Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "It's been a while since my last pull request so quite a few fixes have
  piled up."

Indeed.

 1) Fix nf_{log,queue} compilation with PROC_FS disabled, from Pablo
    Neira Ayuso.

 2) Fix data corruption on some tg3 chips with TSO enabled, from Michael
    Chan.

 3) Fix double insertion of VLAN tags in be2net driver, from Sarveshwar
    Bandi.

 4) Don't have TCP's MD5 support pass > PAGE_SIZE page offsets in
    scatter-gather entries into the crypto layer, the crypto layer can't
    handle that.  From Eric Dumazet.

 5) Fix lockdep splat in 802.1Q MRP code, also from Eric Dumazet.

 6) Fix OOPS in netfilter log module when called from conntrack, from
    Hans Schillstrom.

 7) FEC driver needs to use netif_tx_{lock,unlock}_bh() rather than the
    non-BH disabling variants.  From Fabio Estevam.

 8) TCP GSO can generate out-of-order packets, fix from Eric Dumazet.

 9) vxlan driver doesn't update 'used' field of fdb entries when it
    should, from Sridhar Samudrala.

10) ipv6 should use kzalloc() to allocate inet6 socket cork options,
    otherwise we can OOPS in ip6_cork_release().  From Eric Dumazet.

11) Fix races in bonding set mode, from Nikolay Aleksandrov.

12) Fix checksum generation regression added by "r8169: fix 8168evl
    frame padding.", from Francois Romieu.

13) ip_gre can look at stale SKB data pointer, fix from Eric Dumazet.

14) Fix checksum handling when GSO is enabled in bnx2x driver with
    certain chips, from Yuval Mintz.

15) Fix double free in batman-adv, from Martin Hundebøll.

16) Fix device startup synchronization with firmware in tg3 driver, from
    Nithin Sujit.

17) perf networking dropmonitor doesn't work at all due to mixed up
    trace parameter ordering, from Ben Hutchings.

18) Fix proportional rate reduction handling in tcp_ack(), from Nandita
    Dukkipati.

19) IPSEC layer doesn't return an error when a valid state is detected,
    causing an OOPS.  Fix from Timo Teräs.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (85 commits)
  be2net: bug fix on returning an invalid nic descriptor
  tcp: xps: fix reordering issues
  net: Revert unused variable changes.
  xfrm: properly handle invalid states as an error
  virtio_net: enable napi for all possible queues during open
  tcp: bug fix in proportional rate reduction.
  net: ethernet: sun: drop unused variable
  net: ethernet: korina: drop unused variable
  net: ethernet: apple: drop unused variable
  qmi_wwan: Added support for Cinterion's PLxx WWAN Interface
  perf: net_dropmonitor: Remove progress indicator
  perf: net_dropmonitor: Use bisection in symbol lookup
  perf: net_dropmonitor: Do not assume ordering of dictionaries
  perf: net_dropmonitor: Fix symbol-relative addresses
  perf: net_dropmonitor: Fix trace parameter order
  net: fec: use a more proper compatible string for MVF type device
  qlcnic: Fix updating netdev->features
  qlcnic: remove netdev->trans_start updates within the driver
  qlcnic: Return proper error codes from probe failure paths
  tg3: Update version to 3.132
  ...

33 files changed, 305 insertions, 86 deletions

diff --git a/net/802/mrp.c b/net/802/mrp.c
index e085bcc754f6..1eb05d80b07b 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -871,10 +871,10 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
          */
         del_timer_sync(&app->join_timer);
 
-        spin_lock(&app->lock);
+        spin_lock_bh(&app->lock);
         mrp_mad_event(app, MRP_EVENT_TX);
         mrp_pdu_queue(app);
-        spin_unlock(&app->lock);
+        spin_unlock_bh(&app->lock);
 
         mrp_queue_xmit(app);
 
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 1240f07ad31d..51aafd669cbb 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -181,6 +181,7 @@ void batadv_mesh_free(struct net_device *soft_iface)
         batadv_originator_free(bat_priv);
 
         free_percpu(bat_priv->bat_counters);
+        bat_priv->bat_counters = NULL;
 
         atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
 }
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index 2f3452546636..fad1a2093e15 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -156,12 +156,28 @@ static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
         kfree(orig_node);
 }
 
+/**
+ * batadv_orig_node_free_ref - decrement the orig node refcounter and possibly
+ * schedule an rcu callback for freeing it
+ * @orig_node: the orig node to free
+ */
 void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node)
 {
         if (atomic_dec_and_test(&orig_node->refcount))
                 call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
 }
 
