Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix BUG when decrypting empty packets in mac80211, from Ronald Wahl.

 2) nf_nat_range is not fully initialized and this is copied back to
    userspace, from Daniel Borkmann.

 3) Fix read past end of b uffer in netfilter ipset, also from Dan
    Carpenter.

 4) Signed integer overflow in ipv4 address mask creation helper
    inet_make_mask(), from Vincent BENAYOUN.

 5) VXLAN, be2net, mlx4_en, and qlcnic need ->ndo_gso_check() methods to
    properly describe the device's capabilities, from Joe Stringer.

 6) Fix memory leaks and checksum miscalculations in openvswitch, from
    Pravin B SHelar and Jesse Gross.

 7) FIB rules passes back ambiguous error code for unreachable routes,
    making behavior confusing for userspace.  Fix from Panu Matilainen.

 8) ieee802154fake_probe() doesn't release resources properly on error,
    from Alexey Khoroshilov.

 9) Fix skb_over_panic in add_grhead(), from Daniel Borkmann.

10) Fix access of stale slave pointers in bonding code, from Nikolay
    Aleksandrov.

11) Fix stack info leak in PPP pptp code, from Mathias Krause.

12) Cure locking bug in IPX stack, from Jiri Bohac.

13) Revert SKB fclone memory freeing optimization that is racey and can
    allow accesses to freed up memory, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (71 commits)
  tcp: Restore RFC5961-compliant behavior for SYN packets
  net: Revert "net: avoid one atomic operation in skb_clone()"
  virtio-net: validate features during probe
  cxgb4 : Fix DCB priority groups being returned in wrong order
  ipx: fix locking regression in ipx_sendmsg and ipx_recvmsg
  openvswitch: Don't validate IPv6 label masks.
  pptp: fix stack info leak in pptp_getname()
  brcmfmac: don't include linux/unaligned/access_ok.h
  cxgb4i : Don't block unload/cxgb4 unload when remote closes TCP connection
  ipv6: delete protocol and unregister rtnetlink when cleanup
  net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
  bonding: fix curr_active_slave/carrier with loadbalance arp monitoring
  mac80211: minstrel_ht: fix a crash in rate sorting
  vxlan: Inline vxlan_gso_check().
  can: m_can: update to support CAN FD features
  can: m_can: fix incorrect error messages
  can: m_can: add missing delay after setting CCCR_INIT bit
  can: m_can: fix not set can_dlc for remote frame
  can: m_can: fix possible sleep in napi poll
  can: m_can: add missing message RAM initialization
  ...

22 files changed, 123 insertions, 128 deletions

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 648d79ccf462..c465876c7861 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -813,10 +813,9 @@ static void __br_multicast_send_query(struct net_bridge *br,
                 return;
 
         if (port) {
-                __skb_push(skb, sizeof(struct ethhdr));
                 skb->dev = port->dev;
                 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
-                        dev_queue_xmit);
+                        br_dev_queue_push_xmit);
         } else {
                 br_multicast_select_own_querier(br, ip, skb);
                 netif_rx(skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index c16615bfb61e..32e31c299631 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -552,20 +552,13 @@ static void kfree_skbmem(struct sk_buff *skb)
         case SKB_FCLONE_CLONE:
                 fclones = container_of(skb, struct sk_buff_fclones, skb2);
 
