64 files changed, 456 insertions, 409 deletions
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 74dea377fe5b..de2e950a0a7a 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -655,7 +655,7 @@ static struct p9_trans_module p9_virtio_trans = {
        .create = p9_virtio_create,
        .close = p9_virtio_close,
        .request = p9_virtio_request,
-        //.zc_request = p9_virtio_zc_request,
+        .zc_request = p9_virtio_zc_request,
        .cancel = p9_virtio_cancel,
        /*
         * We leave one entry for input and one entry for response
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index a0b253ecadaf..a5bb0a769eb9 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1288,7 +1288,8 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
        batadv_ogm_packet = (struct batadv_ogm_packet *)packet_buff;
        /* unpack the aggregated packets and process them one by one */
-        do {
+        while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
+                                         batadv_ogm_packet->tt_num_changes)) {
                tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
                batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff,
@@ -1299,8 +1300,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
                packet_pos = packet_buff + buff_pos;
                batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
-        } while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
+        }
-                                           batadv_ogm_packet->tt_num_changes));
        kfree_skb(skb);
        return NET_RX_SUCCESS;
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index d5f1d3fd4b28..314c73ed418f 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -66,7 +66,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
                        goto out;
                }
-                mdst = br_mdb_get(br, skb);
+                mdst = br_mdb_get(br, skb, vid);
                if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb))
                        br_multicast_deliver(mdst, skb);
                else
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 480330151898..828e2bcc1f52 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -97,7 +97,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
        if (is_broadcast_ether_addr(dest))
                skb2 = skb;
        else if (is_multicast_ether_addr(dest)) {
-                mdst = br_mdb_get(br, skb);
+                mdst = br_mdb_get(br, skb, vid);
                if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) {
                        if ((mdst && mdst->mglist) ||
                            br_multicast_is_router(br))
diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
index 9f97b850fc65..ee79f3f20383 100644
--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -80,6 +80,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb,
                                port = p->port;
                                if (port) {
                                        struct br_mdb_entry e;
+                                        memset(&e, 0, sizeof(e));
                                        e.ifindex = port->dev->ifindex;
                                        e.state = p->state;
                                        if (p->addr.proto == htons(ETH_P_IP))
@@ -136,6 +137,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
                                break;
                        bpm = nlmsg_data(nlh);
+                        memset(bpm, 0, sizeof(*bpm));
                        bpm->ifindex = dev->ifindex;
                        if (br_mdb_fill_info(skb, cb, dev) < 0)
                                goto out;
@@ -171,6 +173,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb,
                return -EMSGSIZE;
        bpm = nlmsg_data(nlh);
+        memset(bpm, 0, sizeof(*bpm));
        bpm->family  = AF_BRIDGE;
        bpm->ifindex = dev->ifindex;
        nest = nla_nest_start(skb, MDBA_MDB);
@@ -228,6 +231,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port,
 {
        struct br_mdb_entry entry;
+        memset(&entry, 0, sizeof(entry));
        entry.ifindex = port->dev->ifindex;
        entry.addr.proto = group->proto;
        entry.addr.u.ip4 = group->u.ip4;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 10e6fce1bb62..923fbeaf7afd 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -132,7 +132,7 @@ static struct net_bridge_mdb_entry *br_mdb_ip6_get(
 #endif
 struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br,
-                                        struct sk_buff *skb)
+                                        struct sk_buff *skb, u16 vid)
 {
        struct net_bridge_mdb_htable *mdb = rcu_dereference(br->mdb);
        struct br_ip ip;
@@ -144,6 +144,7 @@ struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br,
                return NULL;
        ip.proto = skb->protocol;
+        ip.vid = vid;
        switch (skb->protocol) {
        case htons(ETH_P_IP):
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 27aa3ee517ce..299fc5f40a26 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -29,6 +29,7 @@ static inline size_t br_port_info_size(void)
                + nla_total_size(1)     /* IFLA_BRPORT_MODE */
                + nla_total_size(1)     /* IFLA_BRPORT_GUARD */
                + nla_total_size(1)     /* IFLA_BRPORT_PROTECT */
+                + nla_total_size(1)     /* IFLA_BRPORT_FAST_LEAVE */
                + 0;
 }
@@ -329,6 +330,7 @@ static int br_setport(struct net_bridge_port *p, struct nlattr *tb[])
        br_set_port_flag(p, tb, IFLA_BRPORT_MODE, BR_HAIRPIN_MODE);
        br_set_port_flag(p, tb, IFLA_BRPORT_GUARD, BR_BPDU_GUARD);
        br_set_port_flag(p, tb, IFLA_BRPORT_FAST_LEAVE, BR_MULTICAST_FAST_LEAVE);
+        br_set_port_flag(p, tb, IFLA_BRPORT_PROTECT, BR_ROOT_BLOCK);
        if (tb[IFLA_BRPORT_COST]) {
                err = br_stp_set_path_cost(p, nla_get_u32(tb[IFLA_BRPORT_COST]));
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 6d314c4e6bcb..3cbf5beb3d4b 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -442,7 +442,7 @@ extern int br_multicast_rcv(struct net_bridge *br,
                            struct net_bridge_port *port,
                            struct sk_buff *skb);
 extern struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br,
-                                               struct sk_buff *skb);
+                                               struct sk_buff *skb, u16 vid);
 extern void br_multicast_add_port(struct net_bridge_port *port);
 extern void br_multicast_del_port(struct net_bridge_port *port);
 extern void br_multicast_enable_port(struct net_bridge_port *port);
@@ -504,7 +504,7 @@ static inline int br_multicast_rcv(struct net_bridge *br,
 }
 static inline struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br,
-                                                      struct sk_buff *skb)
+                                                      struct sk_buff *skb, u16 vid)
 {
        return NULL;
 }
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index 69bc4bf89e3e..4543b9aba40c 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -654,6 +654,24 @@ static int osdmap_set_max_osd(struct ceph_osdmap *map, int max)
        return 0;
 }
+static int __decode_pgid(void **p, void *end, struct ceph_pg *pg)
+{
+        u8 v;
+        ceph_decode_need(p, end, 1+8+4+4, bad);
+        v = ceph_decode_8(p);
+        if (v != 1)
+                goto bad;
+        pg->pool = ceph_decode_64(p);
+        pg->seed = ceph_decode_32(p);
+        *p += 4; /* skip preferred */
+        return 0;
+bad:
+        dout("error decoding pgid\n");
+        return -EINVAL;
+}
 /*
 * decode a full map.
 */
@@ -745,13 +763,12 @@ struct ceph_osdmap *osdmap_decode(void **p, void *end)
        for (i = 0; i < len; i++) {
                int n, j;
                struct ceph_pg pgid;
-                struct ceph_pg_v1 pgid_v1;
                struct ceph_pg_mapping *pg;
-                ceph_decode_need(p, end, sizeof(u32) + sizeof(u64), bad);
+                err = __decode_pgid(p, end, &pgid);
-                ceph_decode_copy(p, &pgid_v1, sizeof(pgid_v1));
+                if (err)
-                pgid.pool = le32_to_cpu(pgid_v1.pool);
+                        goto bad;
-                pgid.seed = le16_to_cpu(pgid_v1.ps);
+                ceph_decode_need(p, end, sizeof(u32), bad);
                n = ceph_decode_32(p);
                err = -EINVAL;
                if (n > (UINT_MAX - sizeof(*pg)) / sizeof(u32))
@@ -818,8 +835,8 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
        u16 version;
        ceph_decode_16_safe(p, end, version, bad);
-        if (version > 6) {
+        if (version != 6) {
-                pr_warning("got unknown v %d > %d of inc osdmap\n", version, 6);
+                pr_warning("got unknown v %d != 6 of inc osdmap\n", version);
                goto bad;
        }
@@ -963,15 +980,14 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
        while (len--) {
                struct ceph_pg_mapping *pg;
                int j;
-                struct ceph_pg_v1 pgid_v1;
                struct ceph_pg pgid;
                u32 pglen;
-                ceph_decode_need(p, end, sizeof(u64) + sizeof(u32), bad);
-                ceph_decode_copy(p, &pgid_v1, sizeof(pgid_v1));
-                pgid.pool = le32_to_cpu(pgid_v1.pool);
-                pgid.seed = le16_to_cpu(pgid_v1.ps);
-                pglen = ceph_decode_32(p);
+                err = __decode_pgid(p, end, &pgid);
+                if (err)
+                        goto bad;
+                ceph_decode_need(p, end, sizeof(u32), bad);
+                pglen = ceph_decode_32(p);
                if (pglen) {
                        ceph_decode_need(p, end, pglen*sizeof(u32), bad);
diff --git a/net/core/dev.c b/net/core/dev.c
index 8f152f904f70..d540ced1f6c6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2219,9 +2219,9 @@ struct sk_buff *skb_mac_gso_segment(struct sk_buff *skb,
        struct sk_buff *segs = ERR_PTR(-EPROTONOSUPPORT);
        struct packet_offload *ptype;
        __be16 type = skb->protocol;
+        int vlan_depth = ETH_HLEN;
        while (type == htons(ETH_P_8021Q)) {
-                int vlan_depth = ETH_HLEN;
                struct vlan_hdr *vh;
                if (unlikely(!pskb_may_pull(skb, vlan_depth + VLAN_HLEN)))
@@ -3444,6 +3444,7 @@ ncls:
                }
                switch (rx_handler(&skb)) {
                case RX_HANDLER_CONSUMED:
+                        ret = NET_RX_SUCCESS;
                        goto unlock;
                case RX_HANDLER_ANOTHER:
                        goto another_round;
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 9d4c7201400d..e187bf06d673 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -140,6 +140,8 @@ ipv6:
                        flow->ports = *ports;
        }
+        flow->thoff = (u16) nhoff;
        return true;
 }
 EXPORT_SYMBOL(skb_flow_dissect);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b376410ff259..5fb8d7e47294 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -979,6 +979,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                         * report anything.
