Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix erroneous netfilter drop of SIP packets generated by some Cisco
    phones, from Patrick McHardy.

 2) Fix netfilter IPSET refcounting in list_set_add(), from Jozsef
    Kadlecsik.

 3) Fix TCP syncookies route lookup key, we don't use the same values we
    would use for the usual SYN receive processing, from Dmitry Popov.

 4) Fix NULL deref in bond_slave_netdev_event(), from Nikolay
    Aleksandrov.

 5) When bonding enslave fails, we can forget to clear the IFF_BONDING
    bit, fix also from Nikolay Aleksandrov.

 6) skb->csum_start is 16-bits, which is almost always just fine.  But
    if we reallocate the headroom of an SKB this can push the
    skb->csum_start value outside of it's valid range.  This can easily
    happen when collapsing multiple SKBs from the retransmit queue
    together.

    Fix from Thomas Graf.

 7) Fix NULL deref in be2net driver due to missing check of
    __vlan_put_tag() return value, from Ivan Vecera.

 8) tun_set_iff() returns zero instead of error code on failure, fix
    from Wei Yongjun.

 9) Like GARP, 802 MRP needs to hold the app->lock when adding MAD
    events and queueing PDUs.  Fix from David Ward.

10) Build fix, MVMDIO needs PHYLIB, from Thomas Petazzoni..

11) Fix mac80211 static with ipv6 modular build, from Cong Wang.

12) If userland specifies a path cost explicitly, do not override it
    when the carrier state changes.  From Stephen Hemminger.

13) mvnets calculates the TX queue to use incorrectly resulting in
    garbage pointer derefs and crashes, fix from Willy Tarreau.

14) cdc_mbim does erroneous sizeof(ETH_HLEN).  Fix from Bjorn Mork.

15) IP fragmentation can leak a refcount-less route out from an RCU
    protected section.  This results in crashes and all sorts of hard to
    diagnose behavior.  Fix from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
  qlcnic: fix beaconing test for 82xx adapter
  net: drop dst before queueing fragments
  net: fec: fix regression in link change accounting
  net: cdc_mbim: remove bogus sizeof()
  drivers: net: ethernet: cpsw: get slave VLAN id from slave node instead of cpsw node
  net: mvneta: fix improper tx queue usage in mvneta_tx()
  esp4: fix error return code in esp_output()
  bridge: make user modified path cost sticky
  ipv6: statically link register_inet6addr_notifier()
  net: mvmdio: add select PHYLIB
  net/802/mrp: fix possible race condition when calling mrp_pdu_queue()
  tuntap: fix error return code in tun_set_iff()
  be2net: take care of __vlan_put_tag return value
  can: sja1000: fix handling on dt properties on little endian systems
  can: mcp251x: add missing IRQF_ONESHOT to request_threaded_irq
  netfilter: nf_nat: fix race when unloading protocol modules
  tcp: Reallocate headroom if it would overflow csum_start
  stmmac: prevent interrupt loop with MMC RX IPC Counter
  bonding: IFF_BONDING is not stripped on enslave failure
  bonding: fix netdev event NULL pointer dereference
  ...

18 files changed, 153 insertions, 79 deletions

diff --git a/net/802/mrp.c b/net/802/mrp.c
index a4cc3229952a..e085bcc754f6 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -870,8 +870,12 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
          * all pending messages before the applicant is gone.
          */
         del_timer_sync(&app->join_timer);
+
+        spin_lock(&app->lock);
         mrp_mad_event(app, MRP_EVENT_TX);
         mrp_pdu_queue(app);
+        spin_unlock(&app->lock);
+
         mrp_queue_xmit(app);
 
         dev_mc_del(dev, appl->group_address);
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index ef1b91431c6b..459dab22b3f6 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -67,7 +67,8 @@ void br_port_carrier_check(struct net_bridge_port *p)
         struct net_device *dev = p->dev;
         struct net_bridge *br = p->br;
 
-        if (netif_running(dev) && netif_oper_up(dev))
+        if (!(p->flags & BR_ADMIN_COST) &&
+            netif_running(dev) && netif_oper_up(dev))
                 p->path_cost = port_cost(dev);
 
         if (!netif_running(br->dev))
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 3cbf5beb3d4b..d2c043a857b6 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -156,6 +156,7 @@ struct net_bridge_port
 #define BR_BPDU_GUARD           0x00000002
 #define BR_ROOT_BLOCK           0x00000004
 #define BR_MULTICAST_FAST_LEAVE 0x00000008
+#define BR_ADMIN_COST           0x00000010
 
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
         u32                             multicast_startup_queries_sent;
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 0bdb4ebd362b..d45e760141bb 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -288,6 +288,7 @@ int br_stp_set_path_cost(struct net_bridge_port *p, unsigned long path_cost)
             path_cost > BR_MAX_PATH_COST)
                 return -ERANGE;
 
+        p->flags |= BR_ADMIN_COST;
         p->path_cost = path_cost;
         br_configuration_update(p->br);
         br_port_state_selection(p->br);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 3b4f0cd2e63e..4cfe34d4cc96 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -139,8 +139,6 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
 