+/**
+ * batadv_orig_node_free_ref_now - decrement the orig node refcounter and
+ * possibly free it (without rcu callback)
+ * @orig_node: the orig node to free
+ */
+void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node)
+{
+        if (atomic_dec_and_test(&orig_node->refcount))
+                batadv_orig_node_free_rcu(&orig_node->rcu);
+}
+
 void batadv_originator_free(struct batadv_priv *bat_priv)
 {
         struct batadv_hashtable *hash = bat_priv->orig_hash;
diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
index 7df48fa7669d..734e5a3d8a5b 100644
--- a/net/batman-adv/originator.h
+++ b/net/batman-adv/originator.h
@@ -26,6 +26,7 @@ int batadv_originator_init(struct batadv_priv *bat_priv);
 void batadv_originator_free(struct batadv_priv *bat_priv);
 void batadv_purge_orig_ref(struct batadv_priv *bat_priv);
 void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node);
+void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node);
 struct batadv_orig_node *batadv_get_orig_node(struct batadv_priv *bat_priv,
                                               const uint8_t *addr);
 struct batadv_neigh_node *
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 6f20d339e33a..819dfb006cdf 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -505,6 +505,7 @@ unreg_debugfs:
         batadv_debugfs_del_meshif(dev);
 free_bat_counters:
         free_percpu(bat_priv->bat_counters);
+        bat_priv->bat_counters = NULL;
 
         return ret;
 }
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 5e89deeb9542..9e8748575845 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -144,7 +144,12 @@ static void batadv_tt_orig_list_entry_free_rcu(struct rcu_head *rcu)
         struct batadv_tt_orig_list_entry *orig_entry;
 
         orig_entry = container_of(rcu, struct batadv_tt_orig_list_entry, rcu);
-        batadv_orig_node_free_ref(orig_entry->orig_node);
+
+        /* We are in an rcu callback here, therefore we cannot use
+         * batadv_orig_node_free_ref() and its call_rcu():
+         * An rcu_barrier() wouldn't wait for that to finish
+         */
+        batadv_orig_node_free_ref_now(orig_entry->orig_node);
         kfree(orig_entry);
 }
 
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 9878eb8204c5..19c37a4929bc 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -72,13 +72,12 @@ print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
 }
 
 static void
-ebt_log_packet(u_int8_t pf, unsigned int hooknum,
-   const struct sk_buff *skb, const struct net_device *in,
-   const struct net_device *out, const struct nf_loginfo *loginfo,
-   const char *prefix)
+ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
+               const struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, const struct nf_loginfo *loginfo,
+               const char *prefix)
 {
         unsigned int bitmask;
-        struct net *net = dev_net(in ? in : out);
 
         /* FIXME: Disabled from containers until syslog ns is supported */
         if (!net_eq(net, &init_net))
@@ -191,7 +190,7 @@ ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
                 nf_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb,
                               par->in, par->out, &li, "%s", info->prefix);
         else
-                ebt_log_packet(NFPROTO_BRIDGE, par->hooknum, skb, par->in,
+                ebt_log_packet(net, NFPROTO_BRIDGE, par->hooknum, skb, par->in,
                                par->out, &li, info->prefix);
         return EBT_CONTINUE;
 }
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index fc1905c51417..df0364aa12d5 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -131,14 +131,16 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
         return skb;
 }
 
-static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
-   const struct net_device *in, const struct net_device *out,
-   const struct ebt_ulog_info *uloginfo, const char *prefix)
+static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
+                            const struct sk_buff *skb,
+                            const struct net_device *in,
+                            const struct net_device *out,
+                            const struct ebt_ulog_info *uloginfo,
+                            const char *prefix)
 {
         ebt_ulog_packet_msg_t *pm;
         size_t size, copy_len;
         struct nlmsghdr *nlh;
-        struct net *net = dev_net(in ? in : out);
         struct ebt_ulog_net *ebt = ebt_ulog_pernet(net);
         unsigned int group = uloginfo->nlgroup;
         ebt_ulog_buff_t *ub = &ebt->ulog_buffers[group];
@@ -233,7 +235,7 @@ unlock:
 }
 
 /* this function is registered with the netfilter core */
-static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
+static void ebt_log_packet(struct net *net, u_int8_t pf, unsigned int hooknum,
    const struct sk_buff *skb, const struct net_device *in,
    const struct net_device *out, const struct nf_loginfo *li,
    const char *prefix)
@@ -252,13 +254,15 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
                 strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
         }
 
-        ebt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
+        ebt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
 }
 
 static unsigned int
 ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
+        struct net *net = dev_net(par->in ? par->in : par->out);
+
+        ebt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
                         par->targinfo, NULL);
         return EBT_CONTINUE;
 }
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index c625e4dad4b0..2a83591492dd 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -235,7 +235,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
            */
         struct net *net = dev_net(skb->dev);
         struct ip_tunnel_net *itn;
-        const struct iphdr *iph = (const struct iphdr *)skb->data;
+        const struct iphdr *iph;
         const int type = icmp_hdr(skb)->type;
         const int code = icmp_hdr(skb)->code;
         struct ip_tunnel *t;
@@ -281,6 +281,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
         else
                 itn = net_generic(net, ipgre_net_id);
 
+        iph = (const struct iphdr *)skb->data;
         t = ip_tunnel_lookup(itn, skb->dev->ifindex, tpi.flags,
                              iph->daddr, iph->saddr, tpi.key);
 
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index f8a222cb6448..cf08218ddbcf 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -162,7 +162,8 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
         return skb;
 }
 
-static void ipt_ulog_packet(unsigned int hooknum,
+static void ipt_ulog_packet(struct net *net,
+                            unsigned int hooknum,
                             const struct sk_buff *skb,
                             const struct net_device *in,
                             const struct net_device *out,
@@ -174,7 +175,6 @@ static void ipt_ulog_packet(unsigned int hooknum,
         size_t size, copy_len;
         struct nlmsghdr *nlh;
         struct timeval tv;
-        struct net *net = dev_net(in ? in : out);
         struct ulog_net *ulog = ulog_pernet(net);
 
