74 files changed, 732 insertions, 294 deletions

diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 4a78c4de9f20..6ee48aac776f 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -91,7 +91,12 @@ EXPORT_SYMBOL(__vlan_find_dev_deep);
 
 struct net_device *vlan_dev_real_dev(const struct net_device *dev)
 {
-        return vlan_dev_priv(dev)->real_dev;
+        struct net_device *ret = vlan_dev_priv(dev)->real_dev;
+
+        while (is_vlan_dev(ret))
+                ret = vlan_dev_priv(ret)->real_dev;
+
+        return ret;
 }
 EXPORT_SYMBOL(vlan_dev_real_dev);
 
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index e14531f1ce1c..264de88db320 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1529,6 +1529,8 @@ out:
  * in these cases, the skb is further handled by this function and
  * returns 1, otherwise it returns 0 and the caller shall further
  * process the skb.
+ *
+ * This call might reallocate skb data.
  */
 int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
                   unsigned short vid)
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index f105219f4a4b..7614af31daff 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -508,6 +508,7 @@ out:
         return 0;
 }
 
+/* this call might reallocate skb data */
 static bool batadv_is_type_dhcprequest(struct sk_buff *skb, int header_len)
 {
         int ret = false;
@@ -568,6 +569,7 @@ out:
         return ret;
 }
 
+/* this call might reallocate skb data */
 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
 {
         struct ethhdr *ethhdr;
@@ -619,6 +621,12 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
 
         if (!pskb_may_pull(skb, *header_len + sizeof(*udphdr)))
                 return false;
+
+        /* skb->data might have been reallocated by pskb_may_pull() */
+        ethhdr = (struct ethhdr *)skb->data;
+        if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
+                ethhdr = (struct ethhdr *)(skb->data + VLAN_HLEN);
+
         udphdr = (struct udphdr *)(skb->data + *header_len);
         *header_len += sizeof(*udphdr);
 
@@ -634,12 +642,14 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
         return true;
 }
 
+/* this call might reallocate skb data */
 bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
-                            struct sk_buff *skb, struct ethhdr *ethhdr)
+                            struct sk_buff *skb)
 {
         struct batadv_neigh_node *neigh_curr = NULL, *neigh_old = NULL;
         struct batadv_orig_node *orig_dst_node = NULL;
         struct batadv_gw_node *curr_gw = NULL;
+        struct ethhdr *ethhdr;
         bool ret, out_of_range = false;
         unsigned int header_len = 0;
         uint8_t curr_tq_avg;
@@ -648,6 +658,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
         if (!ret)
                 goto out;
 
+        ethhdr = (struct ethhdr *)skb->data;
         orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
                                                  ethhdr->h_dest);
         if (!orig_dst_node)
diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
index 039902dca4a6..1037d75da51f 100644
--- a/net/batman-adv/gateway_client.h
+++ b/net/batman-adv/gateway_client.h
@@ -34,7 +34,6 @@ void batadv_gw_node_delete(struct batadv_priv *bat_priv,
 void batadv_gw_node_purge(struct batadv_priv *bat_priv);
 int batadv_gw_client_seq_print_text(struct seq_file *seq, void *offset);
 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len);
-bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
-                            struct sk_buff *skb, struct ethhdr *ethhdr);
+bool batadv_gw_out_of_range(struct batadv_priv *bat_priv, struct sk_buff *skb);
 
 #endif /* _NET_BATMAN_ADV_GATEWAY_CLIENT_H_ */
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 700d0b49742d..0f04e1c302b4 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -180,6 +180,9 @@ static int batadv_interface_tx(struct sk_buff *skb,
         if (batadv_bla_tx(bat_priv, skb, vid))
                 goto dropped;
 
+        /* skb->data might have been reallocated by batadv_bla_tx() */
+        ethhdr = (struct ethhdr *)skb->data;
+
         /* Register the client MAC in the transtable */
         if (!is_multicast_ether_addr(ethhdr->h_source))
                 batadv_tt_local_add(soft_iface, ethhdr->h_source, skb->skb_iif);
@@ -220,6 +223,10 @@ static int batadv_interface_tx(struct sk_buff *skb,
                 default:
                         break;
                 }
+
+                /* reminder: ethhdr might have become unusable from here on
+                 * (batadv_gw_is_dhcp_target() might have reallocated skb data)
+                 */
         }
 
         /* ethernet packet should be broadcasted */
@@ -266,7 +273,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
         /* unicast packet */
         } else {
                 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_OFF) {
-                        ret = batadv_gw_out_of_range(bat_priv, skb, ethhdr);
+                        ret = batadv_gw_out_of_range(bat_priv, skb);
                         if (ret)
                                 goto dropped;
                 }
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index dc8b5d4dd636..857e1b8349ee 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -326,7 +326,9 @@ static bool batadv_unicast_push_and_fill_skb(struct sk_buff *skb, int hdr_size,
  * @skb: the skb containing the payload to encapsulate
  * @orig_node: the destination node
  *
- * Returns false if the payload could not be encapsulated or true otherwise
+ * Returns false if the payload could not be encapsulated or true otherwise.
+ *
+ * This call might reallocate skb data.
  */
 static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
                                        struct batadv_orig_node *orig_node)
@@ -343,7 +345,9 @@ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
  * @orig_node: the destination node
  * @packet_subtype: the batman 4addr packet subtype to use
  *
- * Returns false if the payload could not be encapsulated or true otherwise
+ * Returns false if the payload could not be encapsulated or true otherwise.
+ *
+ * This call might reallocate skb data.
  */
 bool batadv_unicast_4addr_prepare_skb(struct batadv_priv *bat_priv,
                                       struct sk_buff *skb,
@@ -401,7 +405,7 @@ int batadv_unicast_generic_send_skb(struct batadv_priv *bat_priv,
         struct batadv_neigh_node *neigh_node;
         int data_len = skb->len;
         int ret = NET_RX_DROP;
-        unsigned int dev_mtu;
+        unsigned int dev_mtu, header_len;
 
         /* get routing information */
         if (is_multicast_ether_addr(ethhdr->h_dest)) {
@@ -428,11 +432,17 @@ find_router:
 
         switch (packet_type) {
         case BATADV_UNICAST:
-                batadv_unicast_prepare_skb(skb, orig_node);
+                if (!batadv_unicast_prepare_skb(skb, orig_node))
+                        goto out;
+
+                header_len = sizeof(struct batadv_unicast_packet);
                 break;
         case BATADV_UNICAST_4ADDR:
-                batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
-                                                 packet_subtype);
+                if (!batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
+                                                      packet_subtype))
+                        goto out;
+
+                header_len = sizeof(struct batadv_unicast_4addr_packet);
                 break;
         default:
                 /* this function supports UNICAST and UNICAST_4ADDR only. It
@@ -441,6 +451,7 @@ find_router:
                 goto out;
         }
 
+        ethhdr = (struct ethhdr *)(skb->data + header_len);
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
         /* inform the destination node that we are still missing a correct route
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 69363bd37f64..89659d4ed1f9 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -71,7 +71,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 
                 mdst = br_mdb_get(br, skb, vid);
                 if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
-                    br_multicast_querier_exists(br))
+                    br_multicast_querier_exists(br, eth_hdr(skb)))
                         br_multicast_deliver(mdst, skb);
                 else
                         br_flood_deliver(br, skb, false);
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 60aca9109a50..ffd5874f2592 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -161,7 +161,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
         if (!pv)
                 return;
 
-        for_each_set_bit_from(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) {
+        for_each_set_bit_from(vid, pv->vlan_bitmap, VLAN_N_VID) {
                 f = __br_fdb_get(br, br->dev->dev_addr, vid);
                 if (f && f->is_local && !f->dst)
                         fdb_delete(br, f);
@@ -730,7 +730,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                 /* VID was specified, so use it. */
                 err = __br_fdb_add(ndm, p, addr, nlh_flags, vid);
         } else {
-                if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN)) {
+                if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID)) {
                         err = __br_fdb_add(ndm, p, addr, nlh_flags, 0);
                         goto out;
                 }
@@ -739,7 +739,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                  * specify a VLAN.  To be nice, add/update entry for every
                  * vlan on this port.
                  */
-                for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) {
+                for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) {
                         err = __br_fdb_add(ndm, p, addr, nlh_flags, vid);
                         if (err)
                                 goto out;
@@ -817,7 +817,7 @@ int br_fdb_delete(struct ndmsg *ndm, struct nlattr *tb[],
 
                 err = __br_fdb_delete(p, addr, vid);
         } else {
-                if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN)) {
+                if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID)) {
                         err = __br_fdb_delete(p, addr, 0);
                         goto out;
                 }
@@ -827,7 +827,7 @@ int br_fdb_delete(struct ndmsg *ndm, struct nlattr *tb[],
                  * vlan on this port.
                  */
                 err = -ENOENT;
-                for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) {
+                for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) {
                         err &= __br_fdb_delete(p, addr, vid);
                 }
         }
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 8c561c0aa636..a2fd37ec35f7 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -102,7 +102,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
         } else if (is_multicast_ether_addr(dest)) {
                 mdst = br_mdb_get(br, skb, vid);
                 if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
-                    br_multicast_querier_exists(br)) {
+                    br_multicast_querier_exists(br, eth_hdr(skb))) {
                         if ((mdst && mdst->mglist) ||
                             br_multicast_is_router(br))
                                 skb2 = skb;
diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
index 0daae3ec2355..6319c4333c39 100644
--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -414,16 +414,20 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
         if (!netif_running(br->dev) || br->multicast_disabled)
                 return -EINVAL;
 
-        if (timer_pending(&br->multicast_querier_timer))
-                return -EBUSY;
-
         ip.proto = entry->addr.proto;
-        if (ip.proto == htons(ETH_P_IP))
+        if (ip.proto == htons(ETH_P_IP)) {
+                if (timer_pending(&br->ip4_querier.timer))
+                        return -EBUSY;
+
                 ip.u.ip4 = entry->addr.u.ip4;
 #if IS_ENABLED(CONFIG_IPV6)
-        else
+        } else {
+                if (timer_pending(&br->ip6_querier.timer))
+                        return -EBUSY;
+
                 ip.u.ip6 = entry->addr.u.ip6;
 #endif
+        }
 
         spin_lock_bh(&br->multicast_lock);
         mdb = mlock_dereference(br->mdb, br);
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 61c5e819380e..bbcb43582496 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -33,7 +33,8 @@
 
