Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix BPF filter validation of netlink attribute accesses, from
    Mathias Kruase.

 2) Netfilter conntrack generation seqcount not initialized properly,
    from Andrey Vagin.

 3) Fix comparison mask computation on big-endian in nft_cmp_fast(),
    from Patrick McHardy.

 4) Properly limit MTU over ipv6, from Eric Dumazet.

 5) Fix seccomp system call argument population on 32-bit, from Daniel
    Borkmann.

 6) skb_network_protocol() should not use hard-coded ETH_HLEN, instead
    skb->mac_len needs to be used.  From Vlad Yasevich.

 7) We have several cases of using socket based communications to
    implement a tunnel.  For example, some tunnels are encapsulations
    over UDP so we use an internal kernel UDP socket to do the
    transmits.

    These tunnels should behave just like other software devices and
    pass the packets on down to the next layer.

    Most importantly we want the top-level socket (eg TCP) that created
    the traffic to be charged for the SKB memory.

    However, once you get into the IP output path, we have code that
    assumed that whatever was attached to skb->sk is an IP socket.

    To keep the top-level socket being charged for the SKB memory,
    whilst satisfying the needs of the IP output path, we now pass in an
    explicit 'sk' argument.

    From Eric Dumazet.

 8) ping_init_sock() leaks group info, from Xiaoming Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
  cxgb4: use the correct max size for firmware flash
  qlcnic: Fix MSI-X initialization code
  ip6_gre: don't allow to remove the fb_tunnel_dev
  ipv4: add a sock pointer to dst->output() path.
  ipv4: add a sock pointer to ip_queue_xmit()
  driver/net: cosa driver uses udelay incorrectly
  at86rf230: fix __at86rf230_read_subreg function
  at86rf230: remove check if AVDD settled
  net: cadence: Add architecture dependencies
  net: Start with correct mac_len in skb_network_protocol
  Revert "net: sctp: Fix a_rwnd/rwnd management to reflect real state of the receiver's buffer"
  cxgb4: Save the correct mac addr for hw-loopback connections in the L2T
  net: filter: seccomp: fix wrong decoding of BPF_S_ANC_SECCOMP_LD_W
  seccomp: fix populating a0-a5 syscall args in 32-bit x86 BPF
  qlcnic: Do not disable SR-IOV when VFs are assigned to VMs
  qlcnic: Fix QLogic application/driver interface for virtual NIC configuration
  qlcnic: Fix PVID configuration on eSwitch port.
  qlcnic: Fix max ring count calculation
  qlcnic: Fix to send INIT_NIC_FUNC as first mailbox.
  qlcnic: Fix panic due to uninitialzed delayed_work struct in use.
  ...

32 files changed, 170 insertions, 101 deletions

diff --git a/net/core/dev.c b/net/core/dev.c
index 14dac0654f28..5b3042e69f85 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2284,7 +2284,7 @@ EXPORT_SYMBOL(skb_checksum_help);
 __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
 {
         __be16 type = skb->protocol;
-        int vlan_depth = ETH_HLEN;
+        int vlan_depth = skb->mac_len;
 
         /* Tunnel gso handlers can set protocol to ethernet. */
         if (type == htons(ETH_P_TEB)) {
diff --git a/net/core/dst.c b/net/core/dst.c
index ca4231ec7347..80d6286c8b62 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -142,12 +142,12 @@ loop:
         mutex_unlock(&dst_gc_mutex);
 }
 
-int dst_discard(struct sk_buff *skb)
+int dst_discard_sk(struct sock *sk, struct sk_buff *skb)
 {
         kfree_skb(skb);
         return 0;
 }
-EXPORT_SYMBOL(dst_discard);
+EXPORT_SYMBOL(dst_discard_sk);
 
 const u32 dst_default_metrics[RTAX_MAX + 1] = {
         /* This initializer is needed to force linker to place this variable
@@ -184,7 +184,7 @@ void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
         dst->xfrm = NULL;
 #endif
         dst->input = dst_discard;
-        dst->output = dst_discard;
+        dst->output = dst_discard_sk;
         dst->error = 0;
         dst->obsolete = initial_obsolete;
         dst->header_len = 0;
@@ -209,8 +209,10 @@ static void ___dst_free(struct dst_entry *dst)
         /* The first case (dev==NULL) is required, when
            protocol module is unloaded.
          */
-        if (dst->dev == NULL || !(dst->dev->flags&IFF_UP))
-                dst->input = dst->output = dst_discard;
+        if (dst->dev == NULL || !(dst->dev->flags&IFF_UP)) {
+                dst->input = dst_discard;
+                dst->output = dst_discard_sk;
+        }
         dst->obsolete = DST_OBSOLETE_DEAD;
 }
 