-                /* Warning : We must perform the atomic_dec_and_test() before
-                 * setting skb->fclone back to SKB_FCLONE_FREE, otherwise
-                 * skb_clone() could set clone_ref to 2 before our decrement.
-                 * Anyway, if we are going to free the structure, no need to
-                 * rewrite skb->fclone.
+                /* The clone portion is available for
+                 * fast-cloning again.
                  */
-                if (atomic_dec_and_test(&fclones->fclone_ref)) {
+                skb->fclone = SKB_FCLONE_FREE;
+
+                if (atomic_dec_and_test(&fclones->fclone_ref))
                         kmem_cache_free(skbuff_fclone_cache, fclones);
-                } else {
-                        /* The clone portion is available for
-                         * fast-cloning again.
-                         */
-                        skb->fclone = SKB_FCLONE_FREE;
-                }
                 break;
         }
 }
@@ -887,11 +880,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
         if (skb->fclone == SKB_FCLONE_ORIG &&
             n->fclone == SKB_FCLONE_FREE) {
                 n->fclone = SKB_FCLONE_CLONE;
-                /* As our fastclone was free, clone_ref must be 1 at this point.
-                 * We could use atomic_inc() here, but it is faster
-                 * to set the final value.
-                 */
-                atomic_set(&fclones->fclone_ref, 2);
+                atomic_inc(&fclones->fclone_ref);
         } else {
                 if (skb_pfmemalloc(skb))
                         gfp_mask |= __GFP_MEMALLOC;
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index ca11d283bbeb..93ea80196f0e 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1080,13 +1080,13 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
         if (!app)
                 return -EMSGSIZE;
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         list_for_each_entry(itr, &dcb_app_list, list) {
                 if (itr->ifindex == netdev->ifindex) {
                         err = nla_put(skb, DCB_ATTR_IEEE_APP, sizeof(itr->app),
                                          &itr->app);
                         if (err) {
-                                spin_unlock(&dcb_lock);
+                                spin_unlock_bh(&dcb_lock);
                                 return -EMSGSIZE;
                         }
                 }
@@ -1097,7 +1097,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
         else
                 dcbx = -EOPNOTSUPP;
 
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
         nla_nest_end(skb, app);
 
         /* get peer info if available */
@@ -1234,7 +1234,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
         }
 
         /* local app */
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         app = nla_nest_start(skb, DCB_ATTR_CEE_APP_TABLE);
         if (!app)
                 goto dcb_unlock;
@@ -1271,7 +1271,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
         else
                 dcbx = -EOPNOTSUPP;
 
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
 
         /* features flags */
         if (ops->getfeatcfg) {
@@ -1326,7 +1326,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
         return 0;
 
 dcb_unlock:
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
 nla_put_failure:
         return err;
 }
@@ -1762,10 +1762,10 @@ u8 dcb_getapp(struct net_device *dev, struct dcb_app *app)
         struct dcb_app_type *itr;
         u8 prio = 0;
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         if ((itr = dcb_app_lookup(app, dev->ifindex, 0)))
                 prio = itr->app.priority;
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
 
         return prio;
 }
@@ -1789,7 +1789,7 @@ int dcb_setapp(struct net_device *dev, struct dcb_app *new)
         if (dev->dcbnl_ops->getdcbx)
                 event.dcbx = dev->dcbnl_ops->getdcbx(dev);
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         /* Search for existing match and replace */
         if ((itr = dcb_app_lookup(new, dev->ifindex, 0))) {
                 if (new->priority)
@@ -1804,7 +1804,7 @@ int dcb_setapp(struct net_device *dev, struct dcb_app *new)
         if (new->priority)
                 err = dcb_app_add(new, dev->ifindex);
 out:
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
         if (!err)
                 call_dcbevent_notifiers(DCB_APP_EVENT, &event);
         return err;
@@ -1823,10 +1823,10 @@ u8 dcb_ieee_getapp_mask(struct net_device *dev, struct dcb_app *app)
         struct dcb_app_type *itr;
         u8 prio = 0;
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         if ((itr = dcb_app_lookup(app, dev->ifindex, 0)))
                 prio |= 1 << itr->app.priority;
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
 
         return prio;
 }
@@ -1850,7 +1850,7 @@ int dcb_ieee_setapp(struct net_device *dev, struct dcb_app *new)
         if (dev->dcbnl_ops->getdcbx)
                 event.dcbx = dev->dcbnl_ops->getdcbx(dev);
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         /* Search for existing match and abort if found */
         if (dcb_app_lookup(new, dev->ifindex, new->priority)) {
                 err = -EEXIST;
@@ -1859,7 +1859,7 @@ int dcb_ieee_setapp(struct net_device *dev, struct dcb_app *new)
 