                         */
                        ivi.spoofchk = -1;
+                        memset(ivi.mac, 0, sizeof(ivi.mac));
                        if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
                                break;
                        vf_mac.vf =
@@ -2620,7 +2621,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                struct rtattr *attr = (void *)nlh + NLMSG_ALIGN(min_len);
                while (RTA_OK(attr, attrlen)) {
-                        unsigned int flavor = attr->rta_type;
+                        unsigned int flavor = attr->rta_type & NLA_TYPE_MASK;
                        if (flavor) {
                                if (flavor > rta_max[sz_idx])
                                        return -EINVAL;
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 1b588e23cf80..21291f1abcd6 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
        if (!netdev->dcbnl_ops->getpermhwaddr)
                return -EOPNOTSUPP;
+        memset(perm_addr, 0, sizeof(perm_addr));
        netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
        return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
        if (ops->ieee_getets) {
                struct ieee_ets ets;
+                memset(&ets, 0, sizeof(ets));
                err = ops->ieee_getets(netdev, &ets);
                if (!err &&
                    nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
        if (ops->ieee_getmaxrate) {
                struct ieee_maxrate maxrate;
+                memset(&maxrate, 0, sizeof(maxrate));
                err = ops->ieee_getmaxrate(netdev, &maxrate);
                if (!err) {
                        err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
        if (ops->ieee_getpfc) {
                struct ieee_pfc pfc;
+                memset(&pfc, 0, sizeof(pfc));
                err = ops->ieee_getpfc(netdev, &pfc);
                if (!err &&
                    nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
        /* get peer info if available */
        if (ops->ieee_peer_getets) {
                struct ieee_ets ets;
+                memset(&ets, 0, sizeof(ets));
                err = ops->ieee_peer_getets(netdev, &ets);
                if (!err &&
                    nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
        if (ops->ieee_peer_getpfc) {
                struct ieee_pfc pfc;
+                memset(&pfc, 0, sizeof(pfc));
                err = ops->ieee_peer_getpfc(netdev, &pfc);
                if (!err &&
                    nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
        /* peer info if available */
        if (ops->cee_peer_getpg) {
                struct cee_pg pg;
+                memset(&pg, 0, sizeof(pg));
                err = ops->cee_peer_getpg(netdev, &pg);
                if (!err &&
                    nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
        if (ops->cee_peer_getpfc) {
                struct cee_pfc pfc;
+                memset(&pfc, 0, sizeof(pfc));
                err = ops->cee_peer_getpfc(netdev, &pfc);
                if (!err &&
                    nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
diff --git a/net/ieee802154/6lowpan.h b/net/ieee802154/6lowpan.h
index 8c2251fb0a3f..bba5f8336317 100644
--- a/net/ieee802154/6lowpan.h
+++ b/net/ieee802154/6lowpan.h
@@ -84,7 +84,7 @@
        (memcmp(addr1, addr2, length >> 3) == 0)
 /* local link, i.e. FE80::/10 */
-#define is_addr_link_local(a) (((a)->s6_addr16[0]) == 0x80FE)
+#define is_addr_link_local(a) (((a)->s6_addr16[0]) == htons(0xFE80))
 /*
 * check whether we can compress the IID to 16 bits,
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 7d1874be1df3..786d97aee751 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -735,6 +735,7 @@ EXPORT_SYMBOL(inet_csk_destroy_sock);
 * tcp/dccp_create_openreq_child().
 */
 void inet_csk_prepare_forced_close(struct sock *sk)
+        __releases(&sk->sk_lock.slock)
 {
        /* sk_clone_lock locked the socket and set refcnt to 2 */
        bh_unlock_sock(sk);
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 245ae078a07f..f4fd23de9b13 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -21,6 +21,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/slab.h>
+#include <net/sock.h>
 #include <net/inet_frag.h>
 static void inet_frag_secret_rebuild(unsigned long dummy)
@@ -277,6 +278,7 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
        __releases(&f->lock)
 {
        struct inet_frag_queue *q;
+        int depth = 0;
        hlist_for_each_entry(q, &f->hash[hash], list) {
                if (q->net == nf && f->match(q, key)) {
@@ -284,9 +286,25 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
                        read_unlock(&f->lock);
                        return q;
                }
+                depth++;
        }
        read_unlock(&f->lock);
-        return inet_frag_create(nf, f, key);
+        if (depth <= INETFRAGS_MAXDEPTH)
+                return inet_frag_create(nf, f, key);
+        else
+                return ERR_PTR(-ENOBUFS);
 }
 EXPORT_SYMBOL(inet_frag_find);
+void inet_frag_maybe_warn_overflow(struct inet_frag_queue *q,
+                                   const char *prefix)
+{
+        static const char msg[] = "inet_frag_find: Fragment hash bucket"
+                " list length grew over limit " __stringify(INETFRAGS_MAXDEPTH)
+                ". Dropping fragment.\n";
+        if (PTR_ERR(q) == -ENOBUFS)
+                LIMIT_NETDEBUG(KERN_WARNING "%s%s", prefix, msg);
+}
+EXPORT_SYMBOL(inet_frag_maybe_warn_overflow);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index b6d30acb600c..a6445b843ef4 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -292,14 +292,11 @@ static inline struct ipq *ip_find(struct net *net, struct iphdr *iph, u32 user)
        hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol);
        q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash);
-        if (q == NULL)
+        if (IS_ERR_OR_NULL(q)) {
-                goto out_nomem;
+                inet_frag_maybe_warn_overflow(q, pr_fmt());
+                return NULL;
+        }
        return container_of(q, struct ipq, q);
-out_nomem:
-        LIMIT_NETDEBUG(KERN_ERR pr_fmt("ip_frag_create: no memory left !\n"));
-        return NULL;
 }
 /* Is the fragment too far ahead to be part of ipq? */
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d0ef0e674ec5..91d66dbde9c0 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -798,10 +798,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
        if (dev->header_ops && dev->type == ARPHRD_IPGRE) {
                gre_hlen = 0;
-                if (skb->protocol == htons(ETH_P_IP))
+                tiph = (const struct iphdr *)skb->data;
-                        tiph = (const struct iphdr *)skb->data;
-                else
-                        tiph = &tunnel->parms.iph;
        } else {
                gre_hlen = tunnel->hlen;
                tiph = &tunnel->parms.iph;
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 310a3647c83d..ec7264514a82 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -370,7 +370,6 @@ int ip_options_compile(struct net *net,
                                }
                                switch (optptr[3]&0xF) {
                                      case IPOPT_TS_TSONLY:
-                                        opt->ts = optptr - iph;
                                        if (skb)
                                                timeptr = &optptr[optptr[2]-1];
                                        opt->ts_needtime = 1;
@@ -381,7 +380,6 @@ int ip_options_compile(struct net *net,
                                                pp_ptr = optptr + 2;
                                                goto error;
                                        }
-                                        opt->ts = optptr - iph;
                                        if (rt)  {
                                                spec_dst_fill(&spec_dst, skb);
                                                memcpy(&optptr[optptr[2]-1], &spec_dst, 4);
@@ -396,7 +394,6 @@ int ip_options_compile(struct net *net,
                                                pp_ptr = optptr + 2;
                                                goto error;
                                        }
-                                        opt->ts = optptr - iph;
                                        {
                                                __be32 addr;
                                                memcpy(&addr, &optptr[optptr[2]-1], 4);
@@ -429,12 +426,12 @@ int ip_options_compile(struct net *net,
                                        pp_ptr = optptr + 3;
                                        goto error;
                                }
-                                opt->ts = optptr - iph;
                                if (skb) {
                                        optptr[3] = (optptr[3]&0xF)|((overflow+1)<<4);
                                        opt->is_changed = 1;
                                }
                        }
+                        opt->ts = optptr - iph;
                        break;
                      case IPOPT_RA:
                        if (optlen < 4) {
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 98cbc6877019..bf6c5cf31aed 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -1522,7 +1522,8 @@ static int __init ip_auto_config(void)
                }
        for (i++; i < CONF_NAMESERVERS_MAX; i++)
                if (ic_nameservers[i] != NONE)
-                        pr_cont(", nameserver%u=%pI4\n", i, &ic_nameservers[i]);
+                        pr_cont(", nameserver%u=%pI4", i, &ic_nameservers[i]);
+        pr_cont("\n");
 #endif /* !SILENT */
        return 0;
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ce2d43e1f09f..0d755c50994b 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -36,19 +36,6 @@ config NF_CONNTRACK_PROC_COMPAT
          If unsure, say Y.
-config IP_NF_QUEUE
-        tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
-        depends on NETFILTER_ADVANCED
-        help
-          Netfilter has the ability to queue packets to user space: the
-          netlink device can be used to access them using this driver.
-          This option enables the old IPv4-only "ip_queue" implementation
-          which has been obsoleted by the new "nfnetlink_queue" code (see
-          CONFIG_NETFILTER_NETLINK_QUEUE).
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        default m if NETFILTER_ADVANCED=n
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 47e854fcae24..e22020790709 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -775,7 +775,7 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
                         * Make sure that we have exactly size bytes
                         * available to the caller, no more, no less.
                         */
-                        skb->avail_size = size;
+                        skb->reserved_tailroom = skb->end - skb->tail - size;
                        return skb;
                }
                __kfree_skb(skb);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 4a8ec457310f..d09203c63264 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -274,13 +274,6 @@ static void tcp_v4_mtu_reduced(struct sock *sk)
        struct inet_sock *inet = inet_sk(sk);
        u32 mtu = tcp_sk(sk)->mtu_info;
-        /* We are not interested in TCP_LISTEN and open_requests (SYN-ACKs
-         * send out by Linux are always <576bytes so they should go through
-         * unfragmented).
-         */
-        if (sk->sk_state == TCP_LISTEN)
-                return;
        dst = inet_csk_update_pmtu(sk, mtu);
        if (!dst)
                return;
@@ -408,6 +401,13 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                        goto out;
                if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
+                        /* We are not interested in TCP_LISTEN and open_requests
+                         * (SYN-ACKs send out by Linux are always <576bytes so
+                         * they should go through unfragmented).