 #include "br_private.h"
 
-static void br_multicast_start_querier(struct net_bridge *br);
+static void br_multicast_start_querier(struct net_bridge *br,
+                                       struct bridge_mcast_query *query);
 unsigned int br_mdb_rehash_seq;
 
 static inline int br_ip_equal(const struct br_ip *a, const struct br_ip *b)
@@ -755,20 +756,35 @@ static void br_multicast_local_router_expired(unsigned long data)
 {
 }
 
-static void br_multicast_querier_expired(unsigned long data)
+static void br_multicast_querier_expired(struct net_bridge *br,
+                                         struct bridge_mcast_query *query)
 {
-        struct net_bridge *br = (void *)data;
-
         spin_lock(&br->multicast_lock);
         if (!netif_running(br->dev) || br->multicast_disabled)
                 goto out;
 
-        br_multicast_start_querier(br);
+        br_multicast_start_querier(br, query);
 
 out:
         spin_unlock(&br->multicast_lock);
 }
 
+static void br_ip4_multicast_querier_expired(unsigned long data)
+{
+        struct net_bridge *br = (void *)data;
+
+        br_multicast_querier_expired(br, &br->ip4_query);
+}
+
+#if IS_ENABLED(CONFIG_IPV6)
+static void br_ip6_multicast_querier_expired(unsigned long data)
+{
+        struct net_bridge *br = (void *)data;
+
+        br_multicast_querier_expired(br, &br->ip6_query);
+}
+#endif
+
 static void __br_multicast_send_query(struct net_bridge *br,
                                       struct net_bridge_port *port,
                                       struct br_ip *ip)
@@ -789,37 +805,45 @@ static void __br_multicast_send_query(struct net_bridge *br,
 }
 
 static void br_multicast_send_query(struct net_bridge *br,
-                                    struct net_bridge_port *port, u32 sent)
+                                    struct net_bridge_port *port,
+                                    struct bridge_mcast_query *query)
 {
         unsigned long time;
         struct br_ip br_group;
+        struct bridge_mcast_querier *querier = NULL;
 
         if (!netif_running(br->dev) || br->multicast_disabled ||
-            !br->multicast_querier ||
-            timer_pending(&br->multicast_querier_timer))
+            !br->multicast_querier)
                 return;
 
         memset(&br_group.u, 0, sizeof(br_group.u));
 
-        br_group.proto = htons(ETH_P_IP);
-        __br_multicast_send_query(br, port, &br_group);
-
+        if (port ? (query == &port->ip4_query) :
+                   (query == &br->ip4_query)) {
+                querier = &br->ip4_querier;
+                br_group.proto = htons(ETH_P_IP);
 #if IS_ENABLED(CONFIG_IPV6)
-        br_group.proto = htons(ETH_P_IPV6);
-        __br_multicast_send_query(br, port, &br_group);
+        } else {
+                querier = &br->ip6_querier;
+                br_group.proto = htons(ETH_P_IPV6);
 #endif
+        }
+
+        if (!querier || timer_pending(&querier->timer))
+                return;
+
+        __br_multicast_send_query(br, port, &br_group);
 
         time = jiffies;
-        time += sent < br->multicast_startup_query_count ?
+        time += query->startup_sent < br->multicast_startup_query_count ?
                 br->multicast_startup_query_interval :
                 br->multicast_query_interval;
-        mod_timer(port ? &port->multicast_query_timer :
-                         &br->multicast_query_timer, time);
+        mod_timer(&query->timer, time);
 }
 
-static void br_multicast_port_query_expired(unsigned long data)
+static void br_multicast_port_query_expired(struct net_bridge_port *port,
+                                            struct bridge_mcast_query *query)
 {
-        struct net_bridge_port *port = (void *)data;
         struct net_bridge *br = port->br;
 
         spin_lock(&br->multicast_lock);
@@ -827,25 +851,43 @@ static void br_multicast_port_query_expired(unsigned long data)
             port->state == BR_STATE_BLOCKING)
                 goto out;
 
-        if (port->multicast_startup_queries_sent <
-            br->multicast_startup_query_count)
-                port->multicast_startup_queries_sent++;
+        if (query->startup_sent < br->multicast_startup_query_count)
+                query->startup_sent++;
 
-        br_multicast_send_query(port->br, port,
-                                port->multicast_startup_queries_sent);
+        br_multicast_send_query(port->br, port, query);
 
 out:
         spin_unlock(&br->multicast_lock);
 }
 
+static void br_ip4_multicast_port_query_expired(unsigned long data)
+{
+        struct net_bridge_port *port = (void *)data;
+
+        br_multicast_port_query_expired(port, &port->ip4_query);
+}
+
+#if IS_ENABLED(CONFIG_IPV6)
+static void br_ip6_multicast_port_query_expired(unsigned long data)
+{
+        struct net_bridge_port *port = (void *)data;
+
+        br_multicast_port_query_expired(port, &port->ip6_query);
+}
+#endif
+
 void br_multicast_add_port(struct net_bridge_port *port)
 {
         port->multicast_router = 1;
 
         setup_timer(&port->multicast_router_timer, br_multicast_router_expired,
                     (unsigned long)port);
-        setup_timer(&port->multicast_query_timer,
-                    br_multicast_port_query_expired, (unsigned long)port);
+        setup_timer(&port->ip4_query.timer, br_ip4_multicast_port_query_expired,
+                    (unsigned long)port);
+#if IS_ENABLED(CONFIG_IPV6)
+        setup_timer(&port->ip6_query.timer, br_ip6_multicast_port_query_expired,
+                    (unsigned long)port);
+#endif
 }
 
 void br_multicast_del_port(struct net_bridge_port *port)
@@ -853,13 +895,13 @@ void br_multicast_del_port(struct net_bridge_port *port)
         del_timer_sync(&port->multicast_router_timer);
 }
 
-static void __br_multicast_enable_port(struct net_bridge_port *port)
+static void br_multicast_enable(struct bridge_mcast_query *query)
 {
-        port->multicast_startup_queries_sent = 0;
+        query->startup_sent = 0;
 
-        if (try_to_del_timer_sync(&port->multicast_query_timer) >= 0 ||
-            del_timer(&port->multicast_query_timer))
-                mod_timer(&port->multicast_query_timer, jiffies);
+        if (try_to_del_timer_sync(&query->timer) >= 0 ||
+            del_timer(&query->timer))
+                mod_timer(&query->timer, jiffies);
 }
 
 void br_multicast_enable_port(struct net_bridge_port *port)
@@ -870,7 +912,10 @@ void br_multicast_enable_port(struct net_bridge_port *port)
         if (br->multicast_disabled || !netif_running(br->dev))
                 goto out;
 
-        __br_multicast_enable_port(port);
+        br_multicast_enable(&port->ip4_query);
+#if IS_ENABLED(CONFIG_IPV6)
+        br_multicast_enable(&port->ip6_query);
+#endif
 
 out:
         spin_unlock(&br->multicast_lock);
@@ -889,7 +934,10 @@ void br_multicast_disable_port(struct net_bridge_port *port)
         if (!hlist_unhashed(&port->rlist))
                 hlist_del_init_rcu(&port->rlist);
         del_timer(&port->multicast_router_timer);
-        del_timer(&port->multicast_query_timer);
+        del_timer(&port->ip4_query.timer);
+#if IS_ENABLED(CONFIG_IPV6)
+        del_timer(&port->ip6_query.timer);
+#endif
         spin_unlock(&br->multicast_lock);
 }
 
@@ -1014,14 +1062,15 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br,
 }
 #endif
 
-static void br_multicast_update_querier_timer(struct net_bridge *br,
-                                              unsigned long max_delay)
+static void
+br_multicast_update_querier_timer(struct net_bridge *br,
+                                  struct bridge_mcast_querier *querier,
+                                  unsigned long max_delay)
 {
-        if (!timer_pending(&br->multicast_querier_timer))
-                br->multicast_querier_delay_time = jiffies + max_delay;
+        if (!timer_pending(&querier->timer))
+                querier->delay_time = jiffies + max_delay;
 
-        mod_timer(&br->multicast_querier_timer,
-                  jiffies + br->multicast_querier_interval);
+        mod_timer(&querier->timer, jiffies + br->multicast_querier_interval);
 }
 
 /*
@@ -1074,12 +1123,13 @@ timer:
 
 static void br_multicast_query_received(struct net_bridge *br,
                                         struct net_bridge_port *port,
+                                        struct bridge_mcast_querier *querier,
                                         int saddr,
                                         unsigned long max_delay)
 {
         if (saddr)
-                br_multicast_update_querier_timer(br, max_delay);
-        else if (timer_pending(&br->multicast_querier_timer))
+                br_multicast_update_querier_timer(br, querier, max_delay);
+        else if (timer_pending(&querier->timer))
                 return;
 
         br_multicast_mark_router(br, port);
@@ -1129,7 +1179,8 @@ static int br_ip4_multicast_query(struct net_bridge *br,
                             IGMPV3_MRC(ih3->code) * (HZ / IGMP_TIMER_SCALE) : 1;
         }
 
-        br_multicast_query_received(br, port, !!iph->saddr, max_delay);
+        br_multicast_query_received(br, port, &br->ip4_querier, !!iph->saddr,
+                                    max_delay);
 
         if (!group)
                 goto out;
@@ -1195,7 +1246,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                 max_delay = msecs_to_jiffies(ntohs(mld->mld_maxdelay));
                 if (max_delay)
                         group = &mld->mld_mca;
-        } else if (skb->len >= sizeof(*mld2q)) {
+        } else {
                 if (!pskb_may_pull(skb, sizeof(*mld2q))) {
                         err = -EINVAL;
                         goto out;
@@ -1203,11 +1254,12 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                 mld2q = (struct mld2_query *)icmp6_hdr(skb);
                 if (!mld2q->mld2q_nsrcs)
                         group = &mld2q->mld2q_mca;
-                max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(ntohs(mld2q->mld2q_mrc)) : 1;
+
+                max_delay = max(msecs_to_jiffies(MLDV2_MRC(ntohs(mld2q->mld2q_mrc))), 1UL);
         }
 