         /* ffs == find first bit set, necessary because userspace
@@ -291,12 +291,15 @@ alloc_failure:
 static unsigned int
 ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
+        struct net *net = dev_net(par->in ? par->in : par->out);
+
+        ipt_ulog_packet(net, par->hooknum, skb, par->in, par->out,
                         par->targinfo, NULL);
         return XT_CONTINUE;
 }
 
-static void ipt_logfn(u_int8_t pf,
+static void ipt_logfn(struct net *net,
+                      u_int8_t pf,
                       unsigned int hooknum,
                       const struct sk_buff *skb,
                       const struct net_device *in,
@@ -318,7 +321,7 @@ static void ipt_logfn(u_int8_t pf,
                 strlcpy(loginfo.prefix, prefix, sizeof(loginfo.prefix));
         }
 
-        ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
+        ipt_ulog_packet(net, hooknum, skb, in, out, &loginfo, prefix);
 }
 
 static int ulog_tg_check(const struct xt_tgchk_param *par)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index dcb116dde216..ab450c099aa4 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2887,6 +2887,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb,
         unsigned int mss;
         struct sk_buff *gso_skb = skb;
         __sum16 newcheck;
+        bool ooo_okay, copy_destructor;
 
         if (!pskb_may_pull(skb, sizeof(*th)))
                 goto out;
@@ -2927,10 +2928,18 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb,
                 goto out;
         }
 
+        copy_destructor = gso_skb->destructor == tcp_wfree;
+        ooo_okay = gso_skb->ooo_okay;
+        /* All segments but the first should have ooo_okay cleared */
+        skb->ooo_okay = 0;
+
         segs = skb_segment(skb, features);
         if (IS_ERR(segs))
                 goto out;
 
+        /* Only first segment might have ooo_okay set */
+        segs->ooo_okay = ooo_okay;
+
         delta = htonl(oldlen + (thlen + mss));
 
         skb = segs;
@@ -2950,6 +2959,17 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb,
                                                     thlen, skb->csum));
 
                 seq += mss;
+                if (copy_destructor) {
+                        skb->destructor = gso_skb->destructor;
+                        skb->sk = gso_skb->sk;
+                        /* {tcp|sock}_wfree() use exact truesize accounting :
+                         * sum(skb->truesize) MUST be exactly be gso_skb->truesize
+                         * So we account mss bytes of 'true size' for each segment.
+                         * The last segment will contain the remaining.
+                         */
+                        skb->truesize = mss;
+                        gso_skb->truesize -= mss;
+                }
                 skb = skb->next;
                 th = tcp_hdr(skb);
 
@@ -2962,7 +2982,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb,
          * is freed at TX completion, and not right now when gso_skb
          * is freed by GSO engine
          */
-        if (gso_skb->destructor == tcp_wfree) {
+        if (copy_destructor) {
                 swap(gso_skb->sk, skb->sk);
                 swap(gso_skb->destructor, skb->destructor);
                 swap(gso_skb->truesize, skb->truesize);
@@ -3269,8 +3289,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
 
         for (i = 0; i < shi->nr_frags; ++i) {
                 const struct skb_frag_struct *f = &shi->frags[i];
-                struct page *page = skb_frag_page(f);
-                sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
+                unsigned int offset = f->page_offset;
+                struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
+
+                sg_set_page(&sg, page, skb_frag_size(f),
+                            offset_in_page(offset));
                 if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
                         return 1;
         }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 08bbe6096528..9c6225780bd5 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2743,8 +2743,8 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
  * tcp_xmit_retransmit_queue().
  */
 static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
-                                  int prior_sacked, bool is_dupack,
-                                  int flag)
+                                  int prior_sacked, int prior_packets,
+                                  bool is_dupack, int flag)
 {
         struct inet_connection_sock *icsk = inet_csk(sk);
         struct tcp_sock *tp = tcp_sk(sk);
@@ -2804,7 +2804,8 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
                                 tcp_add_reno_sack(sk);
                 } else
                         do_lost = tcp_try_undo_partial(sk, pkts_acked);
-                newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
+                newly_acked_sacked = prior_packets - tp->packets_out +
+                                     tp->sacked_out - prior_sacked;
                 break;
         case TCP_CA_Loss:
                 tcp_process_loss(sk, flag, is_dupack);
@@ -2818,7 +2819,8 @@ static void tcp_fastretrans_alert(struct sock *sk, int pkts_acked,
                         if (is_dupack)
                                 tcp_add_reno_sack(sk);
                 }
-                newly_acked_sacked = pkts_acked + tp->sacked_out - prior_sacked;
+                newly_acked_sacked = prior_packets - tp->packets_out +
+                                     tp->sacked_out - prior_sacked;
 
                 if (icsk->icsk_ca_state <= TCP_CA_Disorder)
                         tcp_try_undo_dsack(sk);
@@ -3330,9 +3332,10 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
         bool is_dupack = false;
         u32 prior_in_flight;
         u32 prior_fackets;
-        int prior_packets;
+        int prior_packets = tp->packets_out;
         int prior_sacked = tp->sacked_out;
         int pkts_acked = 0;
+        int previous_packets_out = 0;
 