         /* skb is pure payload to encrypt */
 
-        err = -ENOMEM;
-
         esp = x->data;
         aead = esp->aead;
         alen = crypto_aead_authsize(aead);
@@ -176,8 +174,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
         }
 
         tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
-        if (!tmp)
+        if (!tmp) {
+                err = -ENOMEM;
                 goto error;
+        }
 
         seqhi = esp_tmp_seqhi(tmp);
         iv = esp_tmp_iv(aead, tmp, seqhilen);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index a6445b843ef4..52c273ea05c3 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -248,8 +248,7 @@ static void ip_expire(unsigned long arg)
                 if (!head->dev)
                         goto out_rcu_unlock;
 
-                /* skb dst is stale, drop it, and perform route lookup again */
-                skb_dst_drop(head);
+                /* skb has no dst, perform route lookup again */
                 iph = ip_hdr(head);
                 err = ip_route_input_noref(head, iph->daddr, iph->saddr,
                                            iph->tos, head->dev);
@@ -523,9 +522,16 @@ found:
                 qp->q.max_size = skb->len + ihl;
 
         if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            qp->q.meat == qp->q.len)
-                return ip_frag_reasm(qp, prev, dev);
+            qp->q.meat == qp->q.len) {
+                unsigned long orefdst = skb->_skb_refdst;
 
+                skb->_skb_refdst = 0UL;
+                err = ip_frag_reasm(qp, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return err;
+        }
+
+        skb_dst_drop(skb);
         inet_frag_lru_move(&qp->q);
         return -EINPROGRESS;
 
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index ef54377fb11c..397e0f69435f 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -349,8 +349,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
          * hasn't changed since we received the original syn, but I see
          * no easy way to do this.
          */
-        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
-                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+        flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                            inet_sk_flowi_flags(sk),
                            (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                            ireq->loc_addr, th->source, th->dest);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b44cf81d8178..509912a5ff98 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2388,8 +2388,12 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
          */
         TCP_SKB_CB(skb)->when = tcp_time_stamp;
 
-        /* make sure skb->data is aligned on arches that require it */
-        if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
+        /* make sure skb->data is aligned on arches that require it
+         * and check if ack-trimming & collapsing extended the headroom
+         * beyond what csum_start can cover.
+         */
+        if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) ||
+                     skb_headroom(skb) >= 0xFFFF)) {
                 struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
                                                    GFP_ATOMIC);
                 return nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index a459c4f5b769..dae802c0af7c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -168,8 +168,6 @@ static void inet6_prefix_notify(int event, struct inet6_dev *idev,
 static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr,
                                struct net_device *dev);
 
-static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
-
 static struct ipv6_devconf ipv6_devconf __read_mostly = {
         .forwarding             = 0,
         .hop_limit              = IPV6_DEFAULT_HOPLIMIT,
@@ -837,7 +835,7 @@ out2:
         rcu_read_unlock_bh();
 
         if (likely(err == 0))
-                atomic_notifier_call_chain(&inet6addr_chain, NETDEV_UP, ifa);
+                inet6addr_notifier_call_chain(NETDEV_UP, ifa);
         else {
                 kfree(ifa);
                 ifa = ERR_PTR(err);
@@ -927,7 +925,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
 
         ipv6_ifa_notify(RTM_DELADDR, ifp);
 
-        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp);
+        inet6addr_notifier_call_chain(NETDEV_DOWN, ifp);
 
         /*
          * Purge or update corresponding prefix
@@ -2988,7 +2986,7 @@ static int addrconf_ifdown(struct net_device *dev, int how)
 
                 if (state != INET6_IFADDR_STATE_DEAD) {
                         __ipv6_ifa_notify(RTM_DELADDR, ifa);
-                        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
+                        inet6addr_notifier_call_chain(NETDEV_DOWN, ifa);
                 }
                 in6_ifa_put(ifa);
 
@@ -4869,22 +4867,6 @@ static struct pernet_operations addrconf_ops = {
         .exit = addrconf_exit_net,
 };
 
-/*
- *      Device notifier
- */
-
-int register_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_register(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(register_inet6addr_notifier);
-
-int unregister_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(unregister_inet6addr_notifier);
-
 static struct rtnl_af_ops inet6_ops = {
         .family           = AF_INET6,
         .fill_link_af     = inet6_fill_link_af,
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index d051e5f4bf34..72104562c864 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -78,3 +78,22 @@ int __ipv6_addr_type(const struct in6_addr *addr)
 }
 EXPORT_SYMBOL(__ipv6_addr_type);
 
+static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
+
+int register_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_register(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(register_inet6addr_notifier);
+
+int unregister_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(unregister_inet6addr_notifier);
+
+int inet6addr_notifier_call_chain(unsigned long val, void *v)
+{
+        return atomic_notifier_call_chain(&inet6addr_chain, val, v);
+}
+EXPORT_SYMBOL(inet6addr_notifier_call_chain);
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 196ab9347ad1..0ba10e53a629 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -330,9 +330,17 @@ found:
         }
 
         if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            fq->q.meat == fq->q.len)
-                return ip6_frag_reasm(fq, prev, dev);
+            fq->q.meat == fq->q.len) {
+                int res;
+                unsigned long orefdst = skb->_skb_refdst;
+
+                skb->_skb_refdst = 0UL;
+                res = ip6_frag_reasm(fq, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return res;
+        }
 