@@ -361,7 +363,8 @@ static void dst_ifdown(struct dst_entry *dst, struct net_device *dev,
                 return;
 
         if (!unregister) {
-                dst->input = dst->output = dst_discard;
+                dst->input = dst_discard;
+                dst->output = dst_discard_sk;
         } else {
                 dst->dev = dev_net(dst->dev)->loopback_dev;
                 dev_hold(dst->dev);
diff --git a/net/core/filter.c b/net/core/filter.c
index e08b3822c72a..cd58614660cf 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -600,6 +600,9 @@ static u64 __skb_get_nlattr(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
         if (skb_is_nonlinear(skb))
                 return 0;
 
+        if (skb->len < sizeof(struct nlattr))
+                return 0;
+
         if (A > skb->len - sizeof(struct nlattr))
                 return 0;
 
@@ -618,11 +621,14 @@ static u64 __skb_get_nlattr_nest(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
         if (skb_is_nonlinear(skb))
                 return 0;
 
+        if (skb->len < sizeof(struct nlattr))
+                return 0;
+
         if (A > skb->len - sizeof(struct nlattr))
                 return 0;
 
         nla = (struct nlattr *) &skb->data[A];
-        if (nla->nla_len > A - skb->len)
+        if (nla->nla_len > skb->len - A)
                 return 0;
 
         nla = nla_find_nested(nla, X);
@@ -1737,7 +1743,6 @@ void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
                 [BPF_S_ANC_RXHASH]      = BPF_LD|BPF_B|BPF_ABS,
                 [BPF_S_ANC_CPU]         = BPF_LD|BPF_B|BPF_ABS,
                 [BPF_S_ANC_ALU_XOR_X]   = BPF_LD|BPF_B|BPF_ABS,
-                [BPF_S_ANC_SECCOMP_LD_W] = BPF_LD|BPF_B|BPF_ABS,
                 [BPF_S_ANC_VLAN_TAG]    = BPF_LD|BPF_B|BPF_ABS,
                 [BPF_S_ANC_VLAN_TAG_PRESENT] = BPF_LD|BPF_B|BPF_ABS,
                 [BPF_S_ANC_PAY_OFFSET]  = BPF_LD|BPF_B|BPF_ABS,
diff --git a/net/dccp/output.c b/net/dccp/output.c
index 8876078859da..0248e8a3460c 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -138,7 +138,7 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
 
                 DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
 
-                err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
+                err = icsk->icsk_af_ops->queue_xmit(sk, skb, &inet->cork.fl);
                 return net_xmit_eval(err);
         }
         return -ENOBUFS;
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index ce0cbbfe0f43..daccc4a36d80 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -752,7 +752,7 @@ static int dn_to_neigh_output(struct sk_buff *skb)
         return n->output(n, skb);
 }
 
-static int dn_output(struct sk_buff *skb)
+static int dn_output(struct sock *sk, struct sk_buff *skb)
 {
         struct dst_entry *dst = skb_dst(skb);
         struct dn_route *rt = (struct dn_route *)dst;
@@ -838,6 +838,18 @@ drop:
  * Used to catch bugs. This should never normally get
  * called.
  */
+static int dn_rt_bug_sk(struct sock *sk, struct sk_buff *skb)
+{
+        struct dn_skb_cb *cb = DN_SKB_CB(skb);
+
+        net_dbg_ratelimited("dn_rt_bug: skb from:%04x to:%04x\n",
+                            le16_to_cpu(cb->src), le16_to_cpu(cb->dst));
+
+        kfree_skb(skb);
+
+        return NET_RX_DROP;
+}
+
 static int dn_rt_bug(struct sk_buff *skb)
 {
         struct dn_skb_cb *cb = DN_SKB_CB(skb);
@@ -1463,7 +1475,7 @@ make_route:
 
         rt->n = neigh;
         rt->dst.lastuse = jiffies;
-        rt->dst.output = dn_rt_bug;
+        rt->dst.output = dn_rt_bug_sk;
         switch (res.type) {
         case RTN_UNICAST:
                 rt->dst.input = dn_forward;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 1a0755fea491..1cbeba5edff9 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -101,17 +101,17 @@ int __ip_local_out(struct sk_buff *skb)
                        skb_dst(skb)->dev, dst_output);
 }
 