         /* If the ack is older than previous acks
          * then we can probably ignore it.
@@ -3403,14 +3406,14 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
         sk->sk_err_soft = 0;
         icsk->icsk_probes_out = 0;
         tp->rcv_tstamp = tcp_time_stamp;
-        prior_packets = tp->packets_out;
         if (!prior_packets)
                 goto no_queue;
 
         /* See if we can take anything off of the retransmit queue. */
+        previous_packets_out = tp->packets_out;
         flag |= tcp_clean_rtx_queue(sk, prior_fackets, prior_snd_una);
 
-        pkts_acked = prior_packets - tp->packets_out;
+        pkts_acked = previous_packets_out - tp->packets_out;
 
         if (tcp_ack_is_dubious(sk, flag)) {
                 /* Advance CWND, if state allows this. */
@@ -3418,7 +3421,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
                         tcp_cong_avoid(sk, ack, prior_in_flight);
                 is_dupack = !(flag & (FLAG_SND_UNA_ADVANCED | FLAG_NOT_DUP));
                 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
-                                      is_dupack, flag);
+                                      prior_packets, is_dupack, flag);
         } else {
                 if (flag & FLAG_DATA_ACKED)
                         tcp_cong_avoid(sk, ack, prior_in_flight);
@@ -3441,7 +3444,7 @@ no_queue:
         /* If data was DSACKed, see if we can undo a cwnd reduction. */
         if (flag & FLAG_DSACKING_ACK)
                 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
-                                      is_dupack, flag);
+                                      prior_packets, is_dupack, flag);
         /* If this ack opens up a zero window, clear backoff.  It was
          * being used to time the probes, and is probably far higher than
          * it needs to be for normal retransmission.
@@ -3464,7 +3467,7 @@ old_ack:
         if (TCP_SKB_CB(skb)->sacked) {
                 flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una);
                 tcp_fastretrans_alert(sk, pkts_acked, prior_sacked,
-                                      is_dupack, flag);
+                                      prior_packets, is_dupack, flag);
         }
 
         SOCK_DEBUG(sk, "Ack %u before %u:%u\n", ack, tp->snd_una, tp->snd_nxt);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 536d40929ba6..ec335fabd5cc 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -874,11 +874,13 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                                                            &md5);
         tcp_header_size = tcp_options_size + sizeof(struct tcphdr);
 
-        if (tcp_packets_in_flight(tp) == 0) {
+        if (tcp_packets_in_flight(tp) == 0)
                 tcp_ca_event(sk, CA_EVENT_TX_START);
-                skb->ooo_okay = 1;
-        } else
-                skb->ooo_okay = 0;
+
+        /* if no packet is in qdisc/device queue, then allow XPS to select
+         * another queue.
+         */
+        skb->ooo_okay = sk_wmem_alloc_get(sk) == 0;
 
         skb_push(skb, tcp_header_size);
         skb_reset_transport_header(skb);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index d2eedf192330..dae1949019d7 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                         if (WARN_ON(np->cork.opt))
                                 return -EINVAL;
 
-                        np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
+                        np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
                         if (unlikely(np->cork.opt == NULL))
                                 return -ENOBUFS;
 
diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
index 8c004161a843..9ea0c933b9ff 100644
--- a/net/irda/irlap_frame.c
+++ b/net/irda/irlap_frame.c
@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self,
                 /*
                  *  We now have some discovery info to deliver!
                  */
-                discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC);
+                discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);
                 if (!discovery) {
                         IRDA_WARNING("%s: unable to malloc!\n", __func__);
                         return;
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 158e6eb188d3..44be28cfc6c4 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1267,6 +1267,7 @@ void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
                                   __le16 fc, bool acked);
+void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata);
 
 /* IBSS code */
 void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 29620bfc7a69..a46e490f20dd 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1015,7 +1015,8 @@ static void ieee80211_chswitch_timer(unsigned long data)
 
 static void
 ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
-                                 u64 timestamp, struct ieee802_11_elems *elems)
+                                 u64 timestamp, struct ieee802_11_elems *elems,
+                                 bool beacon)
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
@@ -1032,6 +1033,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         struct cfg80211_chan_def new_vht_chandef = {};
         const struct ieee80211_sec_chan_offs_ie *sec_chan_offs;
         const struct ieee80211_wide_bw_chansw_ie *wide_bw_chansw_ie;
+        const struct ieee80211_ht_operation *ht_oper;
         int secondary_channel_offset = -1;
 
         ASSERT_MGD_MTX(ifmgd);
@@ -1048,11 +1050,14 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
 
         sec_chan_offs = elems->sec_chan_offs;
         wide_bw_chansw_ie = elems->wide_bw_chansw_ie;
+        ht_oper = elems->ht_operation;
 
         if (ifmgd->flags & (IEEE80211_STA_DISABLE_HT |
                             IEEE80211_STA_DISABLE_40MHZ)) {
                 sec_chan_offs = NULL;
                 wide_bw_chansw_ie = NULL;
+                /* only used for bandwidth here */
+                ht_oper = NULL;
         }
 
         if (ifmgd->flags & IEEE80211_STA_DISABLE_VHT)
@@ -1094,10 +1099,20 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                 return;
         }
 