-        br_multicast_query_received(br, port, !ipv6_addr_any(&ip6h->saddr),
-                                    max_delay);
+        br_multicast_query_received(br, port, &br->ip6_querier,
+                                    !ipv6_addr_any(&ip6h->saddr), max_delay);
 
         if (!group)
                 goto out;
@@ -1244,7 +1296,9 @@ out:
 
 static void br_multicast_leave_group(struct net_bridge *br,
                                      struct net_bridge_port *port,
-                                     struct br_ip *group)
+                                     struct br_ip *group,
+                                     struct bridge_mcast_querier *querier,
+                                     struct bridge_mcast_query *query)
 {
         struct net_bridge_mdb_htable *mdb;
         struct net_bridge_mdb_entry *mp;
@@ -1255,7 +1309,7 @@ static void br_multicast_leave_group(struct net_bridge *br,
         spin_lock(&br->multicast_lock);
         if (!netif_running(br->dev) ||
             (port && port->state == BR_STATE_DISABLED) ||
-            timer_pending(&br->multicast_querier_timer))
+            timer_pending(&querier->timer))
                 goto out;
 
         mdb = mlock_dereference(br->mdb, br);
@@ -1263,14 +1317,13 @@ static void br_multicast_leave_group(struct net_bridge *br,
         if (!mp)
                 goto out;
 
-        if (br->multicast_querier &&
-            !timer_pending(&br->multicast_querier_timer)) {
+        if (br->multicast_querier) {
                 __br_multicast_send_query(br, port, &mp->addr);
 
                 time = jiffies + br->multicast_last_member_count *
                                  br->multicast_last_member_interval;
-                mod_timer(port ? &port->multicast_query_timer :
-                                 &br->multicast_query_timer, time);
+
+                mod_timer(&query->timer, time);
 
                 for (p = mlock_dereference(mp->ports, br);
                      p != NULL;
@@ -1323,7 +1376,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
                         mod_timer(&mp->timer, time);
                 }
         }
-
 out:
         spin_unlock(&br->multicast_lock);
 }
@@ -1334,6 +1386,8 @@ static void br_ip4_multicast_leave_group(struct net_bridge *br,
                                          __u16 vid)
 {
         struct br_ip br_group;
+        struct bridge_mcast_query *query = port ? &port->ip4_query :
+                                                  &br->ip4_query;
 
         if (ipv4_is_local_multicast(group))
                 return;
@@ -1342,7 +1396,7 @@ static void br_ip4_multicast_leave_group(struct net_bridge *br,
         br_group.proto = htons(ETH_P_IP);
         br_group.vid = vid;
 
-        br_multicast_leave_group(br, port, &br_group);
+        br_multicast_leave_group(br, port, &br_group, &br->ip4_querier, query);
 }
 
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1352,6 +1406,9 @@ static void br_ip6_multicast_leave_group(struct net_bridge *br,
                                          __u16 vid)
 {
         struct br_ip br_group;
+        struct bridge_mcast_query *query = port ? &port->ip6_query :
+                                                  &br->ip6_query;
+
 
         if (!ipv6_is_transient_multicast(group))
                 return;
@@ -1360,7 +1417,7 @@ static void br_ip6_multicast_leave_group(struct net_bridge *br,
         br_group.proto = htons(ETH_P_IPV6);
         br_group.vid = vid;
 
-        br_multicast_leave_group(br, port, &br_group);
+        br_multicast_leave_group(br, port, &br_group, &br->ip6_querier, query);
 }
 #endif
 
@@ -1622,19 +1679,32 @@ int br_multicast_rcv(struct net_bridge *br, struct net_bridge_port *port,
         return 0;
 }
 
-static void br_multicast_query_expired(unsigned long data)
+static void br_multicast_query_expired(struct net_bridge *br,
+                                       struct bridge_mcast_query *query)
+{
+        spin_lock(&br->multicast_lock);
+        if (query->startup_sent < br->multicast_startup_query_count)
+                query->startup_sent++;
+
+        br_multicast_send_query(br, NULL, query);
+        spin_unlock(&br->multicast_lock);
+}
+
+static void br_ip4_multicast_query_expired(unsigned long data)
 {
         struct net_bridge *br = (void *)data;
 
-        spin_lock(&br->multicast_lock);
-        if (br->multicast_startup_queries_sent <
-            br->multicast_startup_query_count)
-                br->multicast_startup_queries_sent++;
+        br_multicast_query_expired(br, &br->ip4_query);
+}
 
-        br_multicast_send_query(br, NULL, br->multicast_startup_queries_sent);
+#if IS_ENABLED(CONFIG_IPV6)
+static void br_ip6_multicast_query_expired(unsigned long data)
+{
+        struct net_bridge *br = (void *)data;
 
-        spin_unlock(&br->multicast_lock);
+        br_multicast_query_expired(br, &br->ip6_query);
 }
+#endif
 
 void br_multicast_init(struct net_bridge *br)
 {
@@ -1654,25 +1724,43 @@ void br_multicast_init(struct net_bridge *br)
         br->multicast_querier_interval = 255 * HZ;
         br->multicast_membership_interval = 260 * HZ;
 
-        br->multicast_querier_delay_time = 0;
+        br->ip4_querier.delay_time = 0;
+#if IS_ENABLED(CONFIG_IPV6)
+        br->ip6_querier.delay_time = 0;
+#endif
 
         spin_lock_init(&br->multicast_lock);
         setup_timer(&br->multicast_router_timer,
                     br_multicast_local_router_expired, 0);
-        setup_timer(&br->multicast_querier_timer,
-                    br_multicast_querier_expired, (unsigned long)br);
-        setup_timer(&br->multicast_query_timer, br_multicast_query_expired,
+        setup_timer(&br->ip4_querier.timer, br_ip4_multicast_querier_expired,
+                    (unsigned long)br);
+        setup_timer(&br->ip4_query.timer, br_ip4_multicast_query_expired,
                     (unsigned long)br);
+#if IS_ENABLED(CONFIG_IPV6)
+        setup_timer(&br->ip6_querier.timer, br_ip6_multicast_querier_expired,
+                    (unsigned long)br);
+        setup_timer(&br->ip6_query.timer, br_ip6_multicast_query_expired,
+                    (unsigned long)br);
+#endif
 }
 
-void br_multicast_open(struct net_bridge *br)
+static void __br_multicast_open(struct net_bridge *br,
+                                struct bridge_mcast_query *query)
 {
-        br->multicast_startup_queries_sent = 0;
+        query->startup_sent = 0;
 
         if (br->multicast_disabled)
                 return;
 
-        mod_timer(&br->multicast_query_timer, jiffies);
+        mod_timer(&query->timer, jiffies);
+}
+
+void br_multicast_open(struct net_bridge *br)
+{
+        __br_multicast_open(br, &br->ip4_query);
+#if IS_ENABLED(CONFIG_IPV6)
+        __br_multicast_open(br, &br->ip6_query);
+#endif
 }
 
 void br_multicast_stop(struct net_bridge *br)
@@ -1684,8 +1772,12 @@ void br_multicast_stop(struct net_bridge *br)
         int i;
 
         del_timer_sync(&br->multicast_router_timer);
-        del_timer_sync(&br->multicast_querier_timer);
-        del_timer_sync(&br->multicast_query_timer);
+        del_timer_sync(&br->ip4_querier.timer);
+        del_timer_sync(&br->ip4_query.timer);
+#if IS_ENABLED(CONFIG_IPV6)
+        del_timer_sync(&br->ip6_querier.timer);
+        del_timer_sync(&br->ip6_query.timer);
+#endif
 
         spin_lock_bh(&br->multicast_lock);
         mdb = mlock_dereference(br->mdb, br);
@@ -1788,18 +1880,24 @@ unlock:
         return err;
 }
 
-static void br_multicast_start_querier(struct net_bridge *br)
+static void br_multicast_start_querier(struct net_bridge *br,
+                                       struct bridge_mcast_query *query)
 {
         struct net_bridge_port *port;
 
-        br_multicast_open(br);
+        __br_multicast_open(br, query);
 
         list_for_each_entry(port, &br->port_list, list) {
                 if (port->state == BR_STATE_DISABLED ||
                     port->state == BR_STATE_BLOCKING)
                         continue;
 
-                __br_multicast_enable_port(port);
+                if (query == &br->ip4_query)
+                        br_multicast_enable(&port->ip4_query);
+#if IS_ENABLED(CONFIG_IPV6)
+                else
+                        br_multicast_enable(&port->ip6_query);
+#endif
         }
 }
 
@@ -1834,7 +1932,10 @@ rollback:
                         goto rollback;
         }
 
-        br_multicast_start_querier(br);
+        br_multicast_start_querier(br, &br->ip4_query);
+#if IS_ENABLED(CONFIG_IPV6)
+        br_multicast_start_querier(br, &br->ip6_query);
+#endif
 
 unlock:
         spin_unlock_bh(&br->multicast_lock);
@@ -1857,10 +1958,18 @@ int br_multicast_set_querier(struct net_bridge *br, unsigned long val)
                 goto unlock;
 
         max_delay = br->multicast_query_response_interval;
-        if (!timer_pending(&br->multicast_querier_timer))
-                br->multicast_querier_delay_time = jiffies + max_delay;
 
-        br_multicast_start_querier(br);
+        if (!timer_pending(&br->ip4_querier.timer))
+                br->ip4_querier.delay_time = jiffies + max_delay;
+
+        br_multicast_start_querier(br, &br->ip4_query);
+
+#if IS_ENABLED(CONFIG_IPV6)
+        if (!timer_pending(&br->ip6_querier.timer))
+                br->ip6_querier.delay_time = jiffies + max_delay;
+
+        br_multicast_start_querier(br, &br->ip6_query);
+#endif
 
 unlock:
         spin_unlock_bh(&br->multicast_lock);
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 1fc30abd3a52..b9259efa636e 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -132,7 +132,7 @@ static int br_fill_ifinfo(struct sk_buff *skb,
                 else
                         pv = br_get_vlan_info(br);
 