         err = dcb_app_add(new, dev->ifindex);
 out:
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
         if (!err)
                 call_dcbevent_notifiers(DCB_APP_EVENT, &event);
         return err;
@@ -1882,7 +1882,7 @@ int dcb_ieee_delapp(struct net_device *dev, struct dcb_app *del)
         if (dev->dcbnl_ops->getdcbx)
                 event.dcbx = dev->dcbnl_ops->getdcbx(dev);
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         /* Search for existing match and remove it. */
         if ((itr = dcb_app_lookup(del, dev->ifindex, del->priority))) {
                 list_del(&itr->list);
@@ -1890,7 +1890,7 @@ int dcb_ieee_delapp(struct net_device *dev, struct dcb_app *del)
                 err = 0;
         }
 
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
         if (!err)
                 call_dcbevent_notifiers(DCB_APP_EVENT, &event);
         return err;
@@ -1902,12 +1902,12 @@ static void dcb_flushapp(void)
         struct dcb_app_type *app;
         struct dcb_app_type *tmp;
 
-        spin_lock(&dcb_lock);
+        spin_lock_bh(&dcb_lock);
         list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
                 list_del(&app->list);
                 kfree(app);
         }
-        spin_unlock(&dcb_lock);
+        spin_unlock_bh(&dcb_lock);
 }
 
 static int __init dcbnl_init(void)
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index f2e15738534d..8f7bd56955b0 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -62,6 +62,10 @@ int __fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
         else
                 res->tclassid = 0;
 #endif
+
+        if (err == -ESRCH)
+                err = -ENETUNREACH;
+
         return err;
 }
 EXPORT_SYMBOL_GPL(__fib_lookup);
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index fb70e3ecc3e4..bb15d0e03d4f 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -318,9 +318,7 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
         return scount;
 }
 
-#define igmp_skb_size(skb) (*(unsigned int *)((skb)->cb))
-
-static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
 {
         struct sk_buff *skb;
         struct rtable *rt;
@@ -330,6 +328,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
         struct flowi4 fl4;
         int hlen = LL_RESERVED_SPACE(dev);
         int tlen = dev->needed_tailroom;
+        unsigned int size = mtu;
 
         while (1) {
                 skb = alloc_skb(size + hlen + tlen,
@@ -341,7 +340,6 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
                         return NULL;
         }
         skb->priority = TC_PRIO_CONTROL;
-        igmp_skb_size(skb) = size;
 
         rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0,
                                    0, 0,
@@ -354,6 +352,8 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
         skb_dst_set(skb, &rt->dst);
         skb->dev = dev;
 
+        skb->reserved_tailroom = skb_end_offset(skb) -
+                                 min(mtu, skb_end_offset(skb));
         skb_reserve(skb, hlen);
 
         skb_reset_network_header(skb);
@@ -423,8 +423,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
         return skb;
 }
 
-#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? igmp_skb_size(skb) - (skb)->len : \
-        skb_tailroom(skb)) : 0)
+#define AVAILABLE(skb)  ((skb) ? skb_availroom(skb) : 0)
 
 static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
         int type, int gdeleted, int sdeleted)
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
index c1023c445920..665de06561cd 100644
--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -24,6 +24,7 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
         struct nf_nat_range range;
         unsigned int verdict;
 
+        memset(&range, 0, sizeof(range));
         range.flags = priv->flags;
 
         verdict = nf_nat_masquerade_ipv4(pkt->skb, pkt->ops->hooknum,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 88fa2d160685..d107ee246a1d 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5231,7 +5231,7 @@ slow_path:
         if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
                 goto csum_error;
 
-        if (!th->ack && !th->rst)
+        if (!th->ack && !th->rst && !th->syn)
                 goto discard;
 
         /*
@@ -5650,7 +5650,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                         goto discard;
         }
 