+                         */
+                        if (sk->sk_state == TCP_LISTEN)
+                                goto out;
                        tp->mtu_info = info;
                        if (!sock_owned_by_user(sk)) {
                                tcp_v4_mtu_reduced(sk);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index e2b4461074da..817fbb396bc8 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1298,7 +1298,6 @@ static void __pskb_trim_head(struct sk_buff *skb, int len)
        eat = min_t(int, len, skb_headlen(skb));
        if (eat) {
                __skb_pull(skb, eat);
-                skb->avail_size -= eat;
                len -= eat;
                if (!len)
                        return;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 265c42cf963c..0a073a263720 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1762,9 +1762,16 @@ int udp_rcv(struct sk_buff *skb)
 void udp_destroy_sock(struct sock *sk)
 {
+        struct udp_sock *up = udp_sk(sk);
        bool slow = lock_sock_fast(sk);
        udp_flush_pending_frames(sk);
        unlock_sock_fast(sk, slow);
+        if (static_key_false(&udp_encap_needed) && up->encap_type) {
+                void (*encap_destroy)(struct sock *sk);
+                encap_destroy = ACCESS_ONCE(up->encap_destroy);
+                if (encap_destroy)
+                        encap_destroy(sk);
+        }
 }
 /*
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index b1876e52091e..e33fe0ab2568 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -281,7 +281,8 @@ int ip6_mc_input(struct sk_buff *skb)
         *      IPv6 multicast router mode is now supported ;)
         */
        if (dev_net(skb->dev)->ipv6.devconf_all->mc_forwarding &&
-            !(ipv6_addr_type(&hdr->daddr) & IPV6_ADDR_LINKLOCAL) &&
+            !(ipv6_addr_type(&hdr->daddr) &
+              (IPV6_ADDR_LOOPBACK|IPV6_ADDR_LINKLOCAL)) &&
            likely(!(IP6CB(skb)->flags & IP6SKB_FORWARDED))) {
                /*
                 * Okay, we try to forward - split and duplicate
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index 83acc1405a18..33608c610276 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -114,6 +114,7 @@ ip6t_dnpt_tg(struct sk_buff *skb, const struct xt_action_param *par)
 static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
        {
                .name           = "SNPT",
+                .table          = "mangle",
                .target         = ip6t_snpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
                .checkentry     = ip6t_npt_checkentry,
@@ -124,6 +125,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
        },
        {
                .name           = "DNPT",
+                .table          = "mangle",
                .target         = ip6t_dnpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
                .checkentry     = ip6t_npt_checkentry,
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 54087e96d7b8..6700069949dd 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -14,6 +14,8 @@
 * 2 of the License, or (at your option) any later version.
 */
+#define pr_fmt(fmt) "IPv6-nf: " fmt
 #include <linux/errno.h>
 #include <linux/types.h>
 #include <linux/string.h>
@@ -180,13 +182,11 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
        q = inet_frag_find(&net->nf_frag.frags, &nf_frags, &arg, hash);
        local_bh_enable();
-        if (q == NULL)
+        if (IS_ERR_OR_NULL(q)) {
-                goto oom;
+                inet_frag_maybe_warn_overflow(q, pr_fmt());
+                return NULL;
+        }
        return container_of(q, struct frag_queue, q);
-oom:
-        return NULL;
 }
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 3c6a77290c6e..196ab9347ad1 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -26,6 +26,9 @@
 *      YOSHIFUJI,H. @USAGI     Always remove fragment header to
 *                              calculate ICV correctly.
 */
+#define pr_fmt(fmt) "IPv6: " fmt
 #include <linux/errno.h>
 #include <linux/types.h>
 #include <linux/string.h>
@@ -185,9 +188,10 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src, const struct in6
        hash = inet6_hash_frag(id, src, dst, ip6_frags.rnd);
        q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);
-        if (q == NULL)
+        if (IS_ERR_OR_NULL(q)) {
+                inet_frag_maybe_warn_overflow(q, pr_fmt());
                return NULL;
+        }
        return container_of(q, struct frag_queue, q);
 }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 9b6460055df5..f6d629fd6aee 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -389,6 +389,13 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        }
        if (type == ICMPV6_PKT_TOOBIG) {
+                /* We are not interested in TCP_LISTEN and open_requests
+                 * (SYN-ACKs send out by Linux are always <576bytes so
+                 * they should go through unfragmented).
+                 */
+                if (sk->sk_state == TCP_LISTEN)
+                        goto out;
                tp->mtu_info = ntohl(info);
                if (!sock_owned_by_user(sk))
                        tcp_v6_mtu_reduced(sk);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 599e1ba6d1ce..d8e5e852fc7a 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1285,10 +1285,18 @@ do_confirm:
 void udpv6_destroy_sock(struct sock *sk)
 {
+        struct udp_sock *up = udp_sk(sk);
        lock_sock(sk);
        udp_v6_flush_pending_frames(sk);
        release_sock(sk);
+        if (static_key_false(&udpv6_encap_needed) && up->encap_type) {
+                void (*encap_destroy)(struct sock *sk);
+                encap_destroy = ACCESS_ONCE(up->encap_destroy);
+                if (encap_destroy)
+                        encap_destroy(sk);
+        }
        inet6_destroy_sock(sk);
 }
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index d07e3a626446..d28e7f014cc6 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -2583,8 +2583,10 @@ bed:
                                    NULL, NULL, NULL);
                /* Check if the we got some results */
-                if (!self->cachedaddr)
+                if (!self->cachedaddr) {
-                        return -EAGAIN;         /* Didn't find any devices */
+                        err = -EAGAIN;          /* Didn't find any devices */
+                        goto out;
+                }
                daddr = self->cachedaddr;
                /* Cleanup */
                self->cachedaddr = 0;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 556fdafdd1ea..8555f331ea60 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2201,7 +2201,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
                      XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);
        xp->priority = pol->sadb_x_policy_priority;
-        sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
+        sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];
        xp->family = pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.saddr);
        if (!xp->family) {
                err = -EINVAL;
@@ -2214,7 +2214,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
        if (xp->selector.sport)
                xp->selector.sport_mask = htons(0xffff);
-        sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1],
+        sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];
        pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.daddr);
        xp->selector.prefixlen_d = sa->sadb_address_prefixlen;
@@ -2315,7 +2315,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
        memset(&sel, 0, sizeof(sel));
-        sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
+        sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];
        sel.family = pfkey_sadb_addr2xfrm_addr(sa, &sel.saddr);
        sel.prefixlen_s = sa->sadb_address_prefixlen;
        sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
@@ -2323,7 +2323,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
        if (sel.sport)
                sel.sport_mask = htons(0xffff);
-        sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1],
+        sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];
        pfkey_sadb_addr2xfrm_addr(sa, &sel.daddr);
        sel.prefixlen_d = sa->sadb_address_prefixlen;
        sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index d36875f3427e..8aecf5df6656 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -114,7 +114,6 @@ struct l2tp_net {
 static void l2tp_session_set_header_len(struct l2tp_session *session, int version);
 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
-static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
 static inline struct l2tp_net *l2tp_pernet(struct net *net)
 {
@@ -192,6 +191,7 @@ struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
        } else {
                /* Socket is owned by kernelspace */
                sk = tunnel->sock;
+                sock_hold(sk);
        }
 out:
@@ -210,6 +210,7 @@ void l2tp_tunnel_sock_put(struct sock *sk)
                }
                sock_put(sk);
        }
+        sock_put(sk);
 }
 EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_put);
@@ -373,10 +374,8 @@ static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *sk
        struct sk_buff *skbp;
        struct sk_buff *tmp;
        u32 ns = L2TP_SKB_CB(skb)->ns;
-        struct l2tp_stats *sstats;
        spin_lock_bh(&session->reorder_q.lock);
-        sstats = &session->stats;
        skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
                if (L2TP_SKB_CB(skbp)->ns > ns) {
                        __skb_queue_before(&session->reorder_q, skbp, skb);
@@ -384,9 +383,7 @@ static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *sk
                                 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
                                 session->name, ns, L2TP_SKB_CB(skbp)->ns,
                                 skb_queue_len(&session->reorder_q));
-                        u64_stats_update_begin(&sstats->syncp);
+                        atomic_long_inc(&session->stats.rx_oos_packets);
-                        sstats->rx_oos_packets++;
-                        u64_stats_update_end(&sstats->syncp);
                        goto out;
                }
        }
@@ -403,23 +400,16 @@ static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *
 {
        struct l2tp_tunnel *tunnel = session->tunnel;
        int length = L2TP_SKB_CB(skb)->length;
-        struct l2tp_stats *tstats, *sstats;
        /* We're about to requeue the skb, so return resources
         * to its current owner (a socket receive buffer).