-        if (sec_chan_offs) {
+        if (!beacon && sec_chan_offs) {
                 secondary_channel_offset = sec_chan_offs->sec_chan_offs;
+        } else if (beacon && ht_oper) {
+                secondary_channel_offset =
+                        ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET;
         } else if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
-                /* if HT is enabled and the IE not present, it's still HT */
+                /*
+                 * If it's not a beacon, HT is enabled and the IE not present,
+                 * it's 20 MHz, 802.11-2012 8.5.2.6:
+                 *      This element [the Secondary Channel Offset Element] is
+                 *      present when switching to a 40 MHz channel. It may be
+                 *      present when switching to a 20 MHz channel (in which
+                 *      case the secondary channel offset is set to SCN).
+                 */
                 secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE;
         }
 
@@ -2796,7 +2811,8 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                 mutex_unlock(&local->iflist_mtx);
         }
 
-        ieee80211_sta_process_chanswitch(sdata, rx_status->mactime, elems);
+        ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
+                                         elems, true);
 
 }
 
@@ -3210,7 +3226,7 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 
                         ieee80211_sta_process_chanswitch(sdata,
                                                          rx_status->mactime,
-                                                         &elems);
+                                                         &elems, false);
                 } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
                         ies_len = skb->len -
                                   offsetof(struct ieee80211_mgmt,
@@ -3232,7 +3248,7 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 
                         ieee80211_sta_process_chanswitch(sdata,
                                                          rx_status->mactime,
-                                                         &elems);
+                                                         &elems, false);
                 }
                 break;
         }
@@ -3623,6 +3639,31 @@ static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
         }
 }
 
+#ifdef CONFIG_PM
+void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+
+        mutex_lock(&ifmgd->mtx);
+        if (!ifmgd->associated) {
+                mutex_unlock(&ifmgd->mtx);
+                return;
+        }
+
+        if (sdata->flags & IEEE80211_SDATA_DISCONNECT_RESUME) {
+                sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_RESUME;
+                mlme_dbg(sdata, "driver requested disconnect after resume\n");
+                ieee80211_sta_connection_lost(sdata,
+                                              ifmgd->associated->bssid,
+                                              WLAN_REASON_UNSPECIFIED,
+                                              true);
+                mutex_unlock(&ifmgd->mtx);
+                return;
+        }
+        mutex_unlock(&ifmgd->mtx);
+}
+#endif
+
 /* interface setup */
 void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
 {
@@ -4329,7 +4370,7 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
         bool tx = !req->local_state_change;
-        bool sent_frame = false;
+        bool report_frame = false;
 
         mutex_lock(&ifmgd->mtx);
 
@@ -4346,7 +4387,7 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
                 ieee80211_destroy_auth_data(sdata, false);
                 mutex_unlock(&ifmgd->mtx);
 
-                sent_frame = tx;
+                report_frame = true;
                 goto out;
         }
 
@@ -4354,12 +4395,12 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
             ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
                 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
                                        req->reason_code, tx, frame_buf);
-                sent_frame = tx;
+                report_frame = true;
         }
         mutex_unlock(&ifmgd->mtx);
 
  out:
-        if (sent_frame)
+        if (report_frame)
                 __cfg80211_send_deauth(sdata->dev, frame_buf,
                                        IEEE80211_DEAUTH_FRAME_LEN);
 
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 0d51877efdb7..d3f414fe67e0 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -688,8 +688,15 @@ int rate_control_set_rates(struct ieee80211_hw *hw,
                            struct ieee80211_sta *pubsta,
                            struct ieee80211_sta_rates *rates)
 {
-        struct ieee80211_sta_rates *old = rcu_dereference(pubsta->rates);
+        struct ieee80211_sta_rates *old;
 
+        /*
+         * mac80211 guarantees that this function will not be called
+         * concurrently, so the following RCU access is safe, even without
+         * extra locking. This can not be checked easily, so we just set
+         * the condition to true.
+         */
+        old = rcu_dereference_protected(pubsta->rates, true);
         rcu_assign_pointer(pubsta->rates, rates);
         if (old)
                 kfree_rcu(old, rcu_head);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index c8447af76ead..8e2952620256 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3036,6 +3036,9 @@ static int prepare_for_handlers(struct ieee80211_rx_data *rx,
                          * and location updates. Note that mac80211
                          * itself never looks at these frames.
                          */
+                        if (!multicast &&
+                            !ether_addr_equal(sdata->vif.addr, hdr->addr1))
+                                return 0;
                         if (ieee80211_is_public_action(hdr, skb->len))
                                 return 1;
                         if (!ieee80211_is_beacon(hdr->frame_control))
diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
index 3ed801d90f1e..124b1fdc20d0 100644
--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -208,10 +208,10 @@ void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf,
         u32 iv32 = get_unaligned_le32(&data[4]);
         u16 iv16 = data[2] | (data[0] << 8);
 
-        spin_lock_bh(&key->u.tkip.txlock);
+        spin_lock(&key->u.tkip.txlock);
         ieee80211_compute_tkip_p1k(key, iv32);
         tkip_mixing_phase2(tk, ctx, iv16, p2k);
-        spin_unlock_bh(&key->u.tkip.txlock);
+        spin_unlock(&key->u.tkip.txlock);
 }
 EXPORT_SYMBOL(ieee80211_get_tkip_p2k);
 