-int ip_local_out(struct sk_buff *skb)
+int ip_local_out_sk(struct sock *sk, struct sk_buff *skb)
 {
         int err;
 
         err = __ip_local_out(skb);
         if (likely(err == 1))
-                err = dst_output(skb);
+                err = dst_output_sk(sk, skb);
 
         return err;
 }
-EXPORT_SYMBOL_GPL(ip_local_out);
+EXPORT_SYMBOL_GPL(ip_local_out_sk);
 
 static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst)
 {
@@ -226,9 +226,8 @@ static int ip_finish_output(struct sk_buff *skb)
                 return ip_finish_output2(skb);
 }
 
-int ip_mc_output(struct sk_buff *skb)
+int ip_mc_output(struct sock *sk, struct sk_buff *skb)
 {
-        struct sock *sk = skb->sk;
         struct rtable *rt = skb_rtable(skb);
         struct net_device *dev = rt->dst.dev;
 
@@ -287,7 +286,7 @@ int ip_mc_output(struct sk_buff *skb)
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
-int ip_output(struct sk_buff *skb)
+int ip_output(struct sock *sk, struct sk_buff *skb)
 {
         struct net_device *dev = skb_dst(skb)->dev;
 
@@ -315,9 +314,9 @@ static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4)
                sizeof(fl4->saddr) + sizeof(fl4->daddr));
 }
 
-int ip_queue_xmit(struct sk_buff *skb, struct flowi *fl)
+/* Note: skb->sk can be different from sk, in case of tunnels */
+int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
 {
-        struct sock *sk = skb->sk;
         struct inet_sock *inet = inet_sk(sk);
         struct ip_options_rcu *inet_opt;
         struct flowi4 *fl4;
@@ -389,6 +388,7 @@ packet_routed:
         ip_select_ident_more(skb, &rt->dst, sk,
                              (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
+        /* TODO : should we use skb->sk here instead of sk ? */
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
 
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index e77381d1df9a..484d0ce27ef7 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -670,7 +670,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                 return;
         }
 
-        err = iptunnel_xmit(rt, skb, fl4.saddr, fl4.daddr, protocol,
+        err = iptunnel_xmit(skb->sk, rt, skb, fl4.saddr, fl4.daddr, protocol,
                             tos, ttl, df, !net_eq(tunnel->net, dev_net(dev)));
         iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
 
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index e0c2b1d2ea4e..bcf206c79005 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -46,7 +46,7 @@
 #include <net/netns/generic.h>
 #include <net/rtnetlink.h>
 
-int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb,
+int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
                   __be32 src, __be32 dst, __u8 proto,
                   __u8 tos, __u8 ttl, __be16 df, bool xnet)
 {
@@ -76,7 +76,7 @@ int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb,
         iph->ttl        =       ttl;
         __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
-        err = ip_local_out(skb);
+        err = ip_local_out_sk(sk, skb);
         if (unlikely(net_xmit_eval(err)))
                 pkt_len = 0;
         return pkt_len;
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index f4b19e5dde54..8210964a9f19 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk)
 {
         struct net *net = sock_net(sk);
         kgid_t group = current_egid();
-        struct group_info *group_info = get_current_groups();
-        int i, j, count = group_info->ngroups;
+        struct group_info *group_info;
+        int i, j, count;
         kgid_t low, high;
+        int ret = 0;
 
         inet_get_ping_group_range_net(net, &low, &high);
         if (gid_lte(low, group) && gid_lte(group, high))
                 return 0;
 
+        group_info = get_current_groups();
+        count = group_info->ngroups;
         for (i = 0; i < group_info->nblocks; i++) {
                 int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
                 for (j = 0; j < cp_count; j++) {
                         kgid_t gid = group_info->blocks[i][j];
                         if (gid_lte(low, gid) && gid_lte(gid, high))
-                                return 0;
+                                goto out_release_group;
                 }
 
                 count -= cp_count;
         }
 
-        return -EACCES;
+        ret = -EACCES;
+
+out_release_group:
+        put_group_info(group_info);
+        return ret;
 }
 EXPORT_SYMBOL_GPL(ping_init_sock);
 
