Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix SKB leak in 8139cp, from Dave Jones.

 2) Fix use of *_PAGES interfaces with mlx5 firmware, from Moshe Lazar.

 3) RCU conversion of macvtap introduced two races, fixes by Eric
    Dumazet

 4) Synchronize statistic flows in bnx2x driver to prevent corruption,
    from Dmitry Kravkov

 5) Undo optimization in IP tunneling, we were using the inner IP header
    in some cases to inherit the IP ID, but that isn't correct in some
    circumstances.  From Pravin B Shelar

 6) Use correct struct size when parsing netlink attributes in
    rtnl_bridge_getlink().  From Asbjoern Sloth Toennesen

 7) Length verifications in tun_get_user() are bogus, from Weiping Pan
    and Dan Carpenter

 8) Fix bad merge resolution during 3.11 networking development in
    openvswitch, albeit a harmless one which added some unreachable
    code.  From Jesse Gross

 9) Wrong size used in flexible array allocation in openvswitch, from
    Pravin B Shelar

10) Clear out firmware capability flags the be2net driver isn't ready to
    handle yet, from Sarveshwar Bandi

11) Revert DMA mapping error checking addition to cxgb3 driver, it's
    buggy.  From Alexey Kardashevskiy

12) Fix regression in packet scheduler rate limiting when working with a
    link layer of ATM.  From Jesper Dangaard Brouer

13) Fix several errors in TCP Cubic congestion control, in particular
    overflow errors in timestamp calculations.  From Eric Dumazet and
    Van Jacobson

14) In ipv6 routing lookups, we need to backtrack if subtree traversal
    don't result in a match.  From Hannes Frederic Sowa

15) ipgre_header() returns incorrect packet offset.  Fix from Timo Teräs

16) Get "low latency" out of the new MIB counter names.  From Eliezer
    Tamir

17) State check in ndo_dflt_fdb_del() is inverted, from Sridhar
    Samudrala

18) Handle TCP Fast Open properly in netfilter conntrack, from Yuchung
    Cheng

19) Wrong memcpy length in pcan_usb driver, from Stephane Grosjean

20) Fix dealock in TIPC, from Wang Weidong and Ding Tianhong

21) call_rcu() call to destroy SCTP transport is done too early and
    might result in an oops.  From Daniel Borkmann

22) Fix races in genetlink family dumps, from Johannes Berg

23) Flags passed into macvlan by the user need to be validated properly,
    from Michael S Tsirkin

24) Fix skge build on 32-bit, from Stephen Hemminger

25) Handle malformed TCP headers properly in xt_TCPMSS, from Pablo Neira
    Ayuso

26) Fix handling of stacked vlans in vlan_dev_real_dev(), from Nikolay
    Aleksandrov

27) Eliminate MTU calculation overflows in esp{4,6}, from Daniel
    Borkmann

28) neigh_parms need to be setup before calling the ->ndo_neigh_setup()
    method.  From Veaceslav Falico

29) Kill out-of-bounds prefetch in fib_trie, from Eric Dumazet

30) Don't dereference MLD query message if the length isn't value in the
    bridge multicast code, from Linus Lüssing

31) Fix VXLAN IGMP join regression due to an inverted check, from Cong
    Wang

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (70 commits)
  net/mlx5_core: Support MANAGE_PAGES and QUERY_PAGES firmware command changes
  tun: signedness bug in tun_get_user()
  qlcnic: Fix diagnostic interrupt test for 83xx adapters
  qlcnic: Fix beacon state return status handling
  qlcnic: Fix set driver version command
  net: tg3: fix NULL pointer dereference in tg3_io_error_detected and tg3_io_slot_reset
  net_sched: restore "linklayer atm" handling
  drivers/net/ethernet/via/via-velocity.c: update napi implementation
  Revert "cxgb3: Check and handle the dma mapping errors"
  be2net: Clear any capability flags that driver is not interested in.
  openvswitch: Reset tunnel key between input and output.
  openvswitch: Use correct type while allocating flex array.
  openvswitch: Fix bad merge resolution.
  tun: compare with 0 instead of total_len
  rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
  ethernet/arc/arc_emac - fix NAPI "work > weight" warning
  ip_tunnel: Do not use inner ip-header-id for tunnel ip-header-id.
  bnx2x: prevent crash in shutdown flow with CNIC
  bnx2x: fix PTE write access error
  bnx2x: fix memory leak in VF
  ...