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 3f87fa468b1f..27e07150eb46 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1740,6 +1740,13 @@ int ieee80211_reconfig(struct ieee80211_local *local)
         mb();
         local->resuming = false;
 
+        list_for_each_entry(sdata, &local->interfaces, list) {
+                if (!ieee80211_sdata_running(sdata))
+                        continue;
+                if (sdata->vif.type == NL80211_IFTYPE_STATION)
+                        ieee80211_sta_restart(sdata);
+        }
+
         mod_timer(&local->sta_cleanup, jiffies + 1);
 #else
         WARN_ON(1);
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 388656d5a9ec..3b18dd1be7d9 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -148,7 +148,7 @@ void nf_log_packet(struct net *net,
                 va_start(args, fmt);
                 vsnprintf(prefix, sizeof(prefix), fmt, args);
                 va_end(args);
-                logger->logfn(pf, hooknum, skb, in, out, loginfo, prefix);
+                logger->logfn(net, pf, hooknum, skb, in, out, loginfo, prefix);
         }
         rcu_read_unlock();
 }
@@ -368,17 +368,20 @@ static int __net_init nf_log_net_init(struct net *net)
         return 0;
 
 out_sysctl:
+#ifdef CONFIG_PROC_FS
         /* For init_net: errors will trigger panic, don't unroll on error. */
         if (!net_eq(net, &init_net))
                 remove_proc_entry("nf_log", net->nf.proc_netfilter);
-
+#endif
         return ret;
 }
 
 static void __net_exit nf_log_net_exit(struct net *net)
 {
         netfilter_log_sysctl_exit(net);
+#ifdef CONFIG_PROC_FS
         remove_proc_entry("nf_log", net->nf.proc_netfilter);
+#endif
 }
 
 static struct pernet_operations nf_log_net_ops = {
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index faf1e9300d8a..962e9792e317 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -602,7 +602,8 @@ static struct nf_loginfo default_loginfo = {
 
 /* log handler for internal netfilter logging api */
 void
-nfulnl_log_packet(u_int8_t pf,
+nfulnl_log_packet(struct net *net,
+                  u_int8_t pf,
                   unsigned int hooknum,
                   const struct sk_buff *skb,
                   const struct net_device *in,
@@ -615,7 +616,6 @@ nfulnl_log_packet(u_int8_t pf,
         const struct nf_loginfo *li;
         unsigned int qthreshold;
         unsigned int plen;
-        struct net *net = dev_net(in ? in : out);
         struct nfnl_log_net *log = nfnl_log_pernet(net);
 
         if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
@@ -1045,7 +1045,9 @@ static int __net_init nfnl_log_net_init(struct net *net)
 
 static void __net_exit nfnl_log_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
         remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
+#endif
 }
 
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 2e0e835baf72..4e27fa035814 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1285,7 +1285,9 @@ static int __net_init nfnl_queue_net_init(struct net *net)
 
 static void __net_exit nfnl_queue_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
         remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
+#endif
 }
 
 static struct pernet_operations nfnl_queue_net_ops = {
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index fe573f6c9e91..491c7d821a0b 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -466,7 +466,8 @@ log_packet_common(struct sbuff *m,
 
 
 static void
-ipt_log_packet(u_int8_t pf,
+ipt_log_packet(struct net *net,
+               u_int8_t pf,
                unsigned int hooknum,
                const struct sk_buff *skb,
                const struct net_device *in,
@@ -475,7 +476,6 @@ ipt_log_packet(u_int8_t pf,
                const char *prefix)
 {
         struct sbuff *m;
-        struct net *net = dev_net(in ? in : out);
 
         /* FIXME: Disabled from containers until syslog ns is supported */
         if (!net_eq(net, &init_net))
@@ -797,7 +797,8 @@ fallback:
 }
 
 static void
-ip6t_log_packet(u_int8_t pf,
+ip6t_log_packet(struct net *net,
+                u_int8_t pf,
                 unsigned int hooknum,
                 const struct sk_buff *skb,
                 const struct net_device *in,
@@ -806,7 +807,6 @@ ip6t_log_packet(u_int8_t pf,
                 const char *prefix)
 {
         struct sbuff *m;
-        struct net *net = dev_net(in ? in : out);
 
         /* FIXME: Disabled from containers until syslog ns is supported */
         if (!net_eq(net, &init_net))
@@ -833,17 +833,18 @@ log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
         const struct xt_log_info *loginfo = par->targinfo;
         struct nf_loginfo li;
+        struct net *net = dev_net(par->in ? par->in : par->out);
 
         li.type = NF_LOG_TYPE_LOG;
         li.u.log.level = loginfo->level;
         li.u.log.logflags = loginfo->logflags;
 
         if (par->family == NFPROTO_IPV4)
-                ipt_log_packet(NFPROTO_IPV4, par->hooknum, skb, par->in,
+                ipt_log_packet(net, NFPROTO_IPV4, par->hooknum, skb, par->in,
                                par->out, &li, loginfo->prefix);
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
         else if (par->family == NFPROTO_IPV6)
-                ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in,
+                ip6t_log_packet(net, NFPROTO_IPV6, par->hooknum, skb, par->in,
                                 par->out, &li, loginfo->prefix);
 #endif
         else
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a17dd0f589b2..fb7497c928a0 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -26,13 +26,14 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
         const struct xt_nflog_info *info = par->targinfo;
         struct nf_loginfo li;
+        struct net *net = dev_net(par->in ? par->in : par->out);
 
         li.type              = NF_LOG_TYPE_ULOG;
         li.u.ulog.copy_len   = info->len;
         li.u.ulog.group      = info->group;
         li.u.ulog.qthreshold = info->threshold;
 