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 34d094cadb11..1485aafcad59 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1129,7 +1129,7 @@ static void ipv4_link_failure(struct sk_buff *skb)
                 dst_set_expires(&rt->dst, 0);
 }
 
-static int ip_rt_bug(struct sk_buff *skb)
+static int ip_rt_bug(struct sock *sk, struct sk_buff *skb)
 {
         pr_debug("%s: %pI4 -> %pI4, %s\n",
                  __func__, &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
@@ -2218,7 +2218,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
 
                 new->__use = 1;
                 new->input = dst_discard;
-                new->output = dst_discard;
+                new->output = dst_discard_sk;
 
                 new->dev = ort->dst.dev;
                 if (new->dev)
@@ -2357,7 +2357,7 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src,
                         }
                 } else
 #endif
-                        if (nla_put_u32(skb, RTA_IIF, rt->rt_iif))
+                        if (nla_put_u32(skb, RTA_IIF, skb->dev->ifindex))
                                 goto nla_put_failure;
         }
 
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 699fb102e971..025e25093984 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -981,7 +981,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                 TCP_ADD_STATS(sock_net(sk), TCP_MIB_OUTSEGS,
                               tcp_skb_pcount(skb));
 
-        err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
+        err = icsk->icsk_af_ops->queue_xmit(sk, skb, &inet->cork.fl);
         if (likely(err <= 0))
                 return err;
 
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index baa0f63731fd..40e701f2e1e0 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -86,7 +86,7 @@ int xfrm4_output_finish(struct sk_buff *skb)
         return xfrm_output(skb);
 }
 
-int xfrm4_output(struct sk_buff *skb)
+int xfrm4_output(struct sock *sk, struct sk_buff *skb)
 {
         struct dst_entry *dst = skb_dst(skb);
         struct xfrm_state *x = dst->xfrm;
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index c9138189415a..d4ade34ab375 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -224,9 +224,8 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk,
         return dst;
 }
 
-int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused)
+int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused)
 {
-        struct sock *sk = skb->sk;
         struct ipv6_pinfo *np = inet6_sk(sk);
         struct flowi6 fl6;
         struct dst_entry *dst;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index c98338b81d30..9d921462b57f 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1559,6 +1559,15 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
         return 0;
 }
 
+static void ip6gre_dellink(struct net_device *dev, struct list_head *head)
+{
+        struct net *net = dev_net(dev);
+        struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
+
+        if (dev != ign->fb_tunnel_dev)
+                unregister_netdevice_queue(dev, head);
+}
+
 static size_t ip6gre_get_size(const struct net_device *dev)
 {
         return
@@ -1636,6 +1645,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
         .validate       = ip6gre_tunnel_validate,
         .newlink        = ip6gre_newlink,
         .changelink     = ip6gre_changelink,
+        .dellink        = ip6gre_dellink,
         .get_size       = ip6gre_get_size,
         .fill_info      = ip6gre_fill_info,
 };
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 3284d61577c0..40e7581374f7 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -132,7 +132,7 @@ static int ip6_finish_output(struct sk_buff *skb)
                 return ip6_finish_output2(skb);
 }
 
-int ip6_output(struct sk_buff *skb)
+int ip6_output(struct sock *sk, struct sk_buff *skb)
 {
         struct net_device *dev = skb_dst(skb)->dev;
         struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 5015c50a5ba7..4011617cca68 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -84,9 +84,9 @@ static void		ip6_dst_ifdown(struct dst_entry *,
 static int               ip6_dst_gc(struct dst_ops *ops);
 
 static int              ip6_pkt_discard(struct sk_buff *skb);
-static int              ip6_pkt_discard_out(struct sk_buff *skb);
+static int              ip6_pkt_discard_out(struct sock *sk, struct sk_buff *skb);
 static int              ip6_pkt_prohibit(struct sk_buff *skb);
-static int              ip6_pkt_prohibit_out(struct sk_buff *skb);
+static int              ip6_pkt_prohibit_out(struct sock *sk, struct sk_buff *skb);
 static void             ip6_link_failure(struct sk_buff *skb);
 static void             ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
                                            struct sk_buff *skb, u32 mtu);
@@ -290,7 +290,7 @@ static const struct rt6_info ip6_blk_hole_entry_template = {
                 .obsolete       = DST_OBSOLETE_FORCE_CHK,
                 .error          = -EINVAL,
                 .input          = dst_discard,
-                .output         = dst_discard,
+                .output         = dst_discard_sk,
         },
         .rt6i_flags     = (RTF_REJECT | RTF_NONEXTHOP),
         .rt6i_protocol  = RTPROT_KERNEL,
@@ -1058,7 +1058,7 @@ struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_ori
 