38 files changed, 237 insertions, 90 deletions

diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 4a78c4de9f20..6ee48aac776f 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -91,7 +91,12 @@ EXPORT_SYMBOL(__vlan_find_dev_deep);
 
 struct net_device *vlan_dev_real_dev(const struct net_device *dev)
 {
-        return vlan_dev_priv(dev)->real_dev;
+        struct net_device *ret = vlan_dev_priv(dev)->real_dev;
+
+        while (is_vlan_dev(ret))
+                ret = vlan_dev_priv(ret)->real_dev;
+
+        return ret;
 }
 EXPORT_SYMBOL(vlan_dev_real_dev);
 
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index e14531f1ce1c..264de88db320 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1529,6 +1529,8 @@ out:
  * in these cases, the skb is further handled by this function and
  * returns 1, otherwise it returns 0 and the caller shall further
  * process the skb.
+ *
+ * This call might reallocate skb data.
  */
 int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
                   unsigned short vid)
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index f105219f4a4b..7614af31daff 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -508,6 +508,7 @@ out:
         return 0;
 }
 
+/* this call might reallocate skb data */
 static bool batadv_is_type_dhcprequest(struct sk_buff *skb, int header_len)
 {
         int ret = false;
@@ -568,6 +569,7 @@ out:
         return ret;
 }
 
+/* this call might reallocate skb data */
 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
 {
         struct ethhdr *ethhdr;
@@ -619,6 +621,12 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
 
         if (!pskb_may_pull(skb, *header_len + sizeof(*udphdr)))
                 return false;
+
+        /* skb->data might have been reallocated by pskb_may_pull() */
+        ethhdr = (struct ethhdr *)skb->data;
+        if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
+                ethhdr = (struct ethhdr *)(skb->data + VLAN_HLEN);
+
         udphdr = (struct udphdr *)(skb->data + *header_len);
         *header_len += sizeof(*udphdr);
 
@@ -634,12 +642,14 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
         return true;
 }
 
+/* this call might reallocate skb data */
 bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
-                            struct sk_buff *skb, struct ethhdr *ethhdr)
+                            struct sk_buff *skb)
 {
         struct batadv_neigh_node *neigh_curr = NULL, *neigh_old = NULL;
         struct batadv_orig_node *orig_dst_node = NULL;
         struct batadv_gw_node *curr_gw = NULL;
+        struct ethhdr *ethhdr;
         bool ret, out_of_range = false;
         unsigned int header_len = 0;
         uint8_t curr_tq_avg;
@@ -648,6 +658,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
         if (!ret)
                 goto out;
 
+        ethhdr = (struct ethhdr *)skb->data;
         orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
                                                  ethhdr->h_dest);
         if (!orig_dst_node)
diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
index 039902dca4a6..1037d75da51f 100644
--- a/net/batman-adv/gateway_client.h
+++ b/net/batman-adv/gateway_client.h
@@ -34,7 +34,6 @@ void batadv_gw_node_delete(struct batadv_priv *bat_priv,
 void batadv_gw_node_purge(struct batadv_priv *bat_priv);
 int batadv_gw_client_seq_print_text(struct seq_file *seq, void *offset);
 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len);
-bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
-                            struct sk_buff *skb, struct ethhdr *ethhdr);
+bool batadv_gw_out_of_range(struct batadv_priv *bat_priv, struct sk_buff *skb);
 
 #endif /* _NET_BATMAN_ADV_GATEWAY_CLIENT_H_ */
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 700d0b49742d..0f04e1c302b4 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -180,6 +180,9 @@ static int batadv_interface_tx(struct sk_buff *skb,
         if (batadv_bla_tx(bat_priv, skb, vid))
                 goto dropped;
 
+        /* skb->data might have been reallocated by batadv_bla_tx() */
+        ethhdr = (struct ethhdr *)skb->data;
+
         /* Register the client MAC in the transtable */
         if (!is_multicast_ether_addr(ethhdr->h_source))
                 batadv_tt_local_add(soft_iface, ethhdr->h_source, skb->skb_iif);
@@ -220,6 +223,10 @@ static int batadv_interface_tx(struct sk_buff *skb,
                 default:
                         break;
                 }
+
+                /* reminder: ethhdr might have become unusable from here on
+                 * (batadv_gw_is_dhcp_target() might have reallocated skb data)
+                 */
         }
 
         /* ethernet packet should be broadcasted */
@@ -266,7 +273,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
         /* unicast packet */
         } else {
                 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_OFF) {
-                        ret = batadv_gw_out_of_range(bat_priv, skb, ethhdr);
+                        ret = batadv_gw_out_of_range(bat_priv, skb);
                         if (ret)
                                 goto dropped;
                 }
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index dc8b5d4dd636..688a0419756b 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -326,7 +326,9 @@ static bool batadv_unicast_push_and_fill_skb(struct sk_buff *skb, int hdr_size,
  * @skb: the skb containing the payload to encapsulate
  * @orig_node: the destination node
  *
- * Returns false if the payload could not be encapsulated or true otherwise
+ * Returns false if the payload could not be encapsulated or true otherwise.
+ *
+ * This call might reallocate skb data.
  */
 static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
                                        struct batadv_orig_node *orig_node)
@@ -343,7 +345,9 @@ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
  * @orig_node: the destination node
  * @packet_subtype: the batman 4addr packet subtype to use
  *
- * Returns false if the payload could not be encapsulated or true otherwise
+ * Returns false if the payload could not be encapsulated or true otherwise.
+ *
+ * This call might reallocate skb data.
  */
 bool batadv_unicast_4addr_prepare_skb(struct batadv_priv *bat_priv,
                                       struct sk_buff *skb,
@@ -401,7 +405,7 @@ int batadv_unicast_generic_send_skb(struct batadv_priv *bat_priv,
         struct batadv_neigh_node *neigh_node;
         int data_len = skb->len;
         int ret = NET_RX_DROP;
-        unsigned int dev_mtu;
+        unsigned int dev_mtu, header_len;
 