-                if (!pv || bitmap_empty(pv->vlan_bitmap, BR_VLAN_BITMAP_LEN))
+                if (!pv || bitmap_empty(pv->vlan_bitmap, VLAN_N_VID))
                         goto done;
 
                 af = nla_nest_start(skb, IFLA_AF_SPEC);
@@ -140,7 +140,7 @@ static int br_fill_ifinfo(struct sk_buff *skb,
                         goto nla_put_failure;
 
                 pvid = br_get_pvid(pv);
-                for_each_set_bit(vid, pv->vlan_bitmap, BR_VLAN_BITMAP_LEN) {
+                for_each_set_bit(vid, pv->vlan_bitmap, VLAN_N_VID) {
                         vinfo.vid = vid;
                         vinfo.flags = 0;
                         if (vid == pvid)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 2f7da41851bf..263ba9034468 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -66,6 +66,20 @@ struct br_ip
         __u16           vid;
 };
 
+#ifdef CONFIG_BRIDGE_IGMP_SNOOPING
+/* our own querier */
+struct bridge_mcast_query {
+        struct timer_list       timer;
+        u32                     startup_sent;
+};
+
+/* other querier */
+struct bridge_mcast_querier {
+        struct timer_list               timer;
+        unsigned long                   delay_time;
+};
+#endif
+
 struct net_port_vlans {
         u16                             port_idx;
         u16                             pvid;
@@ -162,10 +176,12 @@ struct net_bridge_port
 #define BR_FLOOD                0x00000040
 
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
-        u32                             multicast_startup_queries_sent;
+        struct bridge_mcast_query       ip4_query;
+#if IS_ENABLED(CONFIG_IPV6)
+        struct bridge_mcast_query       ip6_query;
+#endif /* IS_ENABLED(CONFIG_IPV6) */
         unsigned char                   multicast_router;
         struct timer_list               multicast_router_timer;
-        struct timer_list               multicast_query_timer;
         struct hlist_head               mglist;
         struct hlist_node               rlist;
 #endif
@@ -258,7 +274,6 @@ struct net_bridge
         u32                             hash_max;
 
         u32                             multicast_last_member_count;
-        u32                             multicast_startup_queries_sent;
         u32                             multicast_startup_query_count;
 
         unsigned long                   multicast_last_member_interval;
@@ -267,15 +282,18 @@ struct net_bridge
         unsigned long                   multicast_query_interval;
         unsigned long                   multicast_query_response_interval;
         unsigned long                   multicast_startup_query_interval;
-        unsigned long                   multicast_querier_delay_time;
 
         spinlock_t                      multicast_lock;
         struct net_bridge_mdb_htable __rcu *mdb;
         struct hlist_head               router_list;
 
         struct timer_list               multicast_router_timer;
-        struct timer_list               multicast_querier_timer;
-        struct timer_list               multicast_query_timer;
+        struct bridge_mcast_querier     ip4_querier;
+        struct bridge_mcast_query       ip4_query;
+#if IS_ENABLED(CONFIG_IPV6)
+        struct bridge_mcast_querier     ip6_querier;
+        struct bridge_mcast_query       ip6_query;
+#endif /* IS_ENABLED(CONFIG_IPV6) */
 #endif
 
         struct timer_list               hello_timer;
@@ -503,11 +521,27 @@ static inline bool br_multicast_is_router(struct net_bridge *br)
                 timer_pending(&br->multicast_router_timer));
 }
 
-static inline bool br_multicast_querier_exists(struct net_bridge *br)
+static inline bool
+__br_multicast_querier_exists(struct net_bridge *br,
+                              struct bridge_mcast_querier *querier)
+{
+        return time_is_before_jiffies(querier->delay_time) &&
+               (br->multicast_querier || timer_pending(&querier->timer));
+}
+
+static inline bool br_multicast_querier_exists(struct net_bridge *br,
+                                               struct ethhdr *eth)
 {
-        return time_is_before_jiffies(br->multicast_querier_delay_time) &&
-               (br->multicast_querier ||
-                timer_pending(&br->multicast_querier_timer));
+        switch (eth->h_proto) {
+        case (htons(ETH_P_IP)):
+                return __br_multicast_querier_exists(br, &br->ip4_querier);
+#if IS_ENABLED(CONFIG_IPV6)
+        case (htons(ETH_P_IPV6)):
+                return __br_multicast_querier_exists(br, &br->ip6_querier);
+#endif
+        default:
+                return false;
+        }
 }
 #else
 static inline int br_multicast_rcv(struct net_bridge *br,
@@ -565,7 +599,8 @@ static inline bool br_multicast_is_router(struct net_bridge *br)
 {
         return 0;
 }
-static inline bool br_multicast_querier_exists(struct net_bridge *br)
+static inline bool br_multicast_querier_exists(struct net_bridge *br,
+                                               struct ethhdr *eth)
 {
         return false;
 }
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 394bb96b6087..3b9637fb7939 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -1,5 +1,5 @@
 /*
- *      Sysfs attributes of bridge ports
+ *      Sysfs attributes of bridge
  *      Linux ethernet bridge
  *
  *      Authors:
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index bd58b45f5f90..9a9ffe7e4019 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -108,7 +108,7 @@ static int __vlan_del(struct net_port_vlans *v, u16 vid)
 
         clear_bit(vid, v->vlan_bitmap);
         v->num_vlans--;
-        if (bitmap_empty(v->vlan_bitmap, BR_VLAN_BITMAP_LEN)) {
+        if (bitmap_empty(v->vlan_bitmap, VLAN_N_VID)) {
                 if (v->port_idx)
                         rcu_assign_pointer(v->parent.port->vlan_info, NULL);
                 else
@@ -122,7 +122,7 @@ static void __vlan_flush(struct net_port_vlans *v)
 {
         smp_wmb();
         v->pvid = 0;
-        bitmap_zero(v->vlan_bitmap, BR_VLAN_BITMAP_LEN);
+        bitmap_zero(v->vlan_bitmap, VLAN_N_VID);
         if (v->port_idx)
                 rcu_assign_pointer(v->parent.port->vlan_info, NULL);
         else
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 00ee068efc1c..d12e3a9a5356 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -65,6 +65,7 @@ ipv6:
                 nhoff += sizeof(struct ipv6hdr);
                 break;
         }
+        case __constant_htons(ETH_P_8021AD):
         case __constant_htons(ETH_P_8021Q): {
                 const struct vlan_hdr *vlan;
                 struct vlan_hdr _vlan;
@@ -345,14 +346,9 @@ u16 __netdev_pick_tx(struct net_device *dev, struct sk_buff *skb)
                 if (new_index < 0)
                         new_index = skb_tx_hash(dev, skb);
 
-                if (queue_index != new_index && sk) {
-                        struct dst_entry *dst =
-                                    rcu_dereference_check(sk->sk_dst_cache, 1);
-
-                        if (dst && skb_dst(skb) == dst)
-                                sk_tx_queue_set(sk, queue_index);
-
-                }
+                if (queue_index != new_index && sk &&
+                    rcu_access_pointer(sk->sk_dst_cache))
+                        sk_tx_queue_set(sk, queue_index);
 
                 queue_index = new_index;
         }
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 9232c68941ab..60533db8b72d 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1441,16 +1441,18 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
                 atomic_set(&p->refcnt, 1);
                 p->reachable_time =
                                 neigh_rand_reach_time(p->base_reachable_time);
+                dev_hold(dev);
+                p->dev = dev;
+                write_pnet(&p->net, hold_net(net));
+                p->sysctl_table = NULL;
 
                 if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) {
+                        release_net(net);
+                        dev_put(dev);
                         kfree(p);
                         return NULL;
                 }
 
-                dev_hold(dev);
-                p->dev = dev;
-                write_pnet(&p->net, hold_net(net));
-                p->sysctl_table = NULL;
                 write_lock_bh(&tbl->lock);
                 p->next         = tbl->parms.next;
                 tbl->parms.next = p;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 3de740834d1f..ca198c1d1d30 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2156,7 +2156,7 @@ int ndo_dflt_fdb_del(struct ndmsg *ndm,
         /* If aging addresses are supported device will need to
          * implement its own handler for this.
          */
-        if (ndm->ndm_state & NUD_PERMANENT) {
+        if (!(ndm->ndm_state & NUD_PERMANENT)) {
                 pr_info("%s: FDB only supports static addresses\n", dev->name);
                 return -EINVAL;
         }
@@ -2384,7 +2384,7 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
         struct nlattr *extfilt;
         u32 filter_mask = 0;
 
-        extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg),
+        extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
                                   IFLA_EXT_MASK);
         if (extfilt)
                 filter_mask = nla_get_u32(extfilt);
diff --git a/net/core/scm.c b/net/core/scm.c
index 03795d0147f2..b4da80b1cc07 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
                 return -EINVAL;
 
         if ((creds->pid == task_tgid_vnr(current) ||
-             ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
+             ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
             ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
               uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
             ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index ab3d814bc80a..109ee89f123e 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
         }
 
         return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
-                 net_adj) & ~(align - 1)) + (net_adj - 2);
+                 net_adj) & ~(align - 1)) + net_adj - 2;
 }
 
 static void esp4_err(struct sk_buff *skb, u32 info)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 108a1e9c9eac..3df6d3edb2a1 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -71,7 +71,6 @@
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/slab.h>
-#include <linux/prefetch.h>
 #include <linux/export.h>
 #include <net/net_namespace.h>
 #include <net/ip.h>
@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
                         if (!c)
                                 continue;
 
-                        if (IS_LEAF(c)) {
-                                prefetch(rcu_dereference_rtnl(p->child[idx]));
+                        if (IS_LEAF(c))
                                 return (struct leaf *) c;
-                        }
 
                         /* Rescan start scanning in new node */
                         p = (struct tnode *) c;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 1f6eab66f7ce..8d6939eeb492 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -383,7 +383,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
         if (daddr)
                 memcpy(&iph->daddr, daddr, 4);
         if (iph->daddr)
-                return t->hlen;
+                return t->hlen + sizeof(*iph);
 
         return -(t->hlen + sizeof(*iph));
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 4bcabf3ab4ca..9ee17e3d11c3 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -211,14 +211,6 @@ static inline int ip_finish_output2(struct sk_buff *skb)
         return -EINVAL;
 }
 