         */
        skb_orphan(skb);
-        tstats = &tunnel->stats;
+        atomic_long_inc(&tunnel->stats.rx_packets);
-        u64_stats_update_begin(&tstats->syncp);
+        atomic_long_add(length, &tunnel->stats.rx_bytes);
-        sstats = &session->stats;
+        atomic_long_inc(&session->stats.rx_packets);
-        u64_stats_update_begin(&sstats->syncp);
+        atomic_long_add(length, &session->stats.rx_bytes);
-        tstats->rx_packets++;
-        tstats->rx_bytes += length;
-        sstats->rx_packets++;
-        sstats->rx_bytes += length;
-        u64_stats_update_end(&tstats->syncp);
-        u64_stats_update_end(&sstats->syncp);
        if (L2TP_SKB_CB(skb)->has_seq) {
                /* Bump our Nr */
@@ -450,7 +440,6 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
 {
        struct sk_buff *skb;
        struct sk_buff *tmp;
-        struct l2tp_stats *sstats;
        /* If the pkt at the head of the queue has the nr that we
         * expect to send up next, dequeue it and any other
@@ -458,13 +447,10 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
         */
 start:
        spin_lock_bh(&session->reorder_q.lock);
-        sstats = &session->stats;
        skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
                if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
-                        u64_stats_update_begin(&sstats->syncp);
+                        atomic_long_inc(&session->stats.rx_seq_discards);
-                        sstats->rx_seq_discards++;
+                        atomic_long_inc(&session->stats.rx_errors);
-                        sstats->rx_errors++;
-                        u64_stats_update_end(&sstats->syncp);
                        l2tp_dbg(session, L2TP_MSG_SEQ,
                                 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
                                 session->name, L2TP_SKB_CB(skb)->ns,
@@ -623,7 +609,6 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
        struct l2tp_tunnel *tunnel = session->tunnel;
        int offset;
        u32 ns, nr;
-        struct l2tp_stats *sstats = &session->stats;
        /* The ref count is increased since we now hold a pointer to
         * the session. Take care to decrement the refcnt when exiting
@@ -640,9 +625,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                                  "%s: cookie mismatch (%u/%u). Discarding.\n",
                                  tunnel->name, tunnel->tunnel_id,
                                  session->session_id);
-                        u64_stats_update_begin(&sstats->syncp);
+                        atomic_long_inc(&session->stats.rx_cookie_discards);
-                        sstats->rx_cookie_discards++;
-                        u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
                ptr += session->peer_cookie_len;
@@ -711,9 +694,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                        l2tp_warn(session, L2TP_MSG_SEQ,
                                  "%s: recv data has no seq numbers when required. Discarding.\n",
                                  session->name);
-                        u64_stats_update_begin(&sstats->syncp);
+                        atomic_long_inc(&session->stats.rx_seq_discards);
-                        sstats->rx_seq_discards++;
-                        u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
@@ -732,9 +713,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                        l2tp_warn(session, L2TP_MSG_SEQ,
                                  "%s: recv data has no seq numbers when required. Discarding.\n",
                                  session->name);
-                        u64_stats_update_begin(&sstats->syncp);
+                        atomic_long_inc(&session->stats.rx_seq_discards);
-                        sstats->rx_seq_discards++;
-                        u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
        }
@@ -788,9 +767,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                         * packets
                         */
                        if (L2TP_SKB_CB(skb)->ns != session->nr) {
-                                u64_stats_update_begin(&sstats->syncp);
+                                atomic_long_inc(&session->stats.rx_seq_discards);
-                                sstats->rx_seq_discards++;
-                                u64_stats_update_end(&sstats->syncp);
                                l2tp_dbg(session, L2TP_MSG_SEQ,
                                         "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
                                         session->name, L2TP_SKB_CB(skb)->ns,
@@ -816,9 +793,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
        return;
 discard:
-        u64_stats_update_begin(&sstats->syncp);
+        atomic_long_inc(&session->stats.rx_errors);
-        sstats->rx_errors++;
-        u64_stats_update_end(&sstats->syncp);
        kfree_skb(skb);
        if (session->deref)
@@ -828,6 +803,23 @@ discard:
 }
 EXPORT_SYMBOL(l2tp_recv_common);
+/* Drop skbs from the session's reorder_q
+ */
+int l2tp_session_queue_purge(struct l2tp_session *session)
+{
+        struct sk_buff *skb = NULL;
+        BUG_ON(!session);
+        BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+        while ((skb = skb_dequeue(&session->reorder_q))) {
+                atomic_long_inc(&session->stats.rx_errors);
+                kfree_skb(skb);
+                if (session->deref)
+                        (*session->deref)(session);
+        }
+        return 0;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
 * here. The skb is not on a list when we get here.
 * Returns 0 if the packet was a data packet and was successfully passed on.
@@ -843,7 +835,6 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
        u32 tunnel_id, session_id;
        u16 version;
        int length;
-        struct l2tp_stats *tstats;
        if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb))
                goto discard_bad_csum;
@@ -932,10 +923,7 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
 discard_bad_csum:
        LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name);
        UDP_INC_STATS_USER(tunnel->l2tp_net, UDP_MIB_INERRORS, 0);
-        tstats = &tunnel->stats;
+        atomic_long_inc(&tunnel->stats.rx_errors);
-        u64_stats_update_begin(&tstats->syncp);
-        tstats->rx_errors++;
-        u64_stats_update_end(&tstats->syncp);
        kfree_skb(skb);
        return 0;
@@ -1062,7 +1050,6 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
        struct l2tp_tunnel *tunnel = session->tunnel;
        unsigned int len = skb->len;
        int error;
-        struct l2tp_stats *tstats, *sstats;
        /* Debug */
        if (session->send_seq)
@@ -1091,21 +1078,15 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
                error = ip_queue_xmit(skb, fl);
        /* Update stats */
-        tstats = &tunnel->stats;
-        u64_stats_update_begin(&tstats->syncp);
-        sstats = &session->stats;
-        u64_stats_update_begin(&sstats->syncp);
        if (error >= 0) {
-                tstats->tx_packets++;
+                atomic_long_inc(&tunnel->stats.tx_packets);
-                tstats->tx_bytes += len;
+                atomic_long_add(len, &tunnel->stats.tx_bytes);
-                sstats->tx_packets++;
+                atomic_long_inc(&session->stats.tx_packets);
-                sstats->tx_bytes += len;
+                atomic_long_add(len, &session->stats.tx_bytes);
        } else {
-                tstats->tx_errors++;
+                atomic_long_inc(&tunnel->stats.tx_errors);
-                sstats->tx_errors++;
+                atomic_long_inc(&session->stats.tx_errors);
        }
-        u64_stats_update_end(&tstats->syncp);
-        u64_stats_update_end(&sstats->syncp);
        return 0;
 }
@@ -1282,6 +1263,7 @@ static void l2tp_tunnel_destruct(struct sock *sk)
                /* No longer an encapsulation socket. See net/ipv4/udp.c */
                (udp_sk(sk))->encap_type = 0;
                (udp_sk(sk))->encap_rcv = NULL;
+                (udp_sk(sk))->encap_destroy = NULL;
                break;
        case L2TP_ENCAPTYPE_IP:
                break;
@@ -1311,7 +1293,7 @@ end:
 /* When the tunnel is closed, all the attached sessions need to go too.
 */
-static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
+void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
 {
        int hash;
        struct hlist_node *walk;
@@ -1334,25 +1316,13 @@ again:
                        hlist_del_init(&session->hlist);
-                        /* Since we should hold the sock lock while
-                         * doing any unbinding, we need to release the
-                         * lock we're holding before taking that lock.
-                         * Hold a reference to the sock so it doesn't
-                         * disappear as we're jumping between locks.
-                         */
                        if (session->ref != NULL)
                                (*session->ref)(session);
                        write_unlock_bh(&tunnel->hlist_lock);
-                        if (tunnel->version != L2TP_HDR_VER_2) {
+                        __l2tp_session_unhash(session);
-                                struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
+                        l2tp_session_queue_purge(session);
-                                spin_lock_bh(&pn->l2tp_session_hlist_lock);
-                                hlist_del_init_rcu(&session->global_hlist);
-                                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
-                                synchronize_rcu();
-                        }
                        if (session->session_close != NULL)
                                (*session->session_close)(session);
@@ -1360,6 +1330,8 @@ again:
                        if (session->deref != NULL)
                                (*session->deref)(session);
+                        l2tp_session_dec_refcount(session);
                        write_lock_bh(&tunnel->hlist_lock);
                        /* Now restart from the beginning of this hash
@@ -1372,6 +1344,17 @@ again:
        }
        write_unlock_bh(&tunnel->hlist_lock);
 }
+EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
+/* Tunnel socket destroy hook for UDP encapsulation */
+static void l2tp_udp_encap_destroy(struct sock *sk)
+{
+        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+        if (tunnel) {
+                l2tp_tunnel_closeall(tunnel);
+                sock_put(sk);
+        }
+}
 /* Really kill the tunnel.
 * Come here only when all sessions have been cleared from the tunnel.
@@ -1397,19 +1380,21 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
                return;
        sock = sk->sk_socket;
-        BUG_ON(!sock);
-        /* If the tunnel socket was created directly by the kernel, use the
+        /* If the tunnel socket was created by userspace, then go through the
-         * sk_* API to release the socket now.  Otherwise go through the
+         * inet layer to shut the socket down, and let userspace close it.
-         * inet_* layer to shut the socket down, and let userspace close it.
+         * Otherwise, if we created the socket directly within the kernel, use
+         * the sk API to release it here.
         * In either case the tunnel resources are freed in the socket
         * destructor when the tunnel socket goes away.
         */
-        if (sock->file == NULL) {
+        if (tunnel->fd >= 0) {
-                kernel_sock_shutdown(sock, SHUT_RDWR);
+                if (sock)
-                sk_release_kernel(sk);
+                        inet_shutdown(sock, 2);
        } else {
-                inet_shutdown(sock, 2);
+                if (sock)
+                        kernel_sock_shutdown(sock, SHUT_RDWR);
+                sk_release_kernel(sk);
        }
        l2tp_tunnel_sock_put(sk);
@@ -1668,6 +1653,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
                udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
                udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+                udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
 #if IS_ENABLED(CONFIG_IPV6)
                if (sk->sk_family == PF_INET6)
                        udpv6_encap_enable();
@@ -1723,6 +1709,7 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
 */
 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
 {
+        l2tp_tunnel_closeall(tunnel);
        return (false == queue_work(l2tp_wq, &tunnel->del_work));
 }
 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
@@ -1731,62 +1718,71 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
 */
 void l2tp_session_free(struct l2tp_session *session)
 {
-        struct l2tp_tunnel *tunnel;
+        struct l2tp_tunnel *tunnel = session->tunnel;
        BUG_ON(atomic_read(&session->ref_count) != 0);
-        tunnel = session->tunnel;
+        if (tunnel) {
-        if (tunnel != NULL) {
                BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
+                if (session->session_id != 0)
+                        atomic_dec(&l2tp_session_count);
+                sock_put(tunnel->sock);
+                session->tunnel = NULL;
+                l2tp_tunnel_dec_refcount(tunnel);
+        }
+        kfree(session);
-                /* Delete the session from the hash */
+        return;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_free);
+/* Remove an l2tp session from l2tp_core's hash lists.