         /* get routing information */
         if (is_multicast_ether_addr(ethhdr->h_dest)) {
@@ -429,10 +433,12 @@ find_router:
         switch (packet_type) {
         case BATADV_UNICAST:
                 batadv_unicast_prepare_skb(skb, orig_node);
+                header_len = sizeof(struct batadv_unicast_packet);
                 break;
         case BATADV_UNICAST_4ADDR:
                 batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
                                                  packet_subtype);
+                header_len = sizeof(struct batadv_unicast_4addr_packet);
                 break;
         default:
                 /* this function supports UNICAST and UNICAST_4ADDR only. It
@@ -441,6 +447,7 @@ find_router:
                 goto out;
         }
 
+        ethhdr = (struct ethhdr *)(skb->data + header_len);
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
         /* inform the destination node that we are still missing a correct route
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 61c5e819380e..08e576ada0b2 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1195,7 +1195,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                 max_delay = msecs_to_jiffies(ntohs(mld->mld_maxdelay));
                 if (max_delay)
                         group = &mld->mld_mca;
-        } else if (skb->len >= sizeof(*mld2q)) {
+        } else {
                 if (!pskb_may_pull(skb, sizeof(*mld2q))) {
                         err = -EINVAL;
                         goto out;
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 394bb96b6087..3b9637fb7939 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -1,5 +1,5 @@
 /*
- *      Sysfs attributes of bridge ports
+ *      Sysfs attributes of bridge
  *      Linux ethernet bridge
  *
  *      Authors:
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 00ee068efc1c..b84a1b155bc1 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -65,6 +65,7 @@ ipv6:
                 nhoff += sizeof(struct ipv6hdr);
                 break;
         }
+        case __constant_htons(ETH_P_8021AD):
         case __constant_htons(ETH_P_8021Q): {
                 const struct vlan_hdr *vlan;
                 struct vlan_hdr _vlan;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 9232c68941ab..60533db8b72d 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1441,16 +1441,18 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
                 atomic_set(&p->refcnt, 1);
                 p->reachable_time =
                                 neigh_rand_reach_time(p->base_reachable_time);
+                dev_hold(dev);
+                p->dev = dev;
+                write_pnet(&p->net, hold_net(net));
+                p->sysctl_table = NULL;
 
                 if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) {
+                        release_net(net);
+                        dev_put(dev);
                         kfree(p);
                         return NULL;
                 }
 
-                dev_hold(dev);
-                p->dev = dev;
-                write_pnet(&p->net, hold_net(net));
-                p->sysctl_table = NULL;
                 write_lock_bh(&tbl->lock);
                 p->next         = tbl->parms.next;
                 tbl->parms.next = p;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 3de740834d1f..ca198c1d1d30 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2156,7 +2156,7 @@ int ndo_dflt_fdb_del(struct ndmsg *ndm,
         /* If aging addresses are supported device will need to
          * implement its own handler for this.
          */
-        if (ndm->ndm_state & NUD_PERMANENT) {
+        if (!(ndm->ndm_state & NUD_PERMANENT)) {
                 pr_info("%s: FDB only supports static addresses\n", dev->name);
                 return -EINVAL;
         }
@@ -2384,7 +2384,7 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
         struct nlattr *extfilt;
         u32 filter_mask = 0;
 
-        extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg),
+        extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
                                   IFLA_EXT_MASK);
         if (extfilt)
                 filter_mask = nla_get_u32(extfilt);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index ab3d814bc80a..109ee89f123e 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
         }
 
         return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
-                 net_adj) & ~(align - 1)) + (net_adj - 2);
+                 net_adj) & ~(align - 1)) + net_adj - 2;
 }
 
 static void esp4_err(struct sk_buff *skb, u32 info)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 108a1e9c9eac..3df6d3edb2a1 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -71,7 +71,6 @@
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/slab.h>
-#include <linux/prefetch.h>
 #include <linux/export.h>
 #include <net/net_namespace.h>
 #include <net/ip.h>
@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
                         if (!c)
                                 continue;
 
-                        if (IS_LEAF(c)) {
-                                prefetch(rcu_dereference_rtnl(p->child[idx]));
+                        if (IS_LEAF(c))
                                 return (struct leaf *) c;
-                        }
 