-static inline int ip_skb_dst_mtu(struct sk_buff *skb)
-{
-        struct inet_sock *inet = skb->sk ? inet_sk(skb->sk) : NULL;
-
-        return (inet && inet->pmtudisc == IP_PMTUDISC_PROBE) ?
-               skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
-}
-
 static int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 7167b08977df..850525b34899 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -76,9 +76,7 @@ int iptunnel_xmit(struct net *net, struct rtable *rt,
         iph->daddr      =       dst;
         iph->saddr      =       src;
         iph->ttl        =       ttl;
-        tunnel_ip_select_ident(skb,
-                               (const struct iphdr *)skb_inner_network_header(skb),
-                               &rt->dst);
+        __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
         err = ip_local_out(skb);
         if (unlikely(net_xmit_eval(err)))
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 51fc2a1dcdd3..b3ac3c3f6219 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -190,15 +190,14 @@ static int ipip_rcv(struct sk_buff *skb)
         struct ip_tunnel *tunnel;
         const struct iphdr *iph;
 
-        if (iptunnel_pull_header(skb, 0, tpi.proto))
-                goto drop;
-
         iph = ip_hdr(skb);
         tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
                         iph->saddr, iph->daddr, 0);
         if (tunnel) {
                 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
                         goto drop;
+                if (iptunnel_pull_header(skb, 0, tpi.proto))
+                        goto drop;
                 return ip_tunnel_rcv(tunnel, skb, &tpi, log_ecn_error);
         }
 
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 6577a1149a47..463bd1273346 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -273,7 +273,7 @@ static const struct snmp_mib snmp4_net_list[] = {
         SNMP_MIB_ITEM("TCPFastOpenListenOverflow", LINUX_MIB_TCPFASTOPENLISTENOVERFLOW),
         SNMP_MIB_ITEM("TCPFastOpenCookieReqd", LINUX_MIB_TCPFASTOPENCOOKIEREQD),
         SNMP_MIB_ITEM("TCPSpuriousRtxHostQueues", LINUX_MIB_TCPSPURIOUS_RTX_HOSTQUEUES),
-        SNMP_MIB_ITEM("LowLatencyRxPackets", LINUX_MIB_LOWLATENCYRXPACKETS),
+        SNMP_MIB_ITEM("BusyPollRxPackets", LINUX_MIB_BUSYPOLLRXPACKETS),
         SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index dd44e0ab600c..61e60d67adca 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -571,7 +571,8 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
         flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
                            RT_SCOPE_UNIVERSE,
                            inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-                           inet_sk_flowi_flags(sk) | FLOWI_FLAG_CAN_SLEEP,
+                           inet_sk_flowi_flags(sk) | FLOWI_FLAG_CAN_SLEEP |
+                            (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
                            daddr, saddr, 0, 0);
 
         if (!inet->hdrincl) {
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 5423223e93c2..b2f6c74861af 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1121,6 +1121,13 @@ new_segment:
                                         goto wait_for_memory;
 
                                 /*
+                                 * All packets are restored as if they have
+                                 * already been sent.
+                                 */
+                                if (tp->repair)
+                                        TCP_SKB_CB(skb)->when = tcp_time_stamp;
+
+                                /*
                                  * Check whether we can use HW checksum.
                                  */
                                 if (sk->sk_route_caps & NETIF_F_ALL_CSUM)
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index a9077f441cb2..b6ae92a51f58 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -206,8 +206,8 @@ static u32 cubic_root(u64 a)
  */
 static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
 {
-        u64 offs;
-        u32 delta, t, bic_target, max_cnt;
+        u32 delta, bic_target, max_cnt;
+        u64 offs, t;
 
         ca->ack_cnt++;  /* count the number of ACKs */
 
@@ -250,9 +250,11 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
          * if the cwnd < 1 million packets !!!
          */
 
+        t = (s32)(tcp_time_stamp - ca->epoch_start);
+        t += msecs_to_jiffies(ca->delay_min >> 3);
         /* change the unit from HZ to bictcp_HZ */
-        t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3)
-              - ca->epoch_start) << BICTCP_HZ) / HZ;
+        t <<= BICTCP_HZ;
+        do_div(t, HZ);
 
         if (t < ca->bic_K)              /* t - K */
                 offs = ca->bic_K - t;
@@ -414,7 +416,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
                 return;
 
         /* Discard delay samples right after fast recovery */
-        if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ)
+        if (ca->epoch_start && (s32)(tcp_time_stamp - ca->epoch_start) < HZ)
                 return;
 
         delay = (rtt_us << 3) / USEC_PER_MSEC;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 28af45abe062..3ca2139a130b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3535,7 +3535,10 @@ static bool tcp_parse_aligned_timestamp(struct tcp_sock *tp, const struct tcphdr
                 ++ptr;
                 tp->rx_opt.rcv_tsval = ntohl(*ptr);
                 ++ptr;
-                tp->rx_opt.rcv_tsecr = ntohl(*ptr) - tp->tsoffset;
+                if (*ptr)
+                        tp->rx_opt.rcv_tsecr = ntohl(*ptr) - tp->tsoffset;
+                else
+                        tp->rx_opt.rcv_tsecr = 0;
                 return true;
         }
         return false;
@@ -3560,7 +3563,7 @@ static bool tcp_fast_parse_options(const struct sk_buff *skb,
         }
 
         tcp_parse_options(skb, &tp->rx_opt, 1, NULL);
-        if (tp->rx_opt.saw_tstamp)
+        if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
                 tp->rx_opt.rcv_tsecr -= tp->tsoffset;
 
         return true;
@@ -5316,7 +5319,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
         int saved_clamp = tp->rx_opt.mss_clamp;
 
         tcp_parse_options(skb, &tp->rx_opt, 0, &foc);
-        if (tp->rx_opt.saw_tstamp)
+        if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
                 tp->rx_opt.rcv_tsecr -= tp->tsoffset;
 
         if (th->ack) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 92fde8d1aa82..170737a9d56d 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2670,7 +2670,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
         int tcp_header_size;
         int mss;
 
-        skb = alloc_skb(MAX_TCP_HEADER + 15, sk_gfp_atomic(sk, GFP_ATOMIC));
+        skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
         if (unlikely(!skb)) {
                 dst_release(dst);
                 return NULL;
@@ -2814,6 +2814,8 @@ void tcp_connect_init(struct sock *sk)
 
         if (likely(!tp->repair))
                 tp->rcv_nxt = 0;
+        else
+                tp->rcv_tstamp = tcp_time_stamp;
         tp->rcv_wup = tp->rcv_nxt;
         tp->copied_seq = tp->rcv_nxt;
 
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 327a617d594c..baa0f63731fd 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -21,7 +21,6 @@
 static int xfrm4_tunnel_check_size(struct sk_buff *skb)
 {
         int mtu, ret = 0;
-        struct dst_entry *dst;
 
         if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
                 goto out;
@@ -29,12 +28,10 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
         if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->local_df)
                 goto out;
 
-        dst = skb_dst(skb);
-        mtu = dst_mtu(dst);
+        mtu = dst_mtu(skb_dst(skb));
         if (skb->len > mtu) {
                 if (skb->sk)
-                        ip_local_error(skb->sk, EMSGSIZE, ip_hdr(skb)->daddr,
-                                       inet_sk(skb->sk)->inet_dport, mtu);
+                        xfrm_local_error(skb, mtu);
                 else
                         icmp_send(skb, ICMP_DEST_UNREACH,
                                   ICMP_FRAG_NEEDED, htonl(mtu));
@@ -99,3 +96,12 @@ int xfrm4_output(struct sk_buff *skb)
                             x->outer_mode->afinfo->output_finish,
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
+
+void xfrm4_local_error(struct sk_buff *skb, u32 mtu)
+{
+        struct iphdr *hdr;
+
+        hdr = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb);
+        ip_local_error(skb->sk, EMSGSIZE, hdr->daddr,
+                       inet_sk(skb->sk)->inet_dport, mtu);
+}
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 9258e751baba..0b2a0641526a 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -83,6 +83,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
         .extract_input          = xfrm4_extract_input,
         .extract_output         = xfrm4_extract_output,
         .transport_finish       = xfrm4_transport_finish,
+        .local_error            = xfrm4_local_error,
 };
 
 void __init xfrm4_state_init(void)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index da4241c8c7da..498ea99194af 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1126,12 +1126,10 @@ retry:
         if (ifp->flags & IFA_F_OPTIMISTIC)
                 addr_flags |= IFA_F_OPTIMISTIC;
 
-        ift = !max_addresses ||
-              ipv6_count_addresses(idev) < max_addresses ?
-                ipv6_add_addr(idev, &addr, NULL, tmp_plen,
-                              ipv6_addr_scope(&addr), addr_flags,
-                              tmp_valid_lft, tmp_prefered_lft) : NULL;
-        if (IS_ERR_OR_NULL(ift)) {
+        ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
+                            ipv6_addr_scope(&addr), addr_flags,
+                            tmp_valid_lft, tmp_prefered_lft);
+        if (IS_ERR(ift)) {
                 in6_ifa_put(ifp);
                 in6_dev_put(idev);
                 pr_info("%s: retry temporary address regeneration\n", __func__);
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 40ffd72243a4..aeac0dc3635d 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
                 net_adj = 0;
 
         return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
-                 net_adj) & ~(align - 1)) + (net_adj - 2);
+                 net_adj) & ~(align - 1)) + net_adj - 2;
 }
 
 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index bff3d821c7eb..c4ff5bbb45c4 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -993,14 +993,22 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
 
                         if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) {
 #ifdef CONFIG_IPV6_SUBTREES
-                                if (fn->subtree)
-                                        fn = fib6_lookup_1(fn->subtree, args + 1);
+                                if (fn->subtree) {
+                                        struct fib6_node *sfn;
+                                        sfn = fib6_lookup_1(fn->subtree,
+                                                            args + 1);
+                                        if (!sfn)
+                                                goto backtrack;
+                                        fn = sfn;
+                                }
 #endif
-                                if (!fn || fn->fn_flags & RTN_RTINFO)
+                                if (fn->fn_flags & RTN_RTINFO)
                                         return fn;
                         }
                 }
-
+#ifdef CONFIG_IPV6_SUBTREES
+backtrack:
+#endif
                 if (fn->fn_flags & RTN_ROOT)
                         break;
 
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index ecd60733e5e2..90747f1973fe 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -724,6 +724,11 @@ static netdev_tx_t ip6gre_xmit2(struct sk_buff *skb,
                 ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
         }
 
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         skb_push(skb, gre_hlen);
         skb_reset_network_header(skb);
         skb_set_transport_header(skb, sizeof(*ipv6h));
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 6e3ddf806ec2..e7ceb6c871d1 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -238,6 +238,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
         hdr->saddr = fl6->saddr;
         hdr->daddr = *first_hop;
 