+ * Provides a tidyup interface for pseudowire code which can't just route all
+ * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
+ * callback.
+ */
+void __l2tp_session_unhash(struct l2tp_session *session)
+{
+        struct l2tp_tunnel *tunnel = session->tunnel;
+        /* Remove the session from core hashes */
+        if (tunnel) {
+                /* Remove from the per-tunnel hash */
                write_lock_bh(&tunnel->hlist_lock);
                hlist_del_init(&session->hlist);
                write_unlock_bh(&tunnel->hlist_lock);
-                /* Unlink from the global hash if not L2TPv2 */
+                /* For L2TPv3 we have a per-net hash: remove from there, too */
                if (tunnel->version != L2TP_HDR_VER_2) {
                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
                        hlist_del_init_rcu(&session->global_hlist);
                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
                        synchronize_rcu();
                }
-                if (session->session_id != 0)
-                        atomic_dec(&l2tp_session_count);
-                sock_put(tunnel->sock);
-                /* This will delete the tunnel context if this
-                 * is the last session on the tunnel.
-                 */
-                session->tunnel = NULL;
-                l2tp_tunnel_dec_refcount(tunnel);
        }
-        kfree(session);
-        return;
 }
-EXPORT_SYMBOL_GPL(l2tp_session_free);
+EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
 /* This function is used by the netlink SESSION_DELETE command and by
   pseudowire modules.
 */
 int l2tp_session_delete(struct l2tp_session *session)
 {
+        if (session->ref)
+                (*session->ref)(session);
+        __l2tp_session_unhash(session);
+        l2tp_session_queue_purge(session);
        if (session->session_close != NULL)
                (*session->session_close)(session);
+        if (session->deref)
+                (*session->ref)(session);
        l2tp_session_dec_refcount(session);
        return 0;
 }
 EXPORT_SYMBOL_GPL(l2tp_session_delete);
 /* We come here whenever a session's send_seq, cookie_len or
 * l2specific_len parameters are set.
 */
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 8eb8f1d47f3a..485a490fd990 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -36,16 +36,15 @@ enum {
 struct sk_buff;
 struct l2tp_stats {
-        u64                     tx_packets;
+        atomic_long_t           tx_packets;
-        u64                     tx_bytes;
+        atomic_long_t           tx_bytes;
-        u64                     tx_errors;
+        atomic_long_t           tx_errors;
-        u64                     rx_packets;
+        atomic_long_t           rx_packets;
-        u64                     rx_bytes;
+        atomic_long_t           rx_bytes;
-        u64                     rx_seq_discards;
+        atomic_long_t           rx_seq_discards;
-        u64                     rx_oos_packets;
+        atomic_long_t           rx_oos_packets;
-        u64                     rx_errors;
+        atomic_long_t           rx_errors;
-        u64                     rx_cookie_discards;
+        atomic_long_t           rx_cookie_discards;
-        struct u64_stats_sync   syncp;
 };
 struct l2tp_tunnel;
@@ -240,11 +239,14 @@ extern struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
 extern struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);
 extern int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp);
+extern void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
 extern int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
 extern struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg);
+extern void __l2tp_session_unhash(struct l2tp_session *session);
 extern int l2tp_session_delete(struct l2tp_session *session);
 extern void l2tp_session_free(struct l2tp_session *session);
 extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb));
+extern int l2tp_session_queue_purge(struct l2tp_session *session);
 extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
 extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len);
diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
index c3813bc84552..072d7202e182 100644
--- a/net/l2tp/l2tp_debugfs.c
+++ b/net/l2tp/l2tp_debugfs.c
@@ -146,14 +146,14 @@ static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v)
                   tunnel->sock ? atomic_read(&tunnel->sock->sk_refcnt) : 0,
                   atomic_read(&tunnel->ref_count));
-        seq_printf(m, " %08x rx %llu/%llu/%llu rx %llu/%llu/%llu\n",
+        seq_printf(m, " %08x rx %ld/%ld/%ld rx %ld/%ld/%ld\n",
                   tunnel->debug,
-                   (unsigned long long)tunnel->stats.tx_packets,
+                   atomic_long_read(&tunnel->stats.tx_packets),
-                   (unsigned long long)tunnel->stats.tx_bytes,
+                   atomic_long_read(&tunnel->stats.tx_bytes),
-                   (unsigned long long)tunnel->stats.tx_errors,
+                   atomic_long_read(&tunnel->stats.tx_errors),
-                   (unsigned long long)tunnel->stats.rx_packets,
+                   atomic_long_read(&tunnel->stats.rx_packets),
-                   (unsigned long long)tunnel->stats.rx_bytes,
+                   atomic_long_read(&tunnel->stats.rx_bytes),
-                   (unsigned long long)tunnel->stats.rx_errors);
+                   atomic_long_read(&tunnel->stats.rx_errors));
        if (tunnel->show != NULL)
                tunnel->show(m, tunnel);
@@ -203,14 +203,14 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v)
                seq_printf(m, "\n");
        }
-        seq_printf(m, "   %hu/%hu tx %llu/%llu/%llu rx %llu/%llu/%llu\n",
+        seq_printf(m, "   %hu/%hu tx %ld/%ld/%ld rx %ld/%ld/%ld\n",
                   session->nr, session->ns,
-                   (unsigned long long)session->stats.tx_packets,
+                   atomic_long_read(&session->stats.tx_packets),
-                   (unsigned long long)session->stats.tx_bytes,
+                   atomic_long_read(&session->stats.tx_bytes),
-                   (unsigned long long)session->stats.tx_errors,
+                   atomic_long_read(&session->stats.tx_errors),
-                   (unsigned long long)session->stats.rx_packets,
+                   atomic_long_read(&session->stats.rx_packets),
-                   (unsigned long long)session->stats.rx_bytes,
+                   atomic_long_read(&session->stats.rx_bytes),
-                   (unsigned long long)session->stats.rx_errors);
+                   atomic_long_read(&session->stats.rx_errors));
        if (session->show != NULL)
                session->show(m, session);
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 7f41b7051269..571db8dd2292 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -228,10 +228,16 @@ static void l2tp_ip_close(struct sock *sk, long timeout)
 static void l2tp_ip_destroy_sock(struct sock *sk)
 {
        struct sk_buff *skb;
+        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
        while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL)
                kfree_skb(skb);
+        if (tunnel) {
+                l2tp_tunnel_closeall(tunnel);
+                sock_put(sk);
+        }
        sk_refcnt_debug_dec(sk);
 }
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 41f2f8126ebc..c74f5a91ff6a 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -241,10 +241,17 @@ static void l2tp_ip6_close(struct sock *sk, long timeout)
 static void l2tp_ip6_destroy_sock(struct sock *sk)
 {
+        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
        lock_sock(sk);
        ip6_flush_pending_frames(sk);
        release_sock(sk);
+        if (tunnel) {
+                l2tp_tunnel_closeall(tunnel);
+                sock_put(sk);
+        }
        inet6_destroy_sock(sk);
 }
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index c1bab22db85e..0825ff26e113 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -246,8 +246,6 @@ static int l2tp_nl_tunnel_send(struct sk_buff *skb, u32 portid, u32 seq, int fla
 #if IS_ENABLED(CONFIG_IPV6)
        struct ipv6_pinfo *np = NULL;
 #endif
-        struct l2tp_stats stats;
-        unsigned int start;
        hdr = genlmsg_put(skb, portid, seq, &l2tp_nl_family, flags,
                          L2TP_CMD_TUNNEL_GET);
@@ -265,28 +263,22 @@ static int l2tp_nl_tunnel_send(struct sk_buff *skb, u32 portid, u32 seq, int fla
        if (nest == NULL)
                goto nla_put_failure;
-        do {
+        if (nla_put_u64(skb, L2TP_ATTR_TX_PACKETS,
-                start = u64_stats_fetch_begin(&tunnel->stats.syncp);
+                    atomic_long_read(&tunnel->stats.tx_packets)) ||
-                stats.tx_packets = tunnel->stats.tx_packets;
+            nla_put_u64(skb, L2TP_ATTR_TX_BYTES,
-                stats.tx_bytes = tunnel->stats.tx_bytes;
+                    atomic_long_read(&tunnel->stats.tx_bytes)) ||
-                stats.tx_errors = tunnel->stats.tx_errors;