                         /* Rescan start scanning in new node */
                         p = (struct tnode *) c;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 1f6eab66f7ce..8d6939eeb492 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -383,7 +383,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
         if (daddr)
                 memcpy(&iph->daddr, daddr, 4);
         if (iph->daddr)
-                return t->hlen;
+                return t->hlen + sizeof(*iph);
 
         return -(t->hlen + sizeof(*iph));
 }
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 7167b08977df..850525b34899 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -76,9 +76,7 @@ int iptunnel_xmit(struct net *net, struct rtable *rt,
         iph->daddr      =       dst;
         iph->saddr      =       src;
         iph->ttl        =       ttl;
-        tunnel_ip_select_ident(skb,
-                               (const struct iphdr *)skb_inner_network_header(skb),
-                               &rt->dst);
+        __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
         err = ip_local_out(skb);
         if (unlikely(net_xmit_eval(err)))
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 6577a1149a47..463bd1273346 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -273,7 +273,7 @@ static const struct snmp_mib snmp4_net_list[] = {
         SNMP_MIB_ITEM("TCPFastOpenListenOverflow", LINUX_MIB_TCPFASTOPENLISTENOVERFLOW),
         SNMP_MIB_ITEM("TCPFastOpenCookieReqd", LINUX_MIB_TCPFASTOPENCOOKIEREQD),
         SNMP_MIB_ITEM("TCPSpuriousRtxHostQueues", LINUX_MIB_TCPSPURIOUS_RTX_HOSTQUEUES),
-        SNMP_MIB_ITEM("LowLatencyRxPackets", LINUX_MIB_LOWLATENCYRXPACKETS),
+        SNMP_MIB_ITEM("BusyPollRxPackets", LINUX_MIB_BUSYPOLLRXPACKETS),
         SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index a9077f441cb2..b6ae92a51f58 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -206,8 +206,8 @@ static u32 cubic_root(u64 a)
  */
 static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
 {
-        u64 offs;
-        u32 delta, t, bic_target, max_cnt;
+        u32 delta, bic_target, max_cnt;
+        u64 offs, t;
 
         ca->ack_cnt++;  /* count the number of ACKs */
 
@@ -250,9 +250,11 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
          * if the cwnd < 1 million packets !!!
          */
 
+        t = (s32)(tcp_time_stamp - ca->epoch_start);
+        t += msecs_to_jiffies(ca->delay_min >> 3);
         /* change the unit from HZ to bictcp_HZ */
-        t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3)
-              - ca->epoch_start) << BICTCP_HZ) / HZ;
+        t <<= BICTCP_HZ;
+        do_div(t, HZ);
 
         if (t < ca->bic_K)              /* t - K */
                 offs = ca->bic_K - t;
@@ -414,7 +416,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
                 return;
 
         /* Discard delay samples right after fast recovery */
-        if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ)
+        if (ca->epoch_start && (s32)(tcp_time_stamp - ca->epoch_start) < HZ)
                 return;
 
         delay = (rtt_us << 3) / USEC_PER_MSEC;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 40ffd72243a4..aeac0dc3635d 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
                 net_adj = 0;
 
         return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
-                 net_adj) & ~(align - 1)) + (net_adj - 2);
+                 net_adj) & ~(align - 1)) + net_adj - 2;
 }
 
 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index bff3d821c7eb..c4ff5bbb45c4 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -993,14 +993,22 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
 
                         if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) {
 #ifdef CONFIG_IPV6_SUBTREES
-                                if (fn->subtree)
-                                        fn = fib6_lookup_1(fn->subtree, args + 1);
+                                if (fn->subtree) {
+                                        struct fib6_node *sfn;
+                                        sfn = fib6_lookup_1(fn->subtree,
+                                                            args + 1);
+                                        if (!sfn)
+                                                goto backtrack;
+                                        fn = sfn;
+                                }
 #endif
-                                if (!fn || fn->fn_flags & RTN_RTINFO)
+                                if (fn->fn_flags & RTN_RTINFO)
                                         return fn;
                         }
                 }
-
+#ifdef CONFIG_IPV6_SUBTREES
+backtrack:
+#endif
                 if (fn->fn_flags & RTN_ROOT)
                         break;
 
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae31968d42d3..cc9e02d79b55 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -31,10 +31,12 @@
 #include "led.h"
 
 #define IEEE80211_AUTH_TIMEOUT          (HZ / 5)
+#define IEEE80211_AUTH_TIMEOUT_LONG     (HZ / 2)
 #define IEEE80211_AUTH_TIMEOUT_SHORT    (HZ / 10)
 #define IEEE80211_AUTH_MAX_TRIES        3
 #define IEEE80211_AUTH_WAIT_ASSOC       (HZ * 5)
 #define IEEE80211_ASSOC_TIMEOUT         (HZ / 5)
+#define IEEE80211_ASSOC_TIMEOUT_LONG    (HZ / 2)
 #define IEEE80211_ASSOC_TIMEOUT_SHORT   (HZ / 10)
 #define IEEE80211_ASSOC_MAX_TRIES       3
 
@@ -209,8 +211,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                              struct ieee80211_channel *channel,
                              const struct ieee80211_ht_operation *ht_oper,
                              const struct ieee80211_vht_operation *vht_oper,
-                             struct cfg80211_chan_def *chandef, bool verbose)
+                             struct cfg80211_chan_def *chandef, bool tracking)
 {
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         struct cfg80211_chan_def vht_chandef;
         u32 ht_cfreq, ret;
 