+        skb->protocol = htons(ETH_P_IPV6);
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
 
@@ -1057,6 +1058,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
                 /* initialize protocol header pointer */
                 skb->transport_header = skb->network_header + fragheaderlen;
 
+                skb->protocol = htons(ETH_P_IPV6);
                 skb->ip_summed = CHECKSUM_PARTIAL;
                 skb->csum = 0;
         }
@@ -1359,6 +1361,7 @@ alloc_new_skb:
                         /*
                          *      Fill in the control structures
                          */
+                        skb->protocol = htons(ETH_P_IPV6);
                         skb->ip_summed = CHECKSUM_NONE;
                         skb->csum = 0;
                         /* reserve for fragmentation and ipsec header */
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 1e55866cead7..46ba243605a3 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1027,6 +1027,12 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
                 init_tel_txopt(&opt, encap_limit);
                 ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
         }
+
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         skb_push(skb, sizeof(struct ipv6hdr));
         skb_reset_network_header(skb);
         ipv6h = ipv6_hdr(skb);
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 79aa9652ed86..04d31c2fbef1 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1369,8 +1369,10 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
         if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
                 return;
 
-        if (!ndopts.nd_opts_rh)
+        if (!ndopts.nd_opts_rh) {
+                ip6_redirect_no_header(skb, dev_net(skb->dev), 0, 0);
                 return;
+        }
 
         hdr = (u8 *)ndopts.nd_opts_rh;
         hdr += 8;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c45f7a5c36e9..cdaed47ba932 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -628,6 +628,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
                 goto error;
         skb_reserve(skb, hlen);
 
+        skb->protocol = htons(ETH_P_IPV6);
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
         skb_dst_set(skb, &rt->dst);
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 790d9f4b8b0b..1aeb473b2cc6 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -490,6 +490,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
         ipv6_hdr(head)->payload_len = htons(payload_len);
         ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
         IP6CB(head)->nhoff = nhoff;
+        IP6CB(head)->flags |= IP6SKB_FRAGMENTED;
 
         /* Yes, and fold redundant checksum back. 8) */
         if (head->ip_summed == CHECKSUM_COMPLETE)
@@ -524,6 +525,9 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
         struct net *net = dev_net(skb_dst(skb)->dev);
         int evicted;
 
+        if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
+                goto fail_hdr;
+
         IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
 
         /* Jumbo payload inhibits frag. header */
@@ -544,6 +548,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
                                  ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
 
                 IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
+                IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
                 return 1;
         }
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b70f8979003b..8d9a93ed9c59 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1178,6 +1178,27 @@ void ip6_redirect(struct sk_buff *skb, struct net *net, int oif, u32 mark)
 }
 EXPORT_SYMBOL_GPL(ip6_redirect);
 
+void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif,
+                            u32 mark)
+{
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct rd_msg *msg = (struct rd_msg *)icmp6_hdr(skb);
+        struct dst_entry *dst;
+        struct flowi6 fl6;
+
+        memset(&fl6, 0, sizeof(fl6));
+        fl6.flowi6_oif = oif;
+        fl6.flowi6_mark = mark;
+        fl6.flowi6_flags = 0;
+        fl6.daddr = msg->dest;
+        fl6.saddr = iph->daddr;
+
+        dst = ip6_route_output(net, NULL, &fl6);
+        if (!dst->error)
+                rt6_do_redirect(dst, NULL, skb);
+        dst_release(dst);
+}
+
 void ip6_sk_redirect(struct sk_buff *skb, struct sock *sk)
 {
         ip6_redirect(skb, sock_net(sk), sk->sk_bound_dev_if, sk->sk_mark);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index a3437a4cd07e..21b25dd8466b 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -645,11 +645,7 @@ static int ipip_rcv(struct sk_buff *skb)
         const struct iphdr *iph;
         struct ip_tunnel *tunnel;
 
-        if (iptunnel_pull_header(skb, 0, tpi.proto))
-                goto drop;
-
         iph = ip_hdr(skb);
-
         tunnel = ipip6_tunnel_lookup(dev_net(skb->dev), skb->dev,
                                      iph->saddr, iph->daddr);
         if (tunnel != NULL) {
@@ -659,6 +655,8 @@ static int ipip_rcv(struct sk_buff *skb)
 
                 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
                         goto drop;
+                if (iptunnel_pull_header(skb, 0, tpi.proto))
+                        goto drop;
                 return ip_tunnel_rcv(tunnel, skb, &tpi, log_ecn_error);
         }
 
@@ -888,6 +886,11 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                 ttl = iph6->hop_limit;
         tos = INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
 
+        if (likely(!skb->encapsulation)) {
+                skb_reset_inner_headers(skb);
+                skb->encapsulation = 1;
+        }
+
         err = iptunnel_xmit(dev_net(dev), rt, skb, fl4.saddr, fl4.daddr,
                             IPPROTO_IPV6, tos, ttl, df);
         iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8755a3079d0f..6cd625e37706 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -34,8 +34,10 @@ static int xfrm6_local_dontfrag(struct sk_buff *skb)
         struct sock *sk = skb->sk;
 
         if (sk) {
-                proto = sk->sk_protocol;
+                if (sk->sk_family != AF_INET6)
+                        return 0;
 
+                proto = sk->sk_protocol;
                 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
                         return inet6_sk(sk)->dontfrag;
         }
@@ -54,13 +56,15 @@ static void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu)
         ipv6_local_rxpmtu(sk, &fl6, mtu);
 }
 
-static void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
+void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
 {
         struct flowi6 fl6;
+        const struct ipv6hdr *hdr;
         struct sock *sk = skb->sk;
 
+        hdr = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb);
         fl6.fl6_dport = inet_sk(sk)->inet_dport;
-        fl6.daddr = ipv6_hdr(skb)->daddr;
+        fl6.daddr = hdr->daddr;
 
         ipv6_local_error(sk, EMSGSIZE, &fl6, mtu);
 }
@@ -80,7 +84,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
                 if (xfrm6_local_dontfrag(skb))
                         xfrm6_local_rxpmtu(skb, mtu);
                 else if (skb->sk)
-                        xfrm6_local_error(skb, mtu);
+                        xfrm_local_error(skb, mtu);
                 else
                         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                 ret = -EMSGSIZE;
@@ -136,13 +140,18 @@ static int __xfrm6_output(struct sk_buff *skb)
 {
         struct dst_entry *dst = skb_dst(skb);
         struct xfrm_state *x = dst->xfrm;
-        int mtu = ip6_skb_dst_mtu(skb);
+        int mtu;
+
+        if (skb->protocol == htons(ETH_P_IPV6))
+                mtu = ip6_skb_dst_mtu(skb);
+        else
+                mtu = dst_mtu(skb_dst(skb));
 
         if (skb->len > mtu && xfrm6_local_dontfrag(skb)) {
                 xfrm6_local_rxpmtu(skb, mtu);
                 return -EMSGSIZE;
         } else if (!skb->local_df && skb->len > mtu && skb->sk) {
-                xfrm6_local_error(skb, mtu);
+                xfrm_local_error(skb, mtu);
                 return -EMSGSIZE;
         }
 
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index d8c70b8efc24..3fc970135fc6 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -183,6 +183,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
         .extract_input          = xfrm6_extract_input,
         .extract_output         = xfrm6_extract_output,
         .transport_finish       = xfrm6_transport_finish,
+        .local_error            = xfrm6_local_error,
 };
 
 int __init xfrm6_state_init(void)
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index ea7b9c2c7e66..2d45643c964e 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -36,7 +36,7 @@
 
 static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
                                       const u8 *bssid, const int beacon_int,
-                                      struct ieee80211_channel *chan,
+                                      struct cfg80211_chan_def *req_chandef,
                                       const u32 basic_rates,
                                       const u16 capability, u64 tsf,
                                       bool creator)
@@ -51,6 +51,7 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         u32 bss_change;
         u8 supp_rates[IEEE80211_MAX_SUPP_RATES];
         struct cfg80211_chan_def chandef;
+        struct ieee80211_channel *chan;
         struct beacon_data *presp;
         int frame_len;
 
@@ -81,7 +82,9 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 
         sdata->drop_unencrypted = capability & WLAN_CAPABILITY_PRIVACY ? 1 : 0;
 
-        chandef = ifibss->chandef;
+        /* make a copy of the chandef, it could be modified below. */
+        chandef = *req_chandef;
+        chan = chandef.chan;
         if (!cfg80211_reg_can_beacon(local->hw.wiphy, &chandef)) {
                 chandef.width = NL80211_CHAN_WIDTH_20;
                 chandef.center_freq1 = chan->center_freq;
@@ -259,10 +262,12 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         struct cfg80211_bss *cbss =
                 container_of((void *)bss, struct cfg80211_bss, priv);
         struct ieee80211_supported_band *sband;
+        struct cfg80211_chan_def chandef;
         u32 basic_rates;
         int i, j;
         u16 beacon_int = cbss->beacon_interval;
         const struct cfg80211_bss_ies *ies;
+        enum nl80211_channel_type chan_type;
         u64 tsf;
 
         sdata_assert_lock(sdata);
@@ -270,6 +275,26 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         if (beacon_int < 10)
                 beacon_int = 10;
 
+        switch (sdata->u.ibss.chandef.width) {
+        case NL80211_CHAN_WIDTH_20_NOHT:
+        case NL80211_CHAN_WIDTH_20:
+        case NL80211_CHAN_WIDTH_40:
+                chan_type = cfg80211_get_chandef_type(&sdata->u.ibss.chandef);
+                cfg80211_chandef_create(&chandef, cbss->channel, chan_type);
+                break;
+        case NL80211_CHAN_WIDTH_5:
+        case NL80211_CHAN_WIDTH_10:
+                cfg80211_chandef_create(&chandef, cbss->channel,
+                                        NL80211_CHAN_WIDTH_20_NOHT);
+                chandef.width = sdata->u.ibss.chandef.width;
+                break;
+        default:
+                /* fall back to 20 MHz for unsupported modes */
+                cfg80211_chandef_create(&chandef, cbss->channel,
+                                        NL80211_CHAN_WIDTH_20_NOHT);
+                break;
+        }
+
         sband = sdata->local->hw.wiphy->bands[cbss->channel->band];
 
         basic_rates = 0;
@@ -294,7 +319,7 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
 