-        if (!th->ack && !th->rst)
+        if (!th->ack && !th->rst && !th->syn)
                 goto discard;
 
         if (!tcp_validate_incoming(sk, skb, th, 0))
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 0171f08325c3..1a01d79b8698 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1439,6 +1439,10 @@ reg_pernet_fail:
 
 void ip6_mr_cleanup(void)
 {
+        rtnl_unregister(RTNL_FAMILY_IP6MR, RTM_GETROUTE);
+#ifdef CONFIG_IPV6_PIMSM_V2
+        inet6_del_protocol(&pim6_protocol, IPPROTO_PIM);
+#endif
         unregister_netdevice_notifier(&ip6_mr_notifier);
         unregister_pernet_subsys(&ip6mr_net_ops);
         kmem_cache_destroy(mrt_cachep);
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 9648de2b6745..ed2c4e400b46 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1550,7 +1550,7 @@ static void ip6_mc_hdr(struct sock *sk, struct sk_buff *skb,
         hdr->daddr = *daddr;
 }
 
-static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
+static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
 {
         struct net_device *dev = idev->dev;
         struct net *net = dev_net(dev);
@@ -1561,13 +1561,13 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
         const struct in6_addr *saddr;
         int hlen = LL_RESERVED_SPACE(dev);
         int tlen = dev->needed_tailroom;
+        unsigned int size = mtu + hlen + tlen;
         int err;
         u8 ra[8] = { IPPROTO_ICMPV6, 0,
                      IPV6_TLV_ROUTERALERT, 2, 0, 0,
                      IPV6_TLV_PADN, 0 };
 
         /* we assume size > sizeof(ra) here */
-        size += hlen + tlen;
         /* limit our allocations to order-0 page */
         size = min_t(int, size, SKB_MAX_ORDER(0, 0));
         skb = sock_alloc_send_skb(sk, size, 1, &err);
@@ -1576,6 +1576,8 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
                 return NULL;
 
         skb->priority = TC_PRIO_CONTROL;
+        skb->reserved_tailroom = skb_end_offset(skb) -
+                                 min(mtu, skb_end_offset(skb));
         skb_reserve(skb, hlen);
 
         if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
@@ -1690,8 +1692,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
         return skb;
 }
 
-#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? (skb)->dev->mtu - (skb)->len : \
-        skb_tailroom(skb)) : 0)
+#define AVAILABLE(skb)  ((skb) ? skb_availroom(skb) : 0)
 
 static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
         int type, int gdeleted, int sdeleted, int crsend)
diff --git a/net/ipv6/netfilter/nft_masq_ipv6.c b/net/ipv6/netfilter/nft_masq_ipv6.c
index 8a7ac685076d..529c119cbb14 100644
--- a/net/ipv6/netfilter/nft_masq_ipv6.c
+++ b/net/ipv6/netfilter/nft_masq_ipv6.c
@@ -25,6 +25,7 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
         struct nf_nat_range range;
         unsigned int verdict;
 
+        memset(&range, 0, sizeof(range));
         range.flags = priv->flags;
 
         verdict = nf_nat_masquerade_ipv6(pkt->skb, &range, pkt->out);
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 91729b807c7d..1b095ca37aa4 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1764,6 +1764,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
         struct ipxhdr *ipx = NULL;
         struct sk_buff *skb;
         int copied, rc;
+        bool locked = true;
 
         lock_sock(sk);
         /* put the autobinding in */
@@ -1790,6 +1791,8 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
         if (sock_flag(sk, SOCK_ZAPPED))
                 goto out;
 
+        release_sock(sk);
+        locked = false;
         skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
                                 flags & MSG_DONTWAIT, &rc);
         if (!skb) {
@@ -1826,7 +1829,8 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
 out_free:
         skb_free_datagram(sk, skb);
 out:
-        release_sock(sk);
+        if (locked)
+                release_sock(sk);
         return rc;
 }
 
diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
index ec24378caaaf..09d9caaec591 100644
--- a/net/mac80211/aes_ccm.c
+++ b/net/mac80211/aes_ccm.c
@@ -53,6 +53,9 @@ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
                 __aligned(__alignof__(struct aead_request));
         struct aead_request *aead_req = (void *) aead_req_data;
 