                 new->__use = 1;
                 new->input = dst_discard;
-                new->output = dst_discard;
+                new->output = dst_discard_sk;
 
                 if (dst_metrics_read_only(&ort->dst))
                         new->_metrics = ort->dst._metrics;
@@ -1338,7 +1338,7 @@ static unsigned int ip6_mtu(const struct dst_entry *dst)
         unsigned int mtu = dst_metric_raw(dst, RTAX_MTU);
 
         if (mtu)
-                return mtu;
+                goto out;
 
         mtu = IPV6_MIN_MTU;
 
@@ -1348,7 +1348,8 @@ static unsigned int ip6_mtu(const struct dst_entry *dst)
                 mtu = idev->cnf.mtu6;
         rcu_read_unlock();
 
-        return mtu;
+out:
+        return min_t(unsigned int, mtu, IP6_MAX_MTU);
 }
 
 static struct dst_entry *icmp6_dst_gc_list;
@@ -1576,7 +1577,7 @@ int ip6_route_add(struct fib6_config *cfg)
                 switch (cfg->fc_type) {
                 case RTN_BLACKHOLE:
                         rt->dst.error = -EINVAL;
-                        rt->dst.output = dst_discard;
+                        rt->dst.output = dst_discard_sk;
                         rt->dst.input = dst_discard;
                         break;
                 case RTN_PROHIBIT:
@@ -2128,7 +2129,7 @@ static int ip6_pkt_discard(struct sk_buff *skb)
         return ip6_pkt_drop(skb, ICMPV6_NOROUTE, IPSTATS_MIB_INNOROUTES);
 }
 
-static int ip6_pkt_discard_out(struct sk_buff *skb)
+static int ip6_pkt_discard_out(struct sock *sk, struct sk_buff *skb)
 {
         skb->dev = skb_dst(skb)->dev;
         return ip6_pkt_drop(skb, ICMPV6_NOROUTE, IPSTATS_MIB_OUTNOROUTES);
@@ -2139,7 +2140,7 @@ static int ip6_pkt_prohibit(struct sk_buff *skb)
         return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_INNOROUTES);
 }
 
-static int ip6_pkt_prohibit_out(struct sk_buff *skb)
+static int ip6_pkt_prohibit_out(struct sock *sk, struct sk_buff *skb)
 {
         skb->dev = skb_dst(skb)->dev;
         return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_OUTNOROUTES);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 1693c8d885f0..8da8268d65f8 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -974,8 +974,9 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                 goto out;
         }
 
-        err = iptunnel_xmit(rt, skb, fl4.saddr, fl4.daddr, IPPROTO_IPV6, tos,
-                            ttl, df, !net_eq(tunnel->net, dev_net(dev)));
+        err = iptunnel_xmit(skb->sk, rt, skb, fl4.saddr, fl4.daddr,
+                            IPPROTO_IPV6, tos, ttl, df,
+                            !net_eq(tunnel->net, dev_net(dev)));
         iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
         return NETDEV_TX_OK;
 
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 6cd625e37706..19ef329bdbf8 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -163,7 +163,7 @@ static int __xfrm6_output(struct sk_buff *skb)
         return x->outer_mode->afinfo->output_finish(skb);
 }
 
-int xfrm6_output(struct sk_buff *skb)
+int xfrm6_output(struct sock *sk, struct sk_buff *skb)
 {
         return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
                        skb_dst(skb)->dev, __xfrm6_output);
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 47f7a5490555..a4e37d7158dc 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1131,10 +1131,10 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
         skb->local_df = 1;
 #if IS_ENABLED(CONFIG_IPV6)
         if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
-                error = inet6_csk_xmit(skb, NULL);
+                error = inet6_csk_xmit(tunnel->sock, skb, NULL);
         else
 #endif
-                error = ip_queue_xmit(skb, fl);
+                error = ip_queue_xmit(tunnel->sock, skb, fl);
 