+            nla_put_u64(skb, L2TP_ATTR_TX_ERRORS,
-                stats.rx_packets = tunnel->stats.rx_packets;
+                    atomic_long_read(&tunnel->stats.tx_errors)) ||
-                stats.rx_bytes = tunnel->stats.rx_bytes;
+            nla_put_u64(skb, L2TP_ATTR_RX_PACKETS,
-                stats.rx_errors = tunnel->stats.rx_errors;
+                    atomic_long_read(&tunnel->stats.rx_packets)) ||
-                stats.rx_seq_discards = tunnel->stats.rx_seq_discards;
+            nla_put_u64(skb, L2TP_ATTR_RX_BYTES,
-                stats.rx_oos_packets = tunnel->stats.rx_oos_packets;
+                    atomic_long_read(&tunnel->stats.rx_bytes)) ||
-        } while (u64_stats_fetch_retry(&tunnel->stats.syncp, start));
-        if (nla_put_u64(skb, L2TP_ATTR_TX_PACKETS, stats.tx_packets) ||
-            nla_put_u64(skb, L2TP_ATTR_TX_BYTES, stats.tx_bytes) ||
-            nla_put_u64(skb, L2TP_ATTR_TX_ERRORS, stats.tx_errors) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_PACKETS, stats.rx_packets) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_BYTES, stats.rx_bytes) ||
            nla_put_u64(skb, L2TP_ATTR_RX_SEQ_DISCARDS,
-                        stats.rx_seq_discards) ||
+                    atomic_long_read(&tunnel->stats.rx_seq_discards)) ||
            nla_put_u64(skb, L2TP_ATTR_RX_OOS_PACKETS,
-                        stats.rx_oos_packets) ||
+                    atomic_long_read(&tunnel->stats.rx_oos_packets)) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_ERRORS, stats.rx_errors))
+            nla_put_u64(skb, L2TP_ATTR_RX_ERRORS,
+                    atomic_long_read(&tunnel->stats.rx_errors)))
                goto nla_put_failure;
        nla_nest_end(skb, nest);
@@ -612,8 +604,6 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl
        struct nlattr *nest;
        struct l2tp_tunnel *tunnel = session->tunnel;
        struct sock *sk = NULL;
-        struct l2tp_stats stats;
-        unsigned int start;
        sk = tunnel->sock;
@@ -656,28 +646,22 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl
        if (nest == NULL)
                goto nla_put_failure;
-        do {
+        if (nla_put_u64(skb, L2TP_ATTR_TX_PACKETS,
-                start = u64_stats_fetch_begin(&session->stats.syncp);
+                atomic_long_read(&session->stats.tx_packets)) ||
-                stats.tx_packets = session->stats.tx_packets;
+            nla_put_u64(skb, L2TP_ATTR_TX_BYTES,
-                stats.tx_bytes = session->stats.tx_bytes;
+                atomic_long_read(&session->stats.tx_bytes)) ||
-                stats.tx_errors = session->stats.tx_errors;
+            nla_put_u64(skb, L2TP_ATTR_TX_ERRORS,
-                stats.rx_packets = session->stats.rx_packets;
+                atomic_long_read(&session->stats.tx_errors)) ||
-                stats.rx_bytes = session->stats.rx_bytes;
+            nla_put_u64(skb, L2TP_ATTR_RX_PACKETS,
-                stats.rx_errors = session->stats.rx_errors;
+                atomic_long_read(&session->stats.rx_packets)) ||
-                stats.rx_seq_discards = session->stats.rx_seq_discards;
+            nla_put_u64(skb, L2TP_ATTR_RX_BYTES,
-                stats.rx_oos_packets = session->stats.rx_oos_packets;
+                atomic_long_read(&session->stats.rx_bytes)) ||
-        } while (u64_stats_fetch_retry(&session->stats.syncp, start));
-        if (nla_put_u64(skb, L2TP_ATTR_TX_PACKETS, stats.tx_packets) ||
-            nla_put_u64(skb, L2TP_ATTR_TX_BYTES, stats.tx_bytes) ||
-            nla_put_u64(skb, L2TP_ATTR_TX_ERRORS, stats.tx_errors) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_PACKETS, stats.rx_packets) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_BYTES, stats.rx_bytes) ||
            nla_put_u64(skb, L2TP_ATTR_RX_SEQ_DISCARDS,
-                        stats.rx_seq_discards) ||
+                atomic_long_read(&session->stats.rx_seq_discards)) ||
            nla_put_u64(skb, L2TP_ATTR_RX_OOS_PACKETS,
-                        stats.rx_oos_packets) ||
+                atomic_long_read(&session->stats.rx_oos_packets)) ||
-            nla_put_u64(skb, L2TP_ATTR_RX_ERRORS, stats.rx_errors))
+            nla_put_u64(skb, L2TP_ATTR_RX_ERRORS,
+                atomic_long_read(&session->stats.rx_errors)))
                goto nla_put_failure;
        nla_nest_end(skb, nest);
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 6a53371dba1f..637a341c1e2d 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -97,6 +97,7 @@
 #include <net/ip.h>
 #include <net/udp.h>
 #include <net/xfrm.h>
+#include <net/inet_common.h>
 #include <asm/byteorder.h>
 #include <linux/atomic.h>
@@ -259,7 +260,7 @@ static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int
                          session->name);
                /* Not bound. Nothing we can do, so discard. */
-                session->stats.rx_errors++;
+                atomic_long_inc(&session->stats.rx_errors);
                kfree_skb(skb);
        }
@@ -447,34 +448,16 @@ static void pppol2tp_session_close(struct l2tp_session *session)
 {
        struct pppol2tp_session *ps = l2tp_session_priv(session);
        struct sock *sk = ps->sock;
-        struct sk_buff *skb;
+        struct socket *sock = sk->sk_socket;
        BUG_ON(session->magic != L2TP_SESSION_MAGIC);
-        if (session->session_id == 0)
-                goto out;
-        if (sk != NULL) {
-                lock_sock(sk);
-                if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) {
-                        pppox_unbind_sock(sk);
-                        sk->sk_state = PPPOX_DEAD;
-                        sk->sk_state_change(sk);
-                }
-                /* Purge any queued data */
-                skb_queue_purge(&sk->sk_receive_queue);
-                skb_queue_purge(&sk->sk_write_queue);
-                while ((skb = skb_dequeue(&session->reorder_q))) {
-                        kfree_skb(skb);
-                        sock_put(sk);
-                }
-                release_sock(sk);
+        if (sock) {
+                inet_shutdown(sock, 2);
+                /* Don't let the session go away before our socket does */
+                l2tp_session_inc_refcount(session);
        }
-out:
        return;
 }
@@ -483,19 +466,12 @@ out:
 */
 static void pppol2tp_session_destruct(struct sock *sk)
 {
-        struct l2tp_session *session;
+        struct l2tp_session *session = sk->sk_user_data;
+        if (session) {
-        if (sk->sk_user_data != NULL) {
-                session = sk->sk_user_data;
-                if (session == NULL)
-                        goto out;
                sk->sk_user_data = NULL;
                BUG_ON(session->magic != L2TP_SESSION_MAGIC);
                l2tp_session_dec_refcount(session);
        }
-out:
        return;
 }
@@ -525,16 +501,13 @@ static int pppol2tp_release(struct socket *sock)
        session = pppol2tp_sock_to_session(sk);
        /* Purge any queued data */
-        skb_queue_purge(&sk->sk_receive_queue);
-        skb_queue_purge(&sk->sk_write_queue);
        if (session != NULL) {
-                struct sk_buff *skb;
+                __l2tp_session_unhash(session);
-                while ((skb = skb_dequeue(&session->reorder_q))) {
+                l2tp_session_queue_purge(session);
-                        kfree_skb(skb);
-                        sock_put(sk);
-                }
                sock_put(sk);
        }
+        skb_queue_purge(&sk->sk_receive_queue);
+        skb_queue_purge(&sk->sk_write_queue);
        release_sock(sk);
@@ -880,18 +853,6 @@ out:
        return error;
 }
-/* Called when deleting sessions via the netlink interface.
- */
-static int pppol2tp_session_delete(struct l2tp_session *session)
-{
-        struct pppol2tp_session *ps = l2tp_session_priv(session);
-        if (ps->sock == NULL)
-                l2tp_session_dec_refcount(session);
-        return 0;
-}
 #endif /* CONFIG_L2TP_V3 */
 /* getname() support.
@@ -1025,14 +986,14 @@ end:
 static void pppol2tp_copy_stats(struct pppol2tp_ioc_stats *dest,
                                struct l2tp_stats *stats)
 {
-        dest->tx_packets = stats->tx_packets;
+        dest->tx_packets = atomic_long_read(&stats->tx_packets);
-        dest->tx_bytes = stats->tx_bytes;
+        dest->tx_bytes = atomic_long_read(&stats->tx_bytes);
-        dest->tx_errors = stats->tx_errors;
+        dest->tx_errors = atomic_long_read(&stats->tx_errors);
-        dest->rx_packets = stats->rx_packets;
+        dest->rx_packets = atomic_long_read(&stats->rx_packets);
-        dest->rx_bytes = stats->rx_bytes;
+        dest->rx_bytes = atomic_long_read(&stats->rx_bytes);
-        dest->rx_seq_discards = stats->rx_seq_discards;
+        dest->rx_seq_discards = atomic_long_read(&stats->rx_seq_discards);
-        dest->rx_oos_packets = stats->rx_oos_packets;
+        dest->rx_oos_packets = atomic_long_read(&stats->rx_oos_packets);
-        dest->rx_errors = stats->rx_errors;
+        dest->rx_errors = atomic_long_read(&stats->rx_errors);
 }
 /* Session ioctl helper.