+        if (data_len == 0)
+                return -EINVAL;
+
         memset(aead_req, 0, sizeof(aead_req_data));
 
         sg_init_one(&pt, data, data_len);
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index df90ce2db00c..408fd8ab4eef 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -252,19 +252,16 @@ minstrel_ht_sort_best_tp_rates(struct minstrel_ht_sta *mi, u8 index,
         cur_thr = mi->groups[cur_group].rates[cur_idx].cur_tp;
         cur_prob = mi->groups[cur_group].rates[cur_idx].probability;
 
-        tmp_group = tp_list[j - 1] / MCS_GROUP_RATES;
-        tmp_idx = tp_list[j - 1] % MCS_GROUP_RATES;
-        tmp_thr = mi->groups[tmp_group].rates[tmp_idx].cur_tp;
-        tmp_prob = mi->groups[tmp_group].rates[tmp_idx].probability;
-
-        while (j > 0 && (cur_thr > tmp_thr ||
-              (cur_thr == tmp_thr && cur_prob > tmp_prob))) {
-                j--;
+        do {
                 tmp_group = tp_list[j - 1] / MCS_GROUP_RATES;
                 tmp_idx = tp_list[j - 1] % MCS_GROUP_RATES;
                 tmp_thr = mi->groups[tmp_group].rates[tmp_idx].cur_tp;
                 tmp_prob = mi->groups[tmp_group].rates[tmp_idx].probability;
-        }
+                if (cur_thr < tmp_thr ||
+                    (cur_thr == tmp_thr && cur_prob <= tmp_prob))
+                        break;
+                j--;
+        } while (j > 0);
 
         if (j < MAX_THR_RATES - 1) {
                 memmove(&tp_list[j + 1], &tp_list[j], (sizeof(*tp_list) *
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86f9d76b1464..d259da3ce67a 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,6 +1863,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
         if (*op < IP_SET_OP_VERSION) {
                 /* Check the version at the beginning of operations */
                 struct ip_set_req_version *req_version = data;
+
+                if (*len < sizeof(struct ip_set_req_version)) {
+                        ret = -EINVAL;
+                        goto done;
+                }
+
                 if (req_version->version != IPSET_PROTOCOL) {
                         ret = -EPROTO;
                         goto done;
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 437a3663ad03..bd90bf8107da 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -846,6 +846,8 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
                 new_skb = skb_realloc_headroom(skb, max_headroom);
                 if (!new_skb)
                         goto error;
+                if (skb->sk)
+                        skb_set_owner_w(new_skb, skb->sk);
                 consume_skb(skb);
                 skb = new_skb;
         }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 5016a6929085..2c699757bccf 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -611,12 +611,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
          */
         NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
         pr_debug("Confirming conntrack %p\n", ct);
-        /* We have to check the DYING flag inside the lock to prevent
-           a race against nf_ct_get_next_corpse() possibly called from
-           user context, else we insert an already 'dead' hash, blocking
-           further use of that particular connection -JM */
+
+        /* We have to check the DYING flag after unlink to prevent
+         * a race against nf_ct_get_next_corpse() possibly called from
+         * user context, else we insert an already 'dead' hash, blocking
+         * further use of that particular connection -JM.
+         */
+        nf_ct_del_from_dying_or_unconfirmed_list(ct);
 
         if (unlikely(nf_ct_is_dying(ct))) {
+                nf_ct_add_to_dying_list(ct);
                 nf_conntrack_double_unlock(hash, reply_hash);
                 local_bh_enable();
                 return NF_ACCEPT;
@@ -636,8 +640,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
                     zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)))
                         goto out;
 