         /* Update stats */
         if (error >= 0) {
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 0b44d855269c..3397fe6897c0 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -487,7 +487,7 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
 
 xmit:
         /* Queue the packet to IP for output */
-        rc = ip_queue_xmit(skb, &inet->cork.fl);
+        rc = ip_queue_xmit(sk, skb, &inet->cork.fl);
         rcu_read_unlock();
 
 error:
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 6dba48efe01e..75421f2ba8be 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1795,6 +1795,7 @@ int nf_conntrack_init_net(struct net *net)
         int cpu;
 
         atomic_set(&net->ct.count, 0);
+        seqcount_init(&net->ct.generation);
 
         net->ct.pcpu_lists = alloc_percpu(struct ct_pcpu);
         if (!net->ct.pcpu_lists)
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 7bd03decd36c..825c3e3f8305 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -605,32 +605,14 @@ static struct nf_conntrack_helper pptp __read_mostly = {
         .expect_policy          = &pptp_exp_policy,
 };
 
-static void nf_conntrack_pptp_net_exit(struct net *net)
-{
-        nf_ct_gre_keymap_flush(net);
-}
-
-static struct pernet_operations nf_conntrack_pptp_net_ops = {
-        .exit = nf_conntrack_pptp_net_exit,
-};
-
 static int __init nf_conntrack_pptp_init(void)
 {
-        int rv;
-
-        rv = nf_conntrack_helper_register(&pptp);
-        if (rv < 0)
-                return rv;
-        rv = register_pernet_subsys(&nf_conntrack_pptp_net_ops);
-        if (rv < 0)
-                nf_conntrack_helper_unregister(&pptp);
-        return rv;
+        return nf_conntrack_helper_register(&pptp);
 }
 
 static void __exit nf_conntrack_pptp_fini(void)
 {
         nf_conntrack_helper_unregister(&pptp);
-        unregister_pernet_subsys(&nf_conntrack_pptp_net_ops);
 }
 
 module_init(nf_conntrack_pptp_init);
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index 9d9c0dade602..d5665739e3b1 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -66,7 +66,7 @@ static inline struct netns_proto_gre *gre_pernet(struct net *net)
         return net_generic(net, proto_gre_net_id);
 }
 
-void nf_ct_gre_keymap_flush(struct net *net)
+static void nf_ct_gre_keymap_flush(struct net *net)
 {
         struct netns_proto_gre *net_gre = gre_pernet(net);
         struct nf_ct_gre_keymap *km, *tmp;
@@ -78,7 +78,6 @@ void nf_ct_gre_keymap_flush(struct net *net)
         }
         write_unlock_bh(&net_gre->keymap_lock);
 }
-EXPORT_SYMBOL(nf_ct_gre_keymap_flush);
 
 static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
                                 const struct nf_conntrack_tuple *t)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 90998a6ff8b9..804105391b9a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -25,9 +25,8 @@ static void nft_cmp_fast_eval(const struct nft_expr *expr,
                               struct nft_data data[NFT_REG_MAX + 1])
 {
         const struct nft_cmp_fast_expr *priv = nft_expr_priv(expr);
-        u32 mask;
+        u32 mask = nft_cmp_fast_mask(priv->len);
 
-        mask = ~0U >> (sizeof(priv->data) * BITS_PER_BYTE - priv->len);
         if ((data[priv->sreg].data[0] & mask) == priv->data)
                 return;
         data[NFT_REG_VERDICT].verdict = NFT_BREAK;
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 954925db414d..e2b3f51c81f1 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -128,7 +128,7 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx,
         BUG_ON(err < 0);
         desc.len *= BITS_PER_BYTE;
 
-        mask = ~0U >> (sizeof(priv->data) * BITS_PER_BYTE - desc.len);
+        mask = nft_cmp_fast_mask(desc.len);
         priv->data = data.data[0] & mask;
         priv->len  = desc.len;
         return 0;
diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index a3d6951602db..ebb6e2442554 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -174,7 +174,7 @@ static int gre_tnl_send(struct vport *vport, struct sk_buff *skb)
 
         skb->local_df = 1;
 