@@ -229,7 +232,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
                                                   channel->band);
         /* check that channel matches the right operating channel */
-        if (channel->center_freq != ht_cfreq) {
+        if (!tracking && channel->center_freq != ht_cfreq) {
                 /*
                  * It's possible that some APs are confused here;
                  * Netgear WNDR3700 sometimes reports 4 higher than
@@ -237,11 +240,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                  * since we look at probe response/beacon data here
                  * it should be OK.
                  */
-                if (verbose)
-                        sdata_info(sdata,
-                                   "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
-                                   channel->center_freq, ht_cfreq,
-                                   ht_oper->primary_chan, channel->band);
+                sdata_info(sdata,
+                           "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
+                           channel->center_freq, ht_cfreq,
+                           ht_oper->primary_chan, channel->band);
                 ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
                 goto out;
         }
@@ -295,7 +297,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                                 channel->band);
                 break;
         default:
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT operation IE has invalid channel width (%d), disable VHT\n",
                                    vht_oper->chan_width);
@@ -304,7 +306,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         }
 
         if (!cfg80211_chandef_valid(&vht_chandef)) {
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT information is invalid, disable VHT\n");
                 ret = IEEE80211_STA_DISABLE_VHT;
@@ -317,7 +319,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         }
 
         if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT information doesn't match HT, disable VHT\n");
                 ret = IEEE80211_STA_DISABLE_VHT;
@@ -333,18 +335,27 @@ out:
         if (ret & IEEE80211_STA_DISABLE_VHT)
                 vht_chandef = *chandef;
 
+        /*
+         * Ignore the DISABLED flag when we're already connected and only
+         * tracking the APs beacon for bandwidth changes - otherwise we
+         * might get disconnected here if we connect to an AP, update our
+         * regulatory information based on the AP's country IE and the
+         * information we have is wrong/outdated and disables the channel
+         * that we're actually using for the connection to the AP.
+         */
         while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef,
-                                        IEEE80211_CHAN_DISABLED)) {
+                                        tracking ? 0 :
+                                                   IEEE80211_CHAN_DISABLED)) {
                 if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) {
                         ret = IEEE80211_STA_DISABLE_HT |
                               IEEE80211_STA_DISABLE_VHT;
-                        goto out;
+                        break;
                 }
 
                 ret |= chandef_downgrade(chandef);
         }
 
-        if (chandef->width != vht_chandef.width && verbose)
+        if (chandef->width != vht_chandef.width && !tracking)
                 sdata_info(sdata,
                            "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n");
 
@@ -384,7 +395,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
 
         /* calculate new channel (type) based on HT/VHT operation IEs */
         flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper,
-                                             vht_oper, &chandef, false);
+                                             vht_oper, &chandef, true);
 
         /*
          * Downgrade the new channel if we associated with restricted
@@ -3394,10 +3405,13 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
 
         if (tx_flags == 0) {
                 auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
-                ifmgd->auth_data->timeout_started = true;
+                auth_data->timeout_started = true;
                 run_again(sdata, auth_data->timeout);
         } else {
-                auth_data->timeout_started = false;
+                auth_data->timeout =
+                        round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
+                auth_data->timeout_started = true;
+                run_again(sdata, auth_data->timeout);
         }
 
         return 0;
@@ -3434,7 +3448,11 @@ static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
                 assoc_data->timeout_started = true;
                 run_again(sdata, assoc_data->timeout);
         } else {
-                assoc_data->timeout_started = false;
+                assoc_data->timeout =
+                        round_jiffies_up(jiffies +
+                                         IEEE80211_ASSOC_TIMEOUT_LONG);
+                assoc_data->timeout_started = true;
+                run_again(sdata, assoc_data->timeout);
         }
 
         return 0;
@@ -3829,7 +3847,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
         ifmgd->flags |= ieee80211_determine_chantype(sdata, sband,
                                                      cbss->channel,
                                                      ht_oper, vht_oper,
-                                                     &chandef, true);
+                                                     &chandef, false);
 
         sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss),
                                       local->rx_chains);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 7dcc376eea5f..2f8010707d01 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
         const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
         __u32 seq, ack, sack, end, win, swin;
         s16 receiver_offset;
-        bool res;
+        bool res, in_recv_win;
 
         /*
          * Get the required data from the packet.
@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct,
                  receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
                  receiver->td_scale);
 