-        nf_ct_del_from_dying_or_unconfirmed_list(ct);
-
         /* Timer relative to confirmation time, not original
            setting time, otherwise we'd get timer wrap in
            weird delay cases. */
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 11ab4b078f3b..66e8425dbfe7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3484,13 +3484,8 @@ static void nft_chain_commit_update(struct nft_trans *trans)
         }
 }
 
-/* Schedule objects for release via rcu to make sure no packets are accesing
- * removed rules.
- */
-static void nf_tables_commit_release_rcu(struct rcu_head *rt)
+static void nf_tables_commit_release(struct nft_trans *trans)
 {
-        struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
-
         switch (trans->msg_type) {
         case NFT_MSG_DELTABLE:
                 nf_tables_table_destroy(&trans->ctx);
@@ -3612,10 +3607,11 @@ static int nf_tables_commit(struct sk_buff *skb)
                 }
         }
 
+        synchronize_rcu();
+
         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
                 list_del(&trans->list);
-                trans->ctx.nla = NULL;
-                call_rcu(&trans->rcu_head, nf_tables_commit_release_rcu);
+                nf_tables_commit_release(trans);
         }
 
         nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
@@ -3623,13 +3619,8 @@ static int nf_tables_commit(struct sk_buff *skb)
         return 0;
 }
 
-/* Schedule objects for release via rcu to make sure no packets are accesing
- * aborted rules.
- */
-static void nf_tables_abort_release_rcu(struct rcu_head *rt)
+static void nf_tables_abort_release(struct nft_trans *trans)
 {
-        struct nft_trans *trans = container_of(rt, struct nft_trans, rcu_head);
-
         switch (trans->msg_type) {
         case NFT_MSG_NEWTABLE:
                 nf_tables_table_destroy(&trans->ctx);
@@ -3725,11 +3716,12 @@ static int nf_tables_abort(struct sk_buff *skb)
                 }
         }
 
+        synchronize_rcu();
+
         list_for_each_entry_safe_reverse(trans, next,
                                          &net->nft.commit_list, list) {
                 list_del(&trans->list);
-                trans->ctx.nla = NULL;
-                call_rcu(&trans->rcu_head, nf_tables_abort_release_rcu);
+                nf_tables_abort_release(trans);
         }
 
         return 0;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 6c5a915cfa75..13c2e17bbe27 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -47,6 +47,8 @@ static const int nfnl_group2type[NFNLGRP_MAX+1] = {
         [NFNLGRP_CONNTRACK_EXP_NEW]     = NFNL_SUBSYS_CTNETLINK_EXP,
         [NFNLGRP_CONNTRACK_EXP_UPDATE]  = NFNL_SUBSYS_CTNETLINK_EXP,
         [NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
+        [NFNLGRP_NFTABLES]              = NFNL_SUBSYS_NFTABLES,
+        [NFNLGRP_ACCT_QUOTA]            = NFNL_SUBSYS_ACCT,
 };
 
 void nfnl_lock(__u8 subsys_id)
@@ -464,7 +466,12 @@ static void nfnetlink_rcv(struct sk_buff *skb)
 static int nfnetlink_bind(int group)
 {
         const struct nfnetlink_subsystem *ss;
-        int type = nfnl_group2type[group];
+        int type;
+
+        if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
+                return -EINVAL;
+
+        type = nfnl_group2type[group];
 
         rcu_read_lock();
         ss = nfnetlink_get_subsys(type);
@@ -514,6 +521,9 @@ static int __init nfnetlink_init(void)
 {
         int i;
 
+        for (i = NFNLGRP_NONE + 1; i <= NFNLGRP_MAX; i++)
+                BUG_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE);
+
         for (i=0; i<NFNL_SUBSYS_COUNT; i++)
                 mutex_init(&table[i].mutex);
 
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 9d6d6f60a80f..265e190f2218 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -21,45 +21,17 @@
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/netfilter/nf_tables.h>
 