-        return iptunnel_xmit(rt, skb, fl.saddr,
+        return iptunnel_xmit(skb->sk, rt, skb, fl.saddr,
                              OVS_CB(skb)->tun_key->ipv4_dst, IPPROTO_GRE,
                              OVS_CB(skb)->tun_key->ipv4_tos,
                              OVS_CB(skb)->tun_key->ipv4_ttl, df, false);
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 4f6d6f9d1274..39579c3e0d14 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1395,35 +1395,44 @@ static inline bool sctp_peer_needs_update(struct sctp_association *asoc)
         return false;
 }
 
-/* Update asoc's rwnd for the approximated state in the buffer,
- * and check whether SACK needs to be sent.
- */
-void sctp_assoc_rwnd_update(struct sctp_association *asoc, bool update_peer)
+/* Increase asoc's rwnd by len and send any window update SACK if needed. */
+void sctp_assoc_rwnd_increase(struct sctp_association *asoc, unsigned int len)
 {
-        int rx_count;
         struct sctp_chunk *sack;
         struct timer_list *timer;
 
-        if (asoc->ep->rcvbuf_policy)
-                rx_count = atomic_read(&asoc->rmem_alloc);
-        else
-                rx_count = atomic_read(&asoc->base.sk->sk_rmem_alloc);
+        if (asoc->rwnd_over) {
+                if (asoc->rwnd_over >= len) {
+                        asoc->rwnd_over -= len;
+                } else {
+                        asoc->rwnd += (len - asoc->rwnd_over);
+                        asoc->rwnd_over = 0;
+                }
+        } else {
+                asoc->rwnd += len;
+        }
 
-        if ((asoc->base.sk->sk_rcvbuf - rx_count) > 0)
-                asoc->rwnd = (asoc->base.sk->sk_rcvbuf - rx_count) >> 1;
-        else
-                asoc->rwnd = 0;
+        /* If we had window pressure, start recovering it
+         * once our rwnd had reached the accumulated pressure
+         * threshold.  The idea is to recover slowly, but up
+         * to the initial advertised window.
+         */
+        if (asoc->rwnd_press && asoc->rwnd >= asoc->rwnd_press) {
+                int change = min(asoc->pathmtu, asoc->rwnd_press);
+                asoc->rwnd += change;
+                asoc->rwnd_press -= change;
+        }
 
-        pr_debug("%s: asoc:%p rwnd=%u, rx_count=%d, sk_rcvbuf=%d\n",
-                 __func__, asoc, asoc->rwnd, rx_count,
-                 asoc->base.sk->sk_rcvbuf);
+        pr_debug("%s: asoc:%p rwnd increased by %d to (%u, %u) - %u\n",
+                 __func__, asoc, len, asoc->rwnd, asoc->rwnd_over,
+                 asoc->a_rwnd);
 
         /* Send a window update SACK if the rwnd has increased by at least the
          * minimum of the association's PMTU and half of the receive buffer.
          * The algorithm used is similar to the one described in
          * Section 4.2.3.3 of RFC 1122.
          */
-        if (update_peer && sctp_peer_needs_update(asoc)) {
+        if (sctp_peer_needs_update(asoc)) {
                 asoc->a_rwnd = asoc->rwnd;
 
                 pr_debug("%s: sending window update SACK- asoc:%p rwnd:%u "
@@ -1445,6 +1454,45 @@ void sctp_assoc_rwnd_update(struct sctp_association *asoc, bool update_peer)
         }
 }
 
+/* Decrease asoc's rwnd by len. */
+void sctp_assoc_rwnd_decrease(struct sctp_association *asoc, unsigned int len)
+{
+        int rx_count;
+        int over = 0;
+
+        if (unlikely(!asoc->rwnd || asoc->rwnd_over))
+                pr_debug("%s: association:%p has asoc->rwnd:%u, "
+                         "asoc->rwnd_over:%u!\n", __func__, asoc,
+                         asoc->rwnd, asoc->rwnd_over);
+
+        if (asoc->ep->rcvbuf_policy)
+                rx_count = atomic_read(&asoc->rmem_alloc);
+        else
+                rx_count = atomic_read(&asoc->base.sk->sk_rmem_alloc);
+
+        /* If we've reached or overflowed our receive buffer, announce
+         * a 0 rwnd if rwnd would still be positive.  Store the
+         * the potential pressure overflow so that the window can be restored
+         * back to original value.
+         */
+        if (rx_count >= asoc->base.sk->sk_rcvbuf)
+                over = 1;
+
+        if (asoc->rwnd >= len) {
+                asoc->rwnd -= len;
+                if (over) {
+                        asoc->rwnd_press += asoc->rwnd;
+                        asoc->rwnd = 0;
+                }
+        } else {
+                asoc->rwnd_over = len - asoc->rwnd;
+                asoc->rwnd = 0;
+        }
+
+        pr_debug("%s: asoc:%p rwnd decreased by %d to (%u, %u, %u)\n",
+                 __func__, asoc, len, asoc->rwnd, asoc->rwnd_over,
+                 asoc->rwnd_press);
+}
 