+        /* Is the ending sequence in the receive window (if available)? */
+        in_recv_win = !receiver->td_maxwin ||
+                      after(end, sender->td_end - receiver->td_maxwin - 1);
+
         pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
                  before(seq, sender->td_maxend + 1),
-                 after(end, sender->td_end - receiver->td_maxwin - 1),
+                 (in_recv_win ? 1 : 0),
                  before(sack, receiver->td_end + 1),
                  after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
 
         if (before(seq, sender->td_maxend + 1) &&
-            after(end, sender->td_end - receiver->td_maxwin - 1) &&
+            in_recv_win &&
             before(sack, receiver->td_end + 1) &&
             after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
                 /*
@@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
                         "nf_ct_tcp: %s ",
                         before(seq, sender->td_maxend + 1) ?
-                        after(end, sender->td_end - receiver->td_maxwin - 1) ?
+                        in_recv_win ?
                         before(sack, receiver->td_end + 1) ?
                         after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
                         : "ACK is under the lower bound (possible overly delayed ACK)"
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 962e9792e317..d92cc317bf8b 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log,
         nfmsg->version = NFNETLINK_V0;
         nfmsg->res_id = htons(inst->group_num);
 
+        memset(&pmsg, 0, sizeof(pmsg));
         pmsg.hw_protocol        = skb->protocol;
         pmsg.hook               = hooknum;
 
@@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log,
         if (indev && skb->dev &&
             skb->mac_header != skb->network_header) {
                 struct nfulnl_msg_packet_hw phw;
-                int len = dev_parse_header(skb, phw.hw_addr);
+                int len;
+
+                memset(&phw, 0, sizeof(phw));
+                len = dev_parse_header(skb, phw.hw_addr);
                 if (len > 0) {
                         phw.hw_addrlen = htons(len);
                         if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 971ea145ab3e..8a703c3dd318 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -463,7 +463,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
         if (indev && entskb->dev &&
             entskb->mac_header != entskb->network_header) {
                 struct nfqnl_msg_packet_hw phw;
-                int len = dev_parse_header(entskb, phw.hw_addr);
+                int len;
+
+                memset(&phw, 0, sizeof(phw));
+                len = dev_parse_header(entskb, phw.hw_addr);
                 if (len) {
                         phw.hw_addrlen = htons(len);
                         if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw))
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 7011c71646f0..6113cc7efffc 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -52,7 +52,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 {
         const struct xt_tcpmss_info *info = par->targinfo;
         struct tcphdr *tcph;
-        unsigned int tcplen, i;
+        int len, tcp_hdrlen;
+        unsigned int i;
         __be16 oldval;
         u16 newmss;
         u8 *opt;
@@ -64,11 +65,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
         if (!skb_make_writable(skb, skb->len))
                 return -1;
 
-        tcplen = skb->len - tcphoff;
+        len = skb->len - tcphoff;
+        if (len < (int)sizeof(struct tcphdr))
+                return -1;
+
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+        tcp_hdrlen = tcph->doff * 4;
 
-        /* Header cannot be larger than the packet */
-        if (tcplen < tcph->doff*4)
+        if (len < tcp_hdrlen)
                 return -1;
 
         if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -87,9 +91,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
                 newmss = info->mss;
 
         opt = (u_int8_t *)tcph;
-        for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
-                if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
-                    opt[i+1] == TCPOLEN_MSS) {
+        for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) {
+                if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
                         u_int16_t oldmss;
 
                         oldmss = (opt[i+2] << 8) | opt[i+3];
@@ -112,9 +115,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
         }
 
         /* There is data after the header so the option can't be added
-           without moving it, and doing so may make the SYN packet
-           itself too large. Accept the packet unmodified instead. */
-        if (tcplen > tcph->doff*4)
+         * without moving it, and doing so may make the SYN packet
+         * itself too large. Accept the packet unmodified instead.
+         */
+        if (len > tcp_hdrlen)
                 return 0;
 
         /*
@@ -143,10 +147,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
                 newmss = min(newmss, (u16)1220);
 
         opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
-        memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+        memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr));
 
         inet_proto_csum_replace2(&tcph->check, skb,
-                                 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+                                 htons(len), htons(len + TCPOLEN_MSS), 1);
         opt[0] = TCPOPT_MSS;
         opt[1] = TCPOLEN_MSS;
         opt[2] = (newmss & 0xff00) >> 8;
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index b68fa191710f..625fa1d636a0 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -38,7 +38,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
         struct tcphdr *tcph;
         u_int16_t n, o;
         u_int8_t *opt;
-        int len;
+        int len, tcp_hdrlen;
 
         /* This is a fragment, no TCP header is available */
         if (par->fragoff != 0)
@@ -52,7 +52,9 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
                 return NF_DROP;
 
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
-        if (tcph->doff * 4 > len)
+        tcp_hdrlen = tcph->doff * 4;
+
+        if (len < tcp_hdrlen)
                 return NF_DROP;
 
         opt  = (u_int8_t *)tcph;
@@ -61,10 +63,10 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
          * Walk through all TCP options - if we find some option to remove,
          * set all octets to %TCPOPT_NOP and adjust checksum.
          */
-        for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
+        for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) {
                 optl = optlen(opt, i);
 
-                if (i + optl > tcp_hdrlen(skb))
+                if (i + optl > tcp_hdrlen)
                         break;
 
                 if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 512718adb0d5..f85f8a2ad6cf 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -789,6 +789,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
         struct net *net = sock_net(skb->sk);
         int chains_to_skip = cb->args[0];
         int fams_to_skip = cb->args[1];
+        bool need_locking = chains_to_skip || fams_to_skip;
+
+        if (need_locking)
+                genl_lock();
 
         for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
                 n = 0;
@@ -810,6 +814,9 @@ errout:
         cb->args[0] = i;
         cb->args[1] = n;
 