         __ieee80211_sta_join_ibss(sdata, cbss->bssid,
                                   beacon_int,
-                                  cbss->channel,
+                                  &chandef,
                                   basic_rates,
                                   cbss->capability,
                                   tsf, false);
@@ -736,7 +761,7 @@ static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
                 sdata->drop_unencrypted = 0;
 
         __ieee80211_sta_join_ibss(sdata, bssid, sdata->vif.bss_conf.beacon_int,
-                                  ifibss->chandef.chan, ifibss->basic_rates,
+                                  &ifibss->chandef, ifibss->basic_rates,
                                   capability, 0, true);
 }
 
@@ -1138,6 +1163,7 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
         clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state);
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED |
                                                 BSS_CHANGED_IBSS);
+        ieee80211_vif_release_channel(sdata);
         synchronize_rcu();
         kfree(presp);
 
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae31968d42d3..cc9e02d79b55 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -31,10 +31,12 @@
 #include "led.h"
 
 #define IEEE80211_AUTH_TIMEOUT          (HZ / 5)
+#define IEEE80211_AUTH_TIMEOUT_LONG     (HZ / 2)
 #define IEEE80211_AUTH_TIMEOUT_SHORT    (HZ / 10)
 #define IEEE80211_AUTH_MAX_TRIES        3
 #define IEEE80211_AUTH_WAIT_ASSOC       (HZ * 5)
 #define IEEE80211_ASSOC_TIMEOUT         (HZ / 5)
+#define IEEE80211_ASSOC_TIMEOUT_LONG    (HZ / 2)
 #define IEEE80211_ASSOC_TIMEOUT_SHORT   (HZ / 10)
 #define IEEE80211_ASSOC_MAX_TRIES       3
 
@@ -209,8 +211,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                              struct ieee80211_channel *channel,
                              const struct ieee80211_ht_operation *ht_oper,
                              const struct ieee80211_vht_operation *vht_oper,
-                             struct cfg80211_chan_def *chandef, bool verbose)
+                             struct cfg80211_chan_def *chandef, bool tracking)
 {
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         struct cfg80211_chan_def vht_chandef;
         u32 ht_cfreq, ret;
 
@@ -229,7 +232,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
                                                   channel->band);
         /* check that channel matches the right operating channel */
-        if (channel->center_freq != ht_cfreq) {
+        if (!tracking && channel->center_freq != ht_cfreq) {
                 /*
                  * It's possible that some APs are confused here;
                  * Netgear WNDR3700 sometimes reports 4 higher than
@@ -237,11 +240,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                  * since we look at probe response/beacon data here
                  * it should be OK.
                  */
-                if (verbose)
-                        sdata_info(sdata,
-                                   "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
-                                   channel->center_freq, ht_cfreq,
-                                   ht_oper->primary_chan, channel->band);
+                sdata_info(sdata,
+                           "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
+                           channel->center_freq, ht_cfreq,
+                           ht_oper->primary_chan, channel->band);
                 ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
                 goto out;
         }
@@ -295,7 +297,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
                                 channel->band);
                 break;
         default:
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT operation IE has invalid channel width (%d), disable VHT\n",
                                    vht_oper->chan_width);
@@ -304,7 +306,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         }
 
         if (!cfg80211_chandef_valid(&vht_chandef)) {
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT information is invalid, disable VHT\n");
                 ret = IEEE80211_STA_DISABLE_VHT;
@@ -317,7 +319,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
         }
 
         if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
-                if (verbose)
+                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                         sdata_info(sdata,
                                    "AP VHT information doesn't match HT, disable VHT\n");
                 ret = IEEE80211_STA_DISABLE_VHT;
@@ -333,18 +335,27 @@ out:
         if (ret & IEEE80211_STA_DISABLE_VHT)
                 vht_chandef = *chandef;
 
+        /*
+         * Ignore the DISABLED flag when we're already connected and only
+         * tracking the APs beacon for bandwidth changes - otherwise we
+         * might get disconnected here if we connect to an AP, update our
+         * regulatory information based on the AP's country IE and the
+         * information we have is wrong/outdated and disables the channel
+         * that we're actually using for the connection to the AP.
+         */
         while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef,
-                                        IEEE80211_CHAN_DISABLED)) {
+                                        tracking ? 0 :
+                                                   IEEE80211_CHAN_DISABLED)) {
                 if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) {
                         ret = IEEE80211_STA_DISABLE_HT |
                               IEEE80211_STA_DISABLE_VHT;
-                        goto out;
+                        break;
                 }
 
                 ret |= chandef_downgrade(chandef);
         }
 
-        if (chandef->width != vht_chandef.width && verbose)
+        if (chandef->width != vht_chandef.width && !tracking)
                 sdata_info(sdata,
                            "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n");
 
@@ -384,7 +395,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
 
         /* calculate new channel (type) based on HT/VHT operation IEs */
         flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper,
-                                             vht_oper, &chandef, false);
+                                             vht_oper, &chandef, true);
 
         /*
          * Downgrade the new channel if we associated with restricted
@@ -3394,10 +3405,13 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
 
         if (tx_flags == 0) {
                 auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
-                ifmgd->auth_data->timeout_started = true;
+                auth_data->timeout_started = true;
                 run_again(sdata, auth_data->timeout);
         } else {
-                auth_data->timeout_started = false;
+                auth_data->timeout =
+                        round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
+                auth_data->timeout_started = true;
+                run_again(sdata, auth_data->timeout);
         }
 
         return 0;
@@ -3434,7 +3448,11 @@ static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
                 assoc_data->timeout_started = true;
                 run_again(sdata, assoc_data->timeout);
         } else {
-                assoc_data->timeout_started = false;
+                assoc_data->timeout =
+                        round_jiffies_up(jiffies +
+                                         IEEE80211_ASSOC_TIMEOUT_LONG);
+                assoc_data->timeout_started = true;
+                run_again(sdata, assoc_data->timeout);
         }
 
         return 0;
@@ -3829,7 +3847,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
         ifmgd->flags |= ieee80211_determine_chantype(sdata, sband,
                                                      cbss->channel,
                                                      ht_oper, vht_oper,
-                                                     &chandef, true);
+                                                     &chandef, false);
 
         sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss),
                                       local->rx_chains);
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index f5aed963b22e..f3bbea1eb9e7 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -828,6 +828,9 @@ minstrel_ht_update_cck(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
         if (sband->band != IEEE80211_BAND_2GHZ)
                 return;
 
+        if (!(mp->hw->flags & IEEE80211_HW_SUPPORTS_HT_CCK_RATES))
+                return;
+
         mi->cck_supported = 0;
         mi->cck_supported_short = 0;
         for (i = 0; i < 4; i++) {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 7dcc376eea5f..2f8010707d01 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
         const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
         __u32 seq, ack, sack, end, win, swin;
         s16 receiver_offset;
-        bool res;
+        bool res, in_recv_win;
 
         /*
          * Get the required data from the packet.
@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct,
                  receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
                  receiver->td_scale);
 
+        /* Is the ending sequence in the receive window (if available)? */
+        in_recv_win = !receiver->td_maxwin ||
+                      after(end, sender->td_end - receiver->td_maxwin - 1);
+
         pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
                  before(seq, sender->td_maxend + 1),
-                 after(end, sender->td_end - receiver->td_maxwin - 1),
+                 (in_recv_win ? 1 : 0),
                  before(sack, receiver->td_end + 1),
                  after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
 
         if (before(seq, sender->td_maxend + 1) &&
-            after(end, sender->td_end - receiver->td_maxwin - 1) &&
+            in_recv_win &&
             before(sack, receiver->td_end + 1) &&
             after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
                 /*
@@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
                         nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
                         "nf_ct_tcp: %s ",
                         before(seq, sender->td_maxend + 1) ?
-                        after(end, sender->td_end - receiver->td_maxwin - 1) ?
+                        in_recv_win ?
                         before(sack, receiver->td_end + 1) ?
                         after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
                         : "ACK is under the lower bound (possible overly delayed ACK)"
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 962e9792e317..d92cc317bf8b 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log,
         nfmsg->version = NFNETLINK_V0;
         nfmsg->res_id = htons(inst->group_num);
 
+        memset(&pmsg, 0, sizeof(pmsg));
         pmsg.hw_protocol        = skb->protocol;
         pmsg.hook               = hooknum;
 
@@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log,
         if (indev && skb->dev &&
             skb->mac_header != skb->network_header) {
                 struct nfulnl_msg_packet_hw phw;
-                int len = dev_parse_header(skb, phw.hw_addr);
+                int len;
+
+                memset(&phw, 0, sizeof(phw));
+                len = dev_parse_header(skb, phw.hw_addr);
                 if (len > 0) {
                         phw.hw_addrlen = htons(len);
                         if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 971ea145ab3e..8a703c3dd318 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -463,7 +463,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
         if (indev && entskb->dev &&
             entskb->mac_header != entskb->network_header) {
                 struct nfqnl_msg_packet_hw phw;
-                int len = dev_parse_header(entskb, phw.hw_addr);
+                int len;
+
+                memset(&phw, 0, sizeof(phw));
+                len = dev_parse_header(entskb, phw.hw_addr);
                 if (len) {
                         phw.hw_addrlen = htons(len);
                         if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw))
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 7011c71646f0..6113cc7efffc 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -52,7 +52,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 {
         const struct xt_tcpmss_info *info = par->targinfo;
         struct tcphdr *tcph;
-        unsigned int tcplen, i;
+        int len, tcp_hdrlen;
+        unsigned int i;
         __be16 oldval;
         u16 newmss;
         u8 *opt;
@@ -64,11 +65,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
         if (!skb_make_writable(skb, skb->len))
                 return -1;
 
-        tcplen = skb->len - tcphoff;
+        len = skb->len - tcphoff;
+        if (len < (int)sizeof(struct tcphdr))
+                return -1;
+
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+        tcp_hdrlen = tcph->doff * 4;
 
-        /* Header cannot be larger than the packet */
-        if (tcplen < tcph->doff*4)
+        if (len < tcp_hdrlen)
                 return -1;
 
         if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -87,9 +91,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
                 newmss = info->mss;
 
         opt = (u_int8_t *)tcph;
-        for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
-                if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
-                    opt[i+1] == TCPOLEN_MSS) {
+        for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) {
+                if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
                         u_int16_t oldmss;
 