@@ -1666,14 +1627,14 @@ static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
                   tunnel->name,
                   (tunnel == tunnel->sock->sk_user_data) ? 'Y' : 'N',
                   atomic_read(&tunnel->ref_count) - 1);
-        seq_printf(m, " %08x %llu/%llu/%llu %llu/%llu/%llu\n",
+        seq_printf(m, " %08x %ld/%ld/%ld %ld/%ld/%ld\n",
                   tunnel->debug,
-                   (unsigned long long)tunnel->stats.tx_packets,
+                   atomic_long_read(&tunnel->stats.tx_packets),
-                   (unsigned long long)tunnel->stats.tx_bytes,
+                   atomic_long_read(&tunnel->stats.tx_bytes),
-                   (unsigned long long)tunnel->stats.tx_errors,
+                   atomic_long_read(&tunnel->stats.tx_errors),
-                   (unsigned long long)tunnel->stats.rx_packets,
+                   atomic_long_read(&tunnel->stats.rx_packets),
-                   (unsigned long long)tunnel->stats.rx_bytes,
+                   atomic_long_read(&tunnel->stats.rx_bytes),
-                   (unsigned long long)tunnel->stats.rx_errors);
+                   atomic_long_read(&tunnel->stats.rx_errors));
 }
 static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
@@ -1708,14 +1669,14 @@ static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
                   session->lns_mode ? "LNS" : "LAC",
                   session->debug,
                   jiffies_to_msecs(session->reorder_timeout));
-        seq_printf(m, "   %hu/%hu %llu/%llu/%llu %llu/%llu/%llu\n",
+        seq_printf(m, "   %hu/%hu %ld/%ld/%ld %ld/%ld/%ld\n",
                   session->nr, session->ns,
-                   (unsigned long long)session->stats.tx_packets,
+                   atomic_long_read(&session->stats.tx_packets),
-                   (unsigned long long)session->stats.tx_bytes,
+                   atomic_long_read(&session->stats.tx_bytes),
-                   (unsigned long long)session->stats.tx_errors,
+                   atomic_long_read(&session->stats.tx_errors),
-                   (unsigned long long)session->stats.rx_packets,
+                   atomic_long_read(&session->stats.rx_packets),
-                   (unsigned long long)session->stats.rx_bytes,
+                   atomic_long_read(&session->stats.rx_bytes),
-                   (unsigned long long)session->stats.rx_errors);
+                   atomic_long_read(&session->stats.rx_errors));
        if (po)
                seq_printf(m, "   interface %s\n", ppp_dev_name(&po->chan));
@@ -1839,7 +1800,7 @@ static const struct pppox_proto pppol2tp_proto = {
 static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
        .session_create = pppol2tp_session_create,
-        .session_delete = pppol2tp_session_delete,
+        .session_delete = l2tp_session_delete,
 };
 #endif /* CONFIG_L2TP_V3 */
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 47edf5a40a59..61f49d241712 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1394,10 +1394,8 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                        skb_reset_network_header(skb);
                        IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
                                &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
-                        rcu_read_lock();
                        ipv4_update_pmtu(skb, dev_net(skb->dev),
                                         mtu, 0, 0, 0, 0);
-                        rcu_read_unlock();
                        /* Client uses PMTUD? */
                        if (!(cih->frag_off & htons(IP_DF)))
                                goto ignore_ipip;
@@ -1577,7 +1575,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        ip_vs_fill_iph_skb(af, skb, &iph);
@@ -1654,7 +1653,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
-        ipvs = net_ipvs(net);
        /* Check the server status */
        if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
                /* the destination server is not available */
@@ -1815,13 +1813,15 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
 {
        int r;
        struct net *net;
+        struct netns_ipvs *ipvs;
        if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
                return NF_ACCEPT;
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        return ip_vs_in_icmp(skb, &r, hooknum);
@@ -1835,6 +1835,7 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
 {
        int r;
        struct net *net;
+        struct netns_ipvs *ipvs;
        struct ip_vs_iphdr iphdr;
        ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
@@ -1843,7 +1844,8 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c68198bf9128..9e2d1cccd1eb 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1808,6 +1808,12 @@ static struct ctl_table vs_vars[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
        },
+        {
+                .procname       = "backup_only",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
 #ifdef CONFIG_IP_VS_DEBUG
        {
                .procname       = "debug_level",
@@ -3741,6 +3747,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
        tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
        ipvs->sysctl_pmtu_disc = 1;
        tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
+        tbl[idx++].data = &ipvs->sysctl_backup_only;
        ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index ae8ec6f27688..cd1d7298f7ba 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -906,7 +906,7 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
        sctp_chunkhdr_t _sctpch, *sch;
        unsigned char chunk_type;
        int event, next_state;
-        int ihl;
+        int ihl, cofs;
 #ifdef CONFIG_IP_VS_IPV6
        ihl = cp->af == AF_INET ? ip_hdrlen(skb) : sizeof(struct ipv6hdr);
@@ -914,8 +914,8 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
        ihl = ip_hdrlen(skb);
 #endif
-        sch = skb_header_pointer(skb, ihl + sizeof(sctp_sctphdr_t),
+        cofs = ihl + sizeof(sctp_sctphdr_t);
-                                sizeof(_sctpch), &_sctpch);
+        sch = skb_header_pointer(skb, cofs, sizeof(_sctpch), &_sctpch);
        if (sch == NULL)
                return;
@@ -933,10 +933,12 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
         */
        if ((sch->type == SCTP_CID_COOKIE_ECHO) ||
            (sch->type == SCTP_CID_COOKIE_ACK)) {
-                sch = skb_header_pointer(skb, (ihl + sizeof(sctp_sctphdr_t) +
+                int clen = ntohs(sch->length);
-                                sch->length), sizeof(_sctpch), &_sctpch);
-                if (sch) {
+                if (clen >= sizeof(sctp_chunkhdr_t)) {
-                        if (sch->type == SCTP_CID_ABORT)
+                        sch = skb_header_pointer(skb, cofs + ALIGN(clen, 4),
+                                                 sizeof(_sctpch), &_sctpch);
+                        if (sch && sch->type == SCTP_CID_ABORT)
                                chunk_type = sch->type;
                }
        }
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index a9740bd6fe54..94b4b9853f60 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -339,6 +339,13 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
 {
        const struct nf_conn_help *help;
        const struct nf_conntrack_helper *helper;
+        struct va_format vaf;
+        va_list args;
+        va_start(args, fmt);
+        vaf.fmt = fmt;
+        vaf.va = &args;
        /* Called from the helper function, this call never fails */
        help = nfct_help(ct);
@@ -347,7 +354,9 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
        helper = rcu_dereference(help->helper);
        nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
-                      "nf_ct_%s: dropping packet: %s ", helper->name, fmt);
+                      "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf);
+        va_end(args);
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_log);
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 432f95780003..ba65b2041eb4 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -969,6 +969,10 @@ static int __init nf_conntrack_proto_dccp_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&dccp_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&dccp_proto4);
        if (ret < 0)
                goto out_dccp4;
@@ -977,16 +981,12 @@ static int __init nf_conntrack_proto_dccp_init(void)
        if (ret < 0)
                goto out_dccp6;
-        ret = register_pernet_subsys(&dccp_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&dccp_proto6);
 out_dccp6:
        nf_ct_l4proto_unregister(&dccp_proto4);
 out_dccp4:
+        unregister_pernet_subsys(&dccp_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index bd7d01d9c7e7..155ce9f8a0db 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -420,18 +420,18 @@ static int __init nf_ct_proto_gre_init(void)
 {
        int ret;
-        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
-        if (ret < 0)
-                goto out_gre4;
        ret = register_pernet_subsys(&proto_gre_net_ops);
        if (ret < 0)
                goto out_pernet;
+        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
+        if (ret < 0)
+                goto out_gre4;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_gre4);
 out_gre4:
+        unregister_pernet_subsys(&proto_gre_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 480f616d5936..ec83536def9a 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -888,6 +888,10 @@ static int __init nf_conntrack_proto_sctp_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&sctp_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
        if (ret < 0)
                goto out_sctp4;
@@ -896,16 +900,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
        if (ret < 0)
                goto out_sctp6;
-        ret = register_pernet_subsys(&sctp_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
 out_sctp6:
        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 out_sctp4:
+        unregister_pernet_subsys(&sctp_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 157489581c31..ca969f6273f7 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -371,6 +371,10 @@ static int __init nf_conntrack_proto_udplite_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&udplite_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite4);
        if (ret < 0)
                goto out_udplite4;
@@ -379,16 +383,12 @@ static int __init nf_conntrack_proto_udplite_init(void)
        if (ret < 0)
                goto out_udplite6;
-        ret = register_pernet_subsys(&udplite_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
 out_udplite6:
        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
 out_udplite4:
+        unregister_pernet_subsys(&udplite_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index d578ec251712..0b1b32cda307 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -62,11 +62,6 @@ void nfnl_unlock(__u8 subsys_id)
 }
 EXPORT_SYMBOL_GPL(nfnl_unlock);
-static struct mutex *nfnl_get_lock(__u8 subsys_id)
-{
-        return &table[subsys_id].mutex;
-}
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
 {
        nfnl_lock(n->subsys_id);
@@ -199,7 +194,7 @@ replay:
                        rcu_read_unlock();
                        nfnl_lock(subsys_id);
                        if (rcu_dereference_protected(table[subsys_id].subsys,
-                                lockdep_is_held(nfnl_get_lock(subsys_id))) != ss ||
+                                lockdep_is_held(&table[subsys_id].mutex)) != ss ||
                            nfnetlink_find_client(type, ss) != nc)
                                err = -EAGAIN;
                        else if (nc->call)
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 858fd52c1040..1cb48540f86a 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -112,7 +112,7 @@ instance_create(u_int16_t queue_num, int portid)
        inst->queue_num = queue_num;
        inst->peer_portid = portid;
        inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
-        inst->copy_range = 0xfffff;
+        inst->copy_range = 0xffff;
        inst->copy_mode = NFQNL_COPY_NONE;
        spin_lock_init(&inst->lock);
        INIT_LIST_HEAD(&inst->queue_list);
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index ba92824086f3..3228d7f24eb4 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -124,6 +124,9 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
        const struct xt_audit_info *info = par->targinfo;
        struct audit_buffer *ab;