+        if (need_locking)
+                genl_unlock();
+
         return skb->len;
 }
 
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 22c5f399f1cf..ab101f715447 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -535,6 +535,7 @@ int ovs_execute_actions(struct datapath *dp, struct sk_buff *skb)
 {
         struct sw_flow_actions *acts = rcu_dereference(OVS_CB(skb)->flow->sf_acts);
 
+        OVS_CB(skb)->tun_key = NULL;
         return do_execute_actions(dp, skb, acts->actions,
                                          acts->actions_len, false);
 }
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index f7e3a0d84c40..f2ed7600084e 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2076,9 +2076,6 @@ static int ovs_vport_cmd_set(struct sk_buff *skb, struct genl_info *info)
         ovs_notify(reply, info, &ovs_dp_vport_multicast_group);
         return 0;
 
-        rtnl_unlock();
-        return 0;
-
 exit_free:
         kfree_skb(reply);
 exit_unlock:
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 5c519b121e1b..1aa84dc58777 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -240,7 +240,7 @@ static struct flex_array *alloc_buckets(unsigned int n_buckets)
         struct flex_array *buckets;
         int i, err;
 
-        buckets = flex_array_alloc(sizeof(struct hlist_head *),
+        buckets = flex_array_alloc(sizeof(struct hlist_head),
                                    n_buckets, GFP_KERNEL);
         if (!buckets)
                 return NULL;
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 281c1bded1f6..51b968d3febb 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -285,6 +285,45 @@ static struct Qdisc_ops *qdisc_lookup_ops(struct nlattr *kind)
         return q;
 }
 
+/* The linklayer setting were not transferred from iproute2, in older
+ * versions, and the rate tables lookup systems have been dropped in
+ * the kernel. To keep backward compatible with older iproute2 tc
+ * utils, we detect the linklayer setting by detecting if the rate
+ * table were modified.
+ *
+ * For linklayer ATM table entries, the rate table will be aligned to
+ * 48 bytes, thus some table entries will contain the same value.  The
+ * mpu (min packet unit) is also encoded into the old rate table, thus
+ * starting from the mpu, we find low and high table entries for
+ * mapping this cell.  If these entries contain the same value, when
+ * the rate tables have been modified for linklayer ATM.
+ *
+ * This is done by rounding mpu to the nearest 48 bytes cell/entry,
+ * and then roundup to the next cell, calc the table entry one below,
+ * and compare.
+ */
+static __u8 __detect_linklayer(struct tc_ratespec *r, __u32 *rtab)
+{
+        int low       = roundup(r->mpu, 48);
+        int high      = roundup(low+1, 48);
+        int cell_low  = low >> r->cell_log;
+        int cell_high = (high >> r->cell_log) - 1;
+
+        /* rtab is too inaccurate at rates > 100Mbit/s */
+        if ((r->rate > (100000000/8)) || (rtab[0] == 0)) {
+                pr_debug("TC linklayer: Giving up ATM detection\n");
+                return TC_LINKLAYER_ETHERNET;
+        }
+
+        if ((cell_high > cell_low) && (cell_high < 256)
+            && (rtab[cell_low] == rtab[cell_high])) {
+                pr_debug("TC linklayer: Detected ATM, low(%d)=high(%d)=%u\n",
+                         cell_low, cell_high, rtab[cell_high]);
+                return TC_LINKLAYER_ATM;
+        }
+        return TC_LINKLAYER_ETHERNET;
+}
+
 static struct qdisc_rate_table *qdisc_rtab_list;
 
 struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *tab)
@@ -308,6 +347,8 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
                 rtab->rate = *r;
                 rtab->refcnt = 1;
                 memcpy(rtab->data, nla_data(tab), 1024);
+                if (r->linklayer == TC_LINKLAYER_UNAWARE)
+                        r->linklayer = __detect_linklayer(r, rtab->data);
                 rtab->next = qdisc_rtab_list;
                 qdisc_rtab_list = rtab;
         }
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 4626cef4b76e..48be3d5c0d92 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -25,6 +25,7 @@
 #include <linux/rcupdate.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/if_vlan.h>
 #include <net/sch_generic.h>
 #include <net/pkt_sched.h>
 #include <net/dst.h>
@@ -207,15 +208,19 @@ void __qdisc_run(struct Qdisc *q)
 
 unsigned long dev_trans_start(struct net_device *dev)
 {
-        unsigned long val, res = dev->trans_start;
+        unsigned long val, res;
         unsigned int i;
 