-static const struct {
-       const char       *name;
-       u8               type;
-} table_to_chaintype[] = {
-       { "filter",     NFT_CHAIN_T_DEFAULT },
-       { "raw",        NFT_CHAIN_T_DEFAULT },
-       { "security",   NFT_CHAIN_T_DEFAULT },
-       { "mangle",     NFT_CHAIN_T_ROUTE },
-       { "nat",        NFT_CHAIN_T_NAT },
-       { },
-};
-
-static int nft_compat_table_to_chaintype(const char *table)
-{
-        int i;
-
-        for (i = 0; table_to_chaintype[i].name != NULL; i++) {
-                if (strcmp(table_to_chaintype[i].name, table) == 0)
-                        return table_to_chaintype[i].type;
-        }
-
-        return -1;
-}
-
 static int nft_compat_chain_validate_dependency(const char *tablename,
                                                 const struct nft_chain *chain)
 {
-        enum nft_chain_type type;
         const struct nft_base_chain *basechain;
 
         if (!tablename || !(chain->flags & NFT_BASE_CHAIN))
                 return 0;
 
-        type = nft_compat_table_to_chaintype(tablename);
-        if (type < 0)
-                return -EINVAL;
-
         basechain = nft_base_chain(chain);
-        if (basechain->type->type != type)
+        if (strcmp(tablename, "nat") == 0 &&
+            basechain->type->type != NFT_CHAIN_T_NAT)
                 return -EINVAL;
 
         return 0;
@@ -117,7 +89,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
                            struct xt_target *target, void *info,
                            union nft_entry *entry, u8 proto, bool inv)
 {
-        par->net        = &init_net;
+        par->net        = ctx->net;
         par->table      = ctx->table->name;
         switch (ctx->afi->family) {
         case AF_INET:
@@ -324,7 +296,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
                           struct xt_match *match, void *info,
                           union nft_entry *entry, u8 proto, bool inv)
 {
-        par->net        = &init_net;
+        par->net        = ctx->net;
         par->table      = ctx->table->name;
         switch (ctx->afi->family) {
         case AF_INET:
@@ -374,7 +346,7 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         union nft_entry e = {};
         int ret;
 
-        ret = nft_compat_chain_validate_dependency(match->name, ctx->chain);
+        ret = nft_compat_chain_validate_dependency(match->table, ctx->chain);
         if (ret < 0)
                 goto err;
 
@@ -448,7 +420,7 @@ static int nft_match_validate(const struct nft_ctx *ctx,
                 if (!(hook_mask & match->hooks))
                         return -EINVAL;
 
-                ret = nft_compat_chain_validate_dependency(match->name,
+                ret = nft_compat_chain_validate_dependency(match->table,
                                                            ctx->chain);
                 if (ret < 0)
                         return ret;
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 006886dbee36..8c4229b11c34 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -246,11 +246,11 @@ static void update_ipv6_checksum(struct sk_buff *skb, u8 l4_proto,
 {
         int transport_len = skb->len - skb_transport_offset(skb);
 
-        if (l4_proto == IPPROTO_TCP) {
+        if (l4_proto == NEXTHDR_TCP) {
                 if (likely(transport_len >= sizeof(struct tcphdr)))
                         inet_proto_csum_replace16(&tcp_hdr(skb)->check, skb,
                                                   addr, new_addr, 1);
-        } else if (l4_proto == IPPROTO_UDP) {
+        } else if (l4_proto == NEXTHDR_UDP) {
                 if (likely(transport_len >= sizeof(struct udphdr))) {
                         struct udphdr *uh = udp_hdr(skb);
 
@@ -261,6 +261,10 @@ static void update_ipv6_checksum(struct sk_buff *skb, u8 l4_proto,
                                         uh->check = CSUM_MANGLED_0;
                         }
                 }
+        } else if (l4_proto == NEXTHDR_ICMP) {
+                if (likely(transport_len >= sizeof(struct icmp6hdr)))
+                        inet_proto_csum_replace16(&icmp6_hdr(skb)->icmp6_cksum,
+                                                  skb, addr, new_addr, 1);
         }
 }
 