+        skb_dst_drop(skb);
         inet_frag_lru_move(&fq->q);
         return -1;
 
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index f2627226a087..10a30b4fc7db 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -104,6 +104,15 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
 {
@@ -414,6 +423,15 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 4b677cf6bf7d..d6a59154d710 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -87,7 +87,16 @@ hash_net4_data_copy(struct hash_net4_elem *dst,
 static inline void
 hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_net4_data_reset_flags(struct hash_net4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
@@ -308,7 +317,16 @@ hash_net6_data_copy(struct hash_net6_elem *dst,
 static inline void
 hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_net6_data_reset_flags(struct hash_net6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 6ba985f1c96f..f2b0a3c30130 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -198,7 +198,16 @@ hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
 static inline void
 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+
+static inline void
+hash_netiface4_data_reset_flags(struct hash_netiface4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 
 static inline int
@@ -494,7 +503,7 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 static inline void
 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
 static inline int
@@ -504,6 +513,15 @@ hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
 }
 
 static inline void
+hash_netiface6_data_reset_flags(struct hash_netiface6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
+static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
         elem->elem = 0;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index af20c0c5ced2..349deb672a2d 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -104,6 +104,15 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_netport4_data_reset_flags(struct hash_netport4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_netport4_data_match(const struct hash_netport4_elem *elem)
 {
@@ -375,6 +384,15 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
         dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 
+static inline void
+hash_netport6_data_reset_flags(struct hash_netport6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+
 static inline int
 hash_netport6_data_match(const struct hash_netport6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 8371c2bac2e4..09c744aa8982 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -174,9 +174,13 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
 {
         const struct set_elem *e = list_set_elem(map, i);
 
-        if (i == map->size - 1 && e->id != IPSET_INVALID_ID)
-                /* Last element replaced: e.g. add new,before,last */
-                ip_set_put_byindex(e->id);
+        if (e->id != IPSET_INVALID_ID) {
+                const struct set_elem *x = list_set_elem(map, map->size - 1);
+
+                /* Last element replaced or pushed off */
+                if (x->id != IPSET_INVALID_ID)
+                        ip_set_put_byindex(x->id);
+        }
         if (with_timeout(map->timeout))
                 list_elem_tadd(map, i, id, ip_set_timeout_set(timeout));
         else
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 0e7d423324c3..e0c4373b4747 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1593,10 +1593,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                 end += strlen("\r\n\r\n") + clen;
 
                 msglen = origlen = end - dptr;
-                if (msglen > datalen) {
-                        nf_ct_helper_log(skb, ct, "incomplete/bad SIP message");
-                        return NF_DROP;
-                }
+                if (msglen > datalen)
+                        return NF_ACCEPT;
 
                 ret = process_sip_msg(skb, ct, protoff, dataoff,
                                       &dptr, &msglen);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 8d5769c6d16e..ad24be070e53 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -467,33 +467,22 @@ EXPORT_SYMBOL_GPL(nf_nat_packet);
 struct nf_nat_proto_clean {
         u8      l3proto;
         u8      l4proto;
-        bool    hash;
 };
 
-/* Clear NAT section of all conntracks, in case we're loaded again. */
-static int nf_nat_proto_clean(struct nf_conn *i, void *data)
+/* kill conntracks with affected NAT section */
+static int nf_nat_proto_remove(struct nf_conn *i, void *data)
 {
         const struct nf_nat_proto_clean *clean = data;
         struct nf_conn_nat *nat = nfct_nat(i);
 
         if (!nat)
                 return 0;
-        if (!(i->status & IPS_SRC_NAT_DONE))
-                return 0;
+
         if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
             (clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
                 return 0;
 
-        if (clean->hash) {
-                spin_lock_bh(&nf_nat_lock);
-                hlist_del_rcu(&nat->bysource);
-                spin_unlock_bh(&nf_nat_lock);
-        } else {
-                memset(nat, 0, sizeof(*nat));
-                i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK |
-                               IPS_SEQ_ADJUST);
-        }
-        return 0;
+        return i->status & IPS_NAT_MASK ? 1 : 0;
 }
 
 static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
@@ -505,16 +494,8 @@ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
         struct net *net;
 
         rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
         for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
-        synchronize_rcu();
-
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
         rtnl_unlock();
 }
 
@@ -526,16 +507,9 @@ static void nf_nat_l3proto_clean(u8 l3proto)
         struct net *net;
 
         rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
-        synchronize_rcu();
 
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
         for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
         rtnl_unlock();
 }
 
@@ -773,7 +747,7 @@ static void __net_exit nf_nat_net_exit(struct net *net)
 {
         struct nf_nat_proto_clean clean = {};
 
-        nf_ct_iterate_cleanup(net, &nf_nat_proto_clean, &clean);
+        nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
         synchronize_rcu();
         nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
 }