+        if (is_vlan_dev(dev))
+                dev = vlan_dev_real_dev(dev);
+        res = dev->trans_start;
         for (i = 0; i < dev->num_tx_queues; i++) {
                 val = netdev_get_tx_queue(dev, i)->trans_start;
                 if (val && time_after(val, res))
                         res = val;
         }
         dev->trans_start = res;
+
         return res;
 }
 EXPORT_SYMBOL(dev_trans_start);
@@ -904,6 +909,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r,
         memset(r, 0, sizeof(*r));
         r->overhead = conf->overhead;
         r->rate_bytes_ps = conf->rate;
+        r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK);
         r->mult = 1;
         /*
          * The deal here is to replace a divide by a reciprocal one
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 45e751527dfc..c2178b15ca6e 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1329,6 +1329,7 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
         struct htb_sched *q = qdisc_priv(sch);
         struct htb_class *cl = (struct htb_class *)*arg, *parent;
         struct nlattr *opt = tca[TCA_OPTIONS];
+        struct qdisc_rate_table *rtab = NULL, *ctab = NULL;
         struct nlattr *tb[TCA_HTB_MAX + 1];
         struct tc_htb_opt *hopt;
 
@@ -1350,6 +1351,18 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
         if (!hopt->rate.rate || !hopt->ceil.rate)
                 goto failure;
 
+        /* Keeping backward compatible with rate_table based iproute2 tc */
+        if (hopt->rate.linklayer == TC_LINKLAYER_UNAWARE) {
+                rtab = qdisc_get_rtab(&hopt->rate, tb[TCA_HTB_RTAB]);
+                if (rtab)
+                        qdisc_put_rtab(rtab);
+        }
+        if (hopt->ceil.linklayer == TC_LINKLAYER_UNAWARE) {
+                ctab = qdisc_get_rtab(&hopt->ceil, tb[TCA_HTB_CTAB]);
+                if (ctab)
+                        qdisc_put_rtab(ctab);
+        }
+
         if (!cl) {              /* new class */
                 struct Qdisc *new_q;
                 int prio;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index bce5b79662a6..ab67efc64b24 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -846,12 +846,12 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
                 else
                         spc_state = SCTP_ADDR_AVAILABLE;
                 /* Don't inform ULP about transition from PF to
-                 * active state and set cwnd to 1, see SCTP
+                 * active state and set cwnd to 1 MTU, see SCTP
                  * Quick failover draft section 5.1, point 5
                  */
                 if (transport->state == SCTP_PF) {
                         ulp_notify = false;
-                        transport->cwnd = 1;
+                        transport->cwnd = asoc->pathmtu;
                 }
                 transport->state = SCTP_ACTIVE;
                 break;
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index bdbbc3fd7c14..8fdd16046d66 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -181,12 +181,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
                 return;
         }
 
-        call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
-
         sctp_packet_free(&transport->packet);
 
         if (transport->asoc)
                 sctp_association_put(transport->asoc);
+
+        call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
 }
 
 /* Start T3_rtx timer if it is not already running and update the heartbeat
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index cb29ef7ba2f0..609c30c80816 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -460,6 +460,7 @@ static void bearer_disable(struct tipc_bearer *b_ptr)
 {
         struct tipc_link *l_ptr;
         struct tipc_link *temp_l_ptr;
+        struct tipc_link_req *temp_req;
 
         pr_info("Disabling bearer <%s>\n", b_ptr->name);
         spin_lock_bh(&b_ptr->lock);
@@ -468,9 +469,13 @@ static void bearer_disable(struct tipc_bearer *b_ptr)
         list_for_each_entry_safe(l_ptr, temp_l_ptr, &b_ptr->links, link_list) {
                 tipc_link_delete(l_ptr);
         }
-        if (b_ptr->link_req)
-                tipc_disc_delete(b_ptr->link_req);
+        temp_req = b_ptr->link_req;
+        b_ptr->link_req = NULL;
         spin_unlock_bh(&b_ptr->lock);
+
+        if (temp_req)
+                tipc_disc_delete(temp_req);
+
         memset(b_ptr, 0, sizeof(struct tipc_bearer));
 }
 
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 593071dabd1c..4d9334683f84 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -347,7 +347,7 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
         for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
                 struct vsock_sock *vsk;
                 list_for_each_entry(vsk, &vsock_connected_table[i],
-                                    connected_table);
+                                    connected_table)
                         fn(sk_vsock(vsk));
         }
 
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 4f9f216665e9..a8c29fa4f1b3 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -765,6 +765,7 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
                 cfg80211_leave_mesh(rdev, dev);
                 break;
         case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_P2P_GO:
                 cfg80211_stop_ap(rdev, dev);
                 break;
         default:
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 25d217d90807..3fcba69817e5 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -441,10 +441,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
                         goto out_unlock;
                 }
                 *rdev = wiphy_to_dev((*wdev)->wiphy);
-                cb->args[0] = (*rdev)->wiphy_idx;
+                /* 0 is the first index - add 1 to parse only once */
+                cb->args[0] = (*rdev)->wiphy_idx + 1;
                 cb->args[1] = (*wdev)->identifier;
         } else {
-                struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]);
+                /* subtract the 1 again here */
+                struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
                 struct wireless_dev *tmp;
 
                 if (!wiphy) {