 /* Build the bind address list for the association based on info from the
  * local endpoint and the remote peer.
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 4e1d0fcb028e..c09757fbf803 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -957,7 +957,7 @@ static inline int sctp_v4_xmit(struct sk_buff *skb,
 
         SCTP_INC_STATS(sock_net(&inet->sk), SCTP_MIB_OUTSCTPPACKS);
 
-        return ip_queue_xmit(skb, &transport->fl);
+        return ip_queue_xmit(&inet->sk, skb, &transport->fl);
 }
 
 static struct sctp_af sctp_af_inet;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 01e002430c85..ae9fbeba40b0 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -6178,7 +6178,7 @@ static int sctp_eat_data(const struct sctp_association *asoc,
          * PMTU.  In cases, such as loopback, this might be a rather
          * large spill over.
          */
-        if ((!chunk->data_accepted) && (!asoc->rwnd ||
+        if ((!chunk->data_accepted) && (!asoc->rwnd || asoc->rwnd_over ||
             (datalen > asoc->rwnd + asoc->frag_point))) {
 
                 /* If this is the next TSN, consider reneging to make
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e13519e9df80..ff20e2dbbbc7 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2115,6 +2115,12 @@ static int sctp_recvmsg(struct kiocb *iocb, struct sock *sk,
                 sctp_skb_pull(skb, copied);
                 skb_queue_head(&sk->sk_receive_queue, skb);
 
+                /* When only partial message is copied to the user, increase
+                 * rwnd by that amount. If all the data in the skb is read,
+                 * rwnd is updated when the event is freed.
+                 */
+                if (!sctp_ulpevent_is_notification(event))
+                        sctp_assoc_rwnd_increase(event->asoc, copied);
                 goto out;
         } else if ((event->msg_flags & MSG_NOTIFICATION) ||
                    (event->msg_flags & MSG_EOR))
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 8d198ae03606..85c64658bd0b 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -989,7 +989,7 @@ static void sctp_ulpevent_receive_data(struct sctp_ulpevent *event,
         skb = sctp_event2skb(event);
         /* Set the owner and charge rwnd for bytes received.  */
         sctp_ulpevent_set_owner(event, asoc);
-        sctp_assoc_rwnd_update(asoc, false);
+        sctp_assoc_rwnd_decrease(asoc, skb_headlen(skb));
 
         if (!skb->data_len)
                 return;
@@ -1011,7 +1011,6 @@ static void sctp_ulpevent_release_data(struct sctp_ulpevent *event)
 {
         struct sk_buff *skb, *frag;
         unsigned int    len;
-        struct sctp_association *asoc;
 
         /* Current stack structures assume that the rcv buffer is
          * per socket.   For UDP style sockets this is not true as
@@ -1036,11 +1035,8 @@ static void sctp_ulpevent_release_data(struct sctp_ulpevent *event)
         }
 
 done:
-        asoc = event->asoc;
-        sctp_association_hold(asoc);
+        sctp_assoc_rwnd_increase(event->asoc, len);
         sctp_ulpevent_release_owner(event);
-        sctp_assoc_rwnd_update(asoc, true);
-        sctp_association_put(asoc);
 }
 
 static void sctp_ulpevent_release_frag_data(struct sctp_ulpevent *event)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f02f511b7107..c08fbd11ceff 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1842,7 +1842,7 @@ purge_queue:
         xfrm_pol_put(pol);
 }
 
-static int xdst_queue_output(struct sk_buff *skb)
+static int xdst_queue_output(struct sock *sk, struct sk_buff *skb)
 {
         unsigned long sched_next;
         struct dst_entry *dst = skb_dst(skb);