-        nfulnl_log_packet(par->family, par->hooknum, skb, par->in,
+        nfulnl_log_packet(net, par->family, par->hooknum, skb, par->in,
                           par->out, &li, info->prefix);
         return XT_CONTINUE;
 }
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 25fd1c4e1eec..1eb1a44bfd3d 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -30,17 +30,28 @@ static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
 
 static unsigned int
 tcpoptstrip_mangle_packet(struct sk_buff *skb,
-                          const struct xt_tcpoptstrip_target_info *info,
+                          const struct xt_action_param *par,
                           unsigned int tcphoff, unsigned int minlen)
 {
+        const struct xt_tcpoptstrip_target_info *info = par->targinfo;
         unsigned int optl, i, j;
         struct tcphdr *tcph;
         u_int16_t n, o;
         u_int8_t *opt;
+        int len;
+
+        /* This is a fragment, no TCP header is available */
+        if (par->fragoff != 0)
+                return XT_CONTINUE;
 
         if (!skb_make_writable(skb, skb->len))
                 return NF_DROP;
 
+        len = skb->len - tcphoff;
+        if (len < (int)sizeof(struct tcphdr) ||
+            tcp_hdr(skb)->doff * 4 > len)
+                return NF_DROP;
+
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
         opt  = (u_int8_t *)tcph;
 
@@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 static unsigned int
 tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
+        return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb),
                sizeof(struct iphdr) + sizeof(struct tcphdr));
 }
 
@@ -94,7 +105,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
         if (tcphoff < 0)
                 return NF_DROP;
 
-        return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,
+        return tcpoptstrip_mangle_packet(skb, par, tcphoff,
                sizeof(*ipv6h) + sizeof(struct tcphdr));
 }
 #endif
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index d8d424337550..6bb1d42f0fac 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -245,6 +245,71 @@ static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
         }
 }
 
+/**
+ * netlbl_domhsh_validate - Validate a new domain mapping entry
+ * @entry: the entry to validate
+ *
+ * This function validates the new domain mapping entry to ensure that it is
+ * a valid entry.  Returns zero on success, negative values on failure.
+ *
+ */
+static int netlbl_domhsh_validate(const struct netlbl_dom_map *entry)
+{
+        struct netlbl_af4list *iter4;
+        struct netlbl_domaddr4_map *map4;
+#if IS_ENABLED(CONFIG_IPV6)
+        struct netlbl_af6list *iter6;
+        struct netlbl_domaddr6_map *map6;
+#endif /* IPv6 */
+
+        if (entry == NULL)
+                return -EINVAL;
+
+        switch (entry->type) {
+        case NETLBL_NLTYPE_UNLABELED:
+                if (entry->type_def.cipsov4 != NULL ||
+                    entry->type_def.addrsel != NULL)
+                        return -EINVAL;
+                break;
+        case NETLBL_NLTYPE_CIPSOV4:
+                if (entry->type_def.cipsov4 == NULL)
+                        return -EINVAL;
+                break;
+        case NETLBL_NLTYPE_ADDRSELECT:
+                netlbl_af4list_foreach(iter4, &entry->type_def.addrsel->list4) {
+                        map4 = netlbl_domhsh_addr4_entry(iter4);
+                        switch (map4->type) {
+                        case NETLBL_NLTYPE_UNLABELED:
+                                if (map4->type_def.cipsov4 != NULL)
+                                        return -EINVAL;
+                                break;
+                        case NETLBL_NLTYPE_CIPSOV4:
+                                if (map4->type_def.cipsov4 == NULL)
+                                        return -EINVAL;
+                                break;
+                        default:
+                                return -EINVAL;
+                        }
+                }
+#if IS_ENABLED(CONFIG_IPV6)
+                netlbl_af6list_foreach(iter6, &entry->type_def.addrsel->list6) {
+                        map6 = netlbl_domhsh_addr6_entry(iter6);
+                        switch (map6->type) {
+                        case NETLBL_NLTYPE_UNLABELED:
+                                break;
+                        default:
+                                return -EINVAL;
+                        }
+                }
+#endif /* IPv6 */
+                break;
+        default:
+                return -EINVAL;
+        }
+
+        return 0;
+}
+
 /*
  * Domain Hash Table Functions
  */
@@ -311,6 +376,10 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
         struct netlbl_af6list *tmp6;
 #endif /* IPv6 */
 