@@ -722,8 +726,6 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb,
 
                 case OVS_ACTION_ATTR_SAMPLE:
                         err = sample(dp, skb, key, a);
-                        if (unlikely(err)) /* skb already freed. */
-                                return err;
                         break;
                 }
 
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index e6d7255183eb..f9e556b56086 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1265,7 +1265,7 @@ static size_t ovs_dp_cmd_msg_size(void)
         return msgsize;
 }
 
-/* Called with ovs_mutex or RCU read lock. */
+/* Called with ovs_mutex. */
 static int ovs_dp_cmd_fill_info(struct datapath *dp, struct sk_buff *skb,
                                 u32 portid, u32 seq, u32 flags, u8 cmd)
 {
@@ -1555,7 +1555,7 @@ static int ovs_dp_cmd_get(struct sk_buff *skb, struct genl_info *info)
         if (!reply)
                 return -ENOMEM;
 
-        rcu_read_lock();
+        ovs_lock();
         dp = lookup_datapath(sock_net(skb->sk), info->userhdr, info->attrs);
         if (IS_ERR(dp)) {
                 err = PTR_ERR(dp);
@@ -1564,12 +1564,12 @@ static int ovs_dp_cmd_get(struct sk_buff *skb, struct genl_info *info)
         err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid,
                                    info->snd_seq, 0, OVS_DP_CMD_NEW);
         BUG_ON(err < 0);
-        rcu_read_unlock();
+        ovs_unlock();
 
         return genlmsg_reply(reply, info);
 
 err_unlock_free:
-        rcu_read_unlock();
+        ovs_unlock();
         kfree_skb(reply);
         return err;
 }
@@ -1581,8 +1581,8 @@ static int ovs_dp_cmd_dump(struct sk_buff *skb, struct netlink_callback *cb)
         int skip = cb->args[0];
         int i = 0;
 
-        rcu_read_lock();
-        list_for_each_entry_rcu(dp, &ovs_net->dps, list_node) {
+        ovs_lock();
+        list_for_each_entry(dp, &ovs_net->dps, list_node) {
                 if (i >= skip &&
                     ovs_dp_cmd_fill_info(dp, skb, NETLINK_CB(cb->skb).portid,
                                          cb->nlh->nlmsg_seq, NLM_F_MULTI,
@@ -1590,7 +1590,7 @@ static int ovs_dp_cmd_dump(struct sk_buff *skb, struct netlink_callback *cb)
                         break;
                 i++;
         }
-        rcu_read_unlock();
+        ovs_unlock();
 
         cb->args[0] = i;
 
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 939bcb32100f..089b195c064a 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -145,7 +145,7 @@ static bool match_validate(const struct sw_flow_match *match,
         if (match->key->eth.type == htons(ETH_P_ARP)
                         || match->key->eth.type == htons(ETH_P_RARP)) {
                 key_expected |= 1 << OVS_KEY_ATTR_ARP;
-                if (match->mask && (match->mask->key.eth.type == htons(0xffff)))
+                if (match->mask && (match->mask->key.tp.src == htons(0xff)))
                         mask_allowed |= 1 << OVS_KEY_ATTR_ARP;
         }
 
@@ -689,6 +689,13 @@ static int ovs_key_from_nlattrs(struct sw_flow_match *match, u64 attrs,
                                 ipv6_key->ipv6_frag, OVS_FRAG_TYPE_MAX);
                         return -EINVAL;
                 }
+
+                if (!is_mask && ipv6_key->ipv6_label & htonl(0xFFF00000)) {
+                        OVS_NLERR("IPv6 flow label %x is out of range (max=%x).\n",
+                                  ntohl(ipv6_key->ipv6_label), (1 << 20) - 1);
+                        return -EINVAL;
+                }
+
                 SW_FLOW_KEY_PUT(match, ipv6.label,
                                 ipv6_key->ipv6_label, is_mask);
                 SW_FLOW_KEY_PUT(match, ip.proto,