+        if (audit_enabled == 0)
+                goto errout;
        ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
        if (ab == NULL)
                goto errout;
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 847d495cd4de..8a6c6ea466d8 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1189,8 +1189,6 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
        struct netlbl_unlhsh_walk_arg cb_arg;
        u32 skip_bkt = cb->args[0];
        u32 skip_chain = cb->args[1];
-        u32 skip_addr4 = cb->args[2];
-        u32 skip_addr6 = cb->args[3];
        u32 iter_bkt;
        u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0;
        struct netlbl_unlhsh_iface *iface;
@@ -1215,7 +1213,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
                                continue;
                        netlbl_af4list_foreach_rcu(addr4,
                                                   &iface->addr4_list) {
-                                if (iter_addr4++ < skip_addr4)
+                                if (iter_addr4++ < cb->args[2])
                                        continue;
                                if (netlbl_unlabel_staticlist_gen(
                                              NLBL_UNLABEL_C_STATICLIST,
@@ -1231,7 +1229,7 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
 #if IS_ENABLED(CONFIG_IPV6)
                        netlbl_af6list_foreach_rcu(addr6,
                                                   &iface->addr6_list) {
-                                if (iter_addr6++ < skip_addr6)
+                                if (iter_addr6++ < cb->args[3])
                                        continue;
                                if (netlbl_unlabel_staticlist_gen(
                                              NLBL_UNLABEL_C_STATICLIST,
@@ -1250,10 +1248,10 @@ static int netlbl_unlabel_staticlist(struct sk_buff *skb,
 unlabel_staticlist_return:
        rcu_read_unlock();
-        cb->args[0] = skip_bkt;
+        cb->args[0] = iter_bkt;
-        cb->args[1] = skip_chain;
+        cb->args[1] = iter_chain;
-        cb->args[2] = skip_addr4;
+        cb->args[2] = iter_addr4;
-        cb->args[3] = skip_addr6;
+        cb->args[3] = iter_addr6;
        return skb->len;
 }
@@ -1273,12 +1271,9 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
 {
        struct netlbl_unlhsh_walk_arg cb_arg;
        struct netlbl_unlhsh_iface *iface;
-        u32 skip_addr4 = cb->args[0];
+        u32 iter_addr4 = 0, iter_addr6 = 0;
-        u32 skip_addr6 = cb->args[1];
-        u32 iter_addr4 = 0;
        struct netlbl_af4list *addr4;
 #if IS_ENABLED(CONFIG_IPV6)
-        u32 iter_addr6 = 0;
        struct netlbl_af6list *addr6;
 #endif
@@ -1292,7 +1287,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
                goto unlabel_staticlistdef_return;
        netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) {
-                if (iter_addr4++ < skip_addr4)
+                if (iter_addr4++ < cb->args[0])
                        continue;
                if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
                                              iface,
@@ -1305,7 +1300,7 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
        }
 #if IS_ENABLED(CONFIG_IPV6)
        netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) {
-                if (iter_addr6++ < skip_addr6)
+                if (iter_addr6++ < cb->args[1])
                        continue;
                if (netlbl_unlabel_staticlist_gen(NLBL_UNLABEL_C_STATICLISTDEF,
                                              iface,
@@ -1320,8 +1315,8 @@ static int netlbl_unlabel_staticlistdef(struct sk_buff *skb,
 unlabel_staticlistdef_return:
        rcu_read_unlock();
-        cb->args[0] = skip_addr4;
+        cb->args[0] = iter_addr4;
-        cb->args[1] = skip_addr6;
+        cb->args[1] = iter_addr6;
        return skb->len;
 }
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index f2aabb6f4105..5a55be3f17a5 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -142,6 +142,7 @@ int genl_register_mc_group(struct genl_family *family,
        int err = 0;
        BUG_ON(grp->name[0] == '\0');
+        BUG_ON(memchr(grp->name, '\0', GENL_NAMSIZ) == NULL);
        genl_lock();
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index ac2defeeba83..d4d5363c7ba7 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -58,7 +58,7 @@ static int __pop_vlan_tci(struct sk_buff *skb, __be16 *current_tci)
        if (skb->ip_summed == CHECKSUM_COMPLETE)
                skb->csum = csum_sub(skb->csum, csum_partial(skb->data
-                                        + ETH_HLEN, VLAN_HLEN, 0));
+                                        + (2 * ETH_ALEN), VLAN_HLEN, 0));
        vhdr = (struct vlan_hdr *)(skb->data + ETH_HLEN);
        *current_tci = vhdr->h_vlan_TCI;
@@ -115,7 +115,7 @@ static int push_vlan(struct sk_buff *skb, const struct ovs_action_push_vlan *vla
                if (skb->ip_summed == CHECKSUM_COMPLETE)
                        skb->csum = csum_add(skb->csum, csum_partial(skb->data
-                                        + ETH_HLEN, VLAN_HLEN, 0));
+                                        + (2 * ETH_ALEN), VLAN_HLEN, 0));
        }
        __vlan_hwaccel_put_tag(skb, ntohs(vlan->vlan_tci) & ~VLAN_TAG_PRESENT);
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index e87a26506dba..a4b724708a1a 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -394,6 +394,7 @@ static int queue_userspace_packet(struct net *net, int dp_ifindex,
        skb_copy_and_csum_dev(skb, nla_data(nla));
+        genlmsg_end(user_skb, upcall);
        err = genlmsg_unicast(net, user_skb, upcall_info->portid);
 out:
@@ -1690,6 +1691,7 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info)
        if (IS_ERR(vport))
                goto exit_unlock;
+        err = 0;
        reply = ovs_vport_cmd_build_info(vport, info->snd_portid, info->snd_seq,
                                         OVS_VPORT_CMD_NEW);
        if (IS_ERR(reply)) {
@@ -1771,6 +1773,7 @@ static int ovs_vport_cmd_del(struct sk_buff *skb, struct genl_info *info)
        if (IS_ERR(reply))
                goto exit_unlock;
+        err = 0;
        ovs_dp_detach_port(vport);
        genl_notify(reply, genl_info_net(info), info->snd_portid,
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 20605ecf100b..fe0e4215c73d 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -482,7 +482,11 @@ static __be16 parse_ethertype(struct sk_buff *skb)
                return htons(ETH_P_802_2);
        __skb_pull(skb, sizeof(struct llc_snap_hdr));
-        return llc->ethertype;
+        if (ntohs(llc->ethertype) >= 1536)
+                return llc->ethertype;
+        return htons(ETH_P_802_2);
 }
 static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key,
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 670cbc3518de..2130d61c384a 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -43,8 +43,7 @@ static void netdev_port_receive(struct vport *vport, struct sk_buff *skb)
        /* Make our own copy of the packet.  Otherwise we will mangle the
         * packet for anyone who came before us (e.g. tcpdump via AF_PACKET).
-         * (No one comes after us, since we tell handle_bridge() that we took
+         */
-         * the packet.) */
        skb = skb_share_check(skb, GFP_ATOMIC);
        if (unlikely(!skb))
                return;
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index ba717cc038b3..f6b8132ce4cb 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -325,8 +325,7 @@ int ovs_vport_get_options(const struct vport *vport, struct sk_buff *skb)
 * @skb: skb that was received
 *
 * Must be called with rcu_read_lock.  The packet cannot be shared and
- * skb->data should point to the Ethernet header.  The caller must have already
+ * skb->data should point to the Ethernet header.
- * called compute_ip_summed() to initialize the checksumming fields.
 */
 void ovs_vport_receive(struct vport *vport, struct sk_buff *skb)
 {
diff --git a/net/rds/stats.c b/net/rds/stats.c
index 7be790d60b90..73be187d389e 100644
--- a/net/rds/stats.c
+++ b/net/rds/stats.c
@@ -87,6 +87,7 @@ void rds_stats_info_copy(struct rds_info_iterator *iter,
        for (i = 0; i < nr; i++) {
                BUG_ON(strlen(names[i]) >= sizeof(ctr.name));
                strncpy(ctr.name, names[i], sizeof(ctr.name) - 1);
+                ctr.name[sizeof(ctr.name) - 1] = '\0';
                ctr.value = values[i];
                rds_info_copy(iter, &ctr, sizeof(ctr));
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 43cd0dd9149d..d2709e2b7be6 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1079,7 +1079,7 @@ struct sctp_transport *sctp_assoc_lookup_tsn(struct sctp_association *asoc,
                        transports) {
                if (transport == active)
-                        break;
+                        continue;
                list_for_each_entry(chunk, &transport->transmitted,
                                transmitted_list) {
                        if (key == chunk->subh.data_hdr->tsn) {
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 5131fcfedb03..de1a0138317f 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2082,7 +2082,7 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
        }
        /* Delete the tempory new association. */
-        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_ASOC, SCTP_ASOC(new_asoc));
        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
        /* Restore association pointer to provide SCTP command interpeter
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index f7d34e7b6f81..5ead60550895 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -447,17 +447,21 @@ static int rsc_parse(struct cache_detail *cd,
        else {
                int N, i;
+                /*
+                 * NOTE: we skip uid_valid()/gid_valid() checks here:
+                 * instead, * -1 id's are later mapped to the
+                 * (export-specific) anonymous id by nfsd_setuser.
+                 *
+                 * (But supplementary gid's get no such special
+                 * treatment so are checked for validity here.)
+                 */
                /* uid */
                rsci.cred.cr_uid = make_kuid(&init_user_ns, id);
-                if (!uid_valid(rsci.cred.cr_uid))
-                        goto out;
                /* gid */
                if (get_int(&mesg, &id))
                        goto out;
                rsci.cred.cr_gid = make_kgid(&init_user_ns, id);
-                if (!gid_valid(rsci.cred.cr_gid))
-                        goto out;
                /* number of additional gid's */
                if (get_int(&mesg, &N))
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index 7b9b40224a27..a9129f8d7070 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -1174,6 +1174,8 @@ static struct file_system_type rpc_pipe_fs_type = {
        .mount          = rpc_mount,
        .kill_sb        = rpc_kill_sb,
 };
+MODULE_ALIAS_FS("rpc_pipefs");
+MODULE_ALIAS("rpc_pipefs");
 static void
 init_once(void *foo)
@@ -1218,6 +1220,3 @@ void unregister_rpc_pipefs(void)
        kmem_cache_destroy(rpc_inode_cachep);
        unregister_filesystem(&rpc_pipe_fs_type);
 }
-/* Make 'mount -t rpc_pipefs ...' autoload this module. */
-MODULE_ALIAS("rpc_pipefs");
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index c1d8476b7692..3d02130828da 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -849,6 +849,14 @@ static void xs_tcp_close(struct rpc_xprt *xprt)
                xs_tcp_shutdown(xprt);
 }
+static void xs_local_destroy(struct rpc_xprt *xprt)
+{
+        xs_close(xprt);
+        xs_free_peer_addresses(xprt);
+        xprt_free(xprt);
+        module_put(THIS_MODULE);
+}
 /**
 * xs_destroy - prepare to shutdown a transport
 * @xprt: doomed transport
@@ -862,10 +870,7 @@ static void xs_destroy(struct rpc_xprt *xprt)
        cancel_delayed_work_sync(&transport->connect_worker);
-        xs_close(xprt);
+        xs_local_destroy(xprt);
-        xs_free_peer_addresses(xprt);
-        xprt_free(xprt);
-        module_put(THIS_MODULE);
 }
 static inline struct rpc_xprt *xprt_from_sock(struct sock *sk)
@@ -2482,7 +2487,7 @@ static struct rpc_xprt_ops xs_local_ops = {
        .send_request           = xs_local_send_request,
        .set_retrans_timeout    = xprt_set_retrans_timeout_def,
        .close                  = xs_close,
-        .destroy                = xs_destroy,
+        .destroy                = xs_local_destroy,
        .print_stats            = xs_local_print_stats,
 };