+        ret_val = netlbl_domhsh_validate(entry);
+        if (ret_val != 0)
+                return ret_val;
+
         /* XXX - we can remove this RCU read lock as the spinlock protects the
          *       entire function, but before we do we need to fixup the
          *       netlbl_af[4,6]list RCU functions to do "the right thing" with
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 84c9ad7e1dca..73405e00c800 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -638,17 +638,21 @@ int wiphy_register(struct wiphy *wiphy)
          * cfg80211_mutex lock
          */
         res = rfkill_register(rdev->rfkill);
-        if (res)
-                goto out_rm_dev;
+        if (res) {
+                device_del(&rdev->wiphy.dev);
+
+                mutex_lock(&cfg80211_mutex);
+                debugfs_remove_recursive(rdev->wiphy.debugfsdir);
+                list_del_rcu(&rdev->list);
+                wiphy_regulatory_deregister(wiphy);
+                mutex_unlock(&cfg80211_mutex);
+                return res;
+        }
 
         rtnl_lock();
         rdev->wiphy.registered = true;
         rtnl_unlock();
         return 0;
-
-out_rm_dev:
-        device_del(&rdev->wiphy.dev);
-        return res;
 }
 EXPORT_SYMBOL(wiphy_register);
 
@@ -866,7 +870,6 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
 #endif
                 __cfg80211_disconnect(rdev, dev,
                                       WLAN_REASON_DEAUTH_LEAVING, true);
-                cfg80211_mlme_down(rdev, dev);
                 wdev_unlock(wdev);
                 break;
         case NL80211_IFTYPE_MESH_POINT:
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index afa283841e8c..dfdb5e643211 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -7577,6 +7577,8 @@ static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
                     &tcp->payload_tok))
                 return -ENOBUFS;
 
+        nla_nest_end(msg, nl_tcp);
+
         return 0;
 }
 
@@ -9970,6 +9972,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
             (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
                                         netdev->ifindex)) ||
+            nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
             nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
             (sig_dbm &&
              nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
@@ -10010,6 +10013,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
         if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
             (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
                                    netdev->ifindex)) ||
+            nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)) ||
             nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
             nla_put_u64(msg, NL80211_ATTR_COOKIE, cookie) ||
             (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index a9dc5c736df0..8b5eddfba1e5 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -961,7 +961,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                 /* was it connected by userspace SME? */
                 if (!wdev->conn) {
                         cfg80211_mlme_down(rdev, dev);
-                        return 0;
+                        goto disconnect;
                 }
 
                 if (wdev->sme_state == CFG80211_SME_CONNECTING &&
@@ -987,6 +987,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                         return err;
         }
 
+ disconnect:
         if (wdev->sme_state == CFG80211_SME_CONNECTED)
                 __cfg80211_disconnected(dev, NULL, 0, 0, false);
         else if (wdev->sme_state == CFG80211_SME_CONNECTING)
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index ecd4fcec3c94..5755bc14abbd 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -2441,6 +2441,7 @@ TRACE_EVENT(cfg80211_report_wowlan_wakeup,
         TP_STRUCT__entry(
                 WIPHY_ENTRY
                 WDEV_ENTRY
+                __field(bool, non_wireless)
                 __field(bool, disconnect)
                 __field(bool, magic_pkt)
                 __field(bool, gtk_rekey_failure)
@@ -2449,20 +2450,22 @@ TRACE_EVENT(cfg80211_report_wowlan_wakeup,
                 __field(bool, rfkill_release)
                 __field(s32, pattern_idx)
                 __field(u32, packet_len)
-                __dynamic_array(u8, packet, wakeup->packet_present_len)
+                __dynamic_array(u8, packet,
+                                wakeup ? wakeup->packet_present_len : 0)
         ),
         TP_fast_assign(
                 WIPHY_ASSIGN;
                 WDEV_ASSIGN;
-                __entry->disconnect = wakeup->disconnect;
-                __entry->magic_pkt = wakeup->magic_pkt;
-                __entry->gtk_rekey_failure = wakeup->gtk_rekey_failure;
-                __entry->eap_identity_req = wakeup->eap_identity_req;
-                __entry->four_way_handshake = wakeup->four_way_handshake;
-                __entry->rfkill_release = wakeup->rfkill_release;
-                __entry->pattern_idx = wakeup->pattern_idx;
-                __entry->packet_len = wakeup->packet_len;
-                if (wakeup->packet && wakeup->packet_present_len)
+                __entry->non_wireless = !wakeup;
+                __entry->disconnect = wakeup ? wakeup->disconnect : false;
+                __entry->magic_pkt = wakeup ? wakeup->magic_pkt : false;
+                __entry->gtk_rekey_failure = wakeup ? wakeup->gtk_rekey_failure : false;
+                __entry->eap_identity_req = wakeup ? wakeup->eap_identity_req : false;
+                __entry->four_way_handshake = wakeup ? wakeup->four_way_handshake : false;
+                __entry->rfkill_release = wakeup ? wakeup->rfkill_release : false;
+                __entry->pattern_idx = wakeup ? wakeup->pattern_idx : false;
+                __entry->packet_len = wakeup ? wakeup->packet_len : false;
+                if (wakeup && wakeup->packet && wakeup->packet_present_len)
                         memcpy(__get_dynamic_array(packet), wakeup->packet,
                                wakeup->packet_present_len);
         ),
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index bcfda8921b5b..0cf003dfa8fc 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
 
                 if (unlikely(x->km.state != XFRM_STATE_VALID)) {
                         XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
+                        err = -EINVAL;
                         goto error;
                 }