                         oldmss = (opt[i+2] << 8) | opt[i+3];
@@ -112,9 +115,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
         }
 
         /* There is data after the header so the option can't be added
-           without moving it, and doing so may make the SYN packet
-           itself too large. Accept the packet unmodified instead. */
-        if (tcplen > tcph->doff*4)
+         * without moving it, and doing so may make the SYN packet
+         * itself too large. Accept the packet unmodified instead.
+         */
+        if (len > tcp_hdrlen)
                 return 0;
 
         /*
@@ -143,10 +147,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
                 newmss = min(newmss, (u16)1220);
 
         opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
-        memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+        memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr));
 
         inet_proto_csum_replace2(&tcph->check, skb,
-                                 htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+                                 htons(len), htons(len + TCPOLEN_MSS), 1);
         opt[0] = TCPOPT_MSS;
         opt[1] = TCPOLEN_MSS;
         opt[2] = (newmss & 0xff00) >> 8;
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index b68fa191710f..625fa1d636a0 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -38,7 +38,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
         struct tcphdr *tcph;
         u_int16_t n, o;
         u_int8_t *opt;
-        int len;
+        int len, tcp_hdrlen;
 
         /* This is a fragment, no TCP header is available */
         if (par->fragoff != 0)
@@ -52,7 +52,9 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
                 return NF_DROP;
 
         tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
-        if (tcph->doff * 4 > len)
+        tcp_hdrlen = tcph->doff * 4;
+
+        if (len < tcp_hdrlen)
                 return NF_DROP;
 
         opt  = (u_int8_t *)tcph;
@@ -61,10 +63,10 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
          * Walk through all TCP options - if we find some option to remove,
          * set all octets to %TCPOPT_NOP and adjust checksum.
          */
-        for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
+        for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) {
                 optl = optlen(opt, i);
 
-                if (i + optl > tcp_hdrlen(skb))
+                if (i + optl > tcp_hdrlen)
                         break;
 
                 if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 512718adb0d5..0c741cec4d0d 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -364,7 +364,7 @@ int genl_unregister_ops(struct genl_family *family, struct genl_ops *ops)
 EXPORT_SYMBOL(genl_unregister_ops);
 
 /**
- * genl_register_family - register a generic netlink family
+ * __genl_register_family - register a generic netlink family
  * @family: generic netlink family
  *
  * Registers the specified family after validating it first. Only one
@@ -374,7 +374,7 @@ EXPORT_SYMBOL(genl_unregister_ops);
  *
  * Return 0 on success or a negative error code.
  */
-int genl_register_family(struct genl_family *family)
+int __genl_register_family(struct genl_family *family)
 {
         int err = -EINVAL;
 
@@ -430,10 +430,10 @@ errout_locked:
 errout:
         return err;
 }
-EXPORT_SYMBOL(genl_register_family);
+EXPORT_SYMBOL(__genl_register_family);
 
 /**
- * genl_register_family_with_ops - register a generic netlink family
+ * __genl_register_family_with_ops - register a generic netlink family
  * @family: generic netlink family
  * @ops: operations to be registered
  * @n_ops: number of elements to register
@@ -457,12 +457,12 @@ EXPORT_SYMBOL(genl_register_family);
  *
  * Return 0 on success or a negative error code.
  */
-int genl_register_family_with_ops(struct genl_family *family,
+int __genl_register_family_with_ops(struct genl_family *family,
         struct genl_ops *ops, size_t n_ops)
 {
         int err, i;
 
-        err = genl_register_family(family);
+        err = __genl_register_family(family);
         if (err)
                 return err;
 
@@ -476,7 +476,7 @@ err_out:
         genl_unregister_family(family);
         return err;
 }
-EXPORT_SYMBOL(genl_register_family_with_ops);
+EXPORT_SYMBOL(__genl_register_family_with_ops);
 
 /**
  * genl_unregister_family - unregister generic netlink family
@@ -544,6 +544,30 @@ void *genlmsg_put(struct sk_buff *skb, u32 portid, u32 seq,
 }
 EXPORT_SYMBOL(genlmsg_put);
 
+static int genl_lock_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        struct genl_ops *ops = cb->data;
+        int rc;
+
+        genl_lock();
+        rc = ops->dumpit(skb, cb);
+        genl_unlock();
+        return rc;
+}
+
+static int genl_lock_done(struct netlink_callback *cb)
+{
+        struct genl_ops *ops = cb->data;
+        int rc = 0;
+
+        if (ops->done) {
+                genl_lock();
+                rc = ops->done(cb);
+                genl_unlock();
+        }
+        return rc;
+}
+
 static int genl_family_rcv_msg(struct genl_family *family,
                                struct sk_buff *skb,
                                struct nlmsghdr *nlh)
@@ -572,15 +596,34 @@ static int genl_family_rcv_msg(struct genl_family *family,
                 return -EPERM;
 
         if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {
-                struct netlink_dump_control c = {
-                        .dump = ops->dumpit,
-                        .done = ops->done,
-                };
+                int rc;
 
                 if (ops->dumpit == NULL)
                         return -EOPNOTSUPP;
 
-                return netlink_dump_start(net->genl_sock, skb, nlh, &c);
+                if (!family->parallel_ops) {
+                        struct netlink_dump_control c = {
+                                .module = family->module,
+                                .data = ops,
+                                .dump = genl_lock_dumpit,
+                                .done = genl_lock_done,
+                        };
+
+                        genl_unlock();
+                        rc = __netlink_dump_start(net->genl_sock, skb, nlh, &c);
+                        genl_lock();
+
+                } else {
+                        struct netlink_dump_control c = {
+                                .module = family->module,
+                                .dump = ops->dumpit,
+                                .done = ops->done,
+                        };
+
+                        rc = __netlink_dump_start(net->genl_sock, skb, nlh, &c);
+                }
+
+                return rc;
         }
 
         if (ops->doit == NULL)
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 22c5f399f1cf..ab101f715447 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -535,6 +535,7 @@ int ovs_execute_actions(struct datapath *dp, struct sk_buff *skb)
 {
         struct sw_flow_actions *acts = rcu_dereference(OVS_CB(skb)->flow->sf_acts);
 
+        OVS_CB(skb)->tun_key = NULL;
         return do_execute_actions(dp, skb, acts->actions,
                                          acts->actions_len, false);
 }
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index f7e3a0d84c40..f2ed7600084e 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2076,9 +2076,6 @@ static int ovs_vport_cmd_set(struct sk_buff *skb, struct genl_info *info)
         ovs_notify(reply, info, &ovs_dp_vport_multicast_group);
         return 0;
 
-        rtnl_unlock();
-        return 0;
-
 exit_free:
         kfree_skb(reply);
 exit_unlock:
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 5c519b121e1b..1aa84dc58777 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -240,7 +240,7 @@ static struct flex_array *alloc_buckets(unsigned int n_buckets)
         struct flex_array *buckets;
         int i, err;
 
-        buckets = flex_array_alloc(sizeof(struct hlist_head *),
+        buckets = flex_array_alloc(sizeof(struct hlist_head),
                                    n_buckets, GFP_KERNEL);
         if (!buckets)
                 return NULL;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 4b66c752eae5..75c8bbf598c8 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3259,9 +3259,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
 
                 if (po->tp_version == TPACKET_V3) {
                         lv = sizeof(struct tpacket_stats_v3);
+                        st.stats3.tp_packets += st.stats3.tp_drops;
                         data = &st.stats3;
                 } else {
                         lv = sizeof(struct tpacket_stats);
+                        st.stats1.tp_packets += st.stats1.tp_drops;
                         data = &st.stats1;
                 }
 
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 281c1bded1f6..51b968d3febb 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -285,6 +285,45 @@ static struct Qdisc_ops *qdisc_lookup_ops(struct nlattr *kind)
         return q;
 }
 
+/* The linklayer setting were not transferred from iproute2, in older
+ * versions, and the rate tables lookup systems have been dropped in
+ * the kernel. To keep backward compatible with older iproute2 tc
+ * utils, we detect the linklayer setting by detecting if the rate
+ * table were modified.
+ *
+ * For linklayer ATM table entries, the rate table will be aligned to
+ * 48 bytes, thus some table entries will contain the same value.  The
+ * mpu (min packet unit) is also encoded into the old rate table, thus
+ * starting from the mpu, we find low and high table entries for
+ * mapping this cell.  If these entries contain the same value, when
+ * the rate tables have been modified for linklayer ATM.
+ *
+ * This is done by rounding mpu to the nearest 48 bytes cell/entry,
+ * and then roundup to the next cell, calc the table entry one below,
+ * and compare.
+ */
+static __u8 __detect_linklayer(struct tc_ratespec *r, __u32 *rtab)
+{
+        int low       = roundup(r->mpu, 48);
+        int high      = roundup(low+1, 48);
+        int cell_low  = low >> r->cell_log;
+        int cell_high = (high >> r->cell_log) - 1;
+
+        /* rtab is too inaccurate at rates > 100Mbit/s */
+        if ((r->rate > (100000000/8)) || (rtab[0] == 0)) {
+                pr_debug("TC linklayer: Giving up ATM detection\n");
+                return TC_LINKLAYER_ETHERNET;
+        }
+
+        if ((cell_high > cell_low) && (cell_high < 256)
+            && (rtab[cell_low] == rtab[cell_high])) {
+                pr_debug("TC linklayer: Detected ATM, low(%d)=high(%d)=%u\n",
+                         cell_low, cell_high, rtab[cell_high]);
+                return TC_LINKLAYER_ATM;
+        }
+        return TC_LINKLAYER_ETHERNET;
+}
+
 static struct qdisc_rate_table *qdisc_rtab_list;
 
 struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *tab)
@@ -308,6 +347,8 @@ struct qdisc_rate_table *qdisc_get_rtab(struct tc_ratespec *r, struct nlattr *ta
                 rtab->rate = *r;
                 rtab->refcnt = 1;
                 memcpy(rtab->data, nla_data(tab), 1024);
+                if (r->linklayer == TC_LINKLAYER_UNAWARE)
+                        r->linklayer = __detect_linklayer(r, rtab->data);
                 rtab->next = qdisc_rtab_list;
                 qdisc_rtab_list = rtab;
         }
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 4626cef4b76e..48be3d5c0d92 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -25,6 +25,7 @@
 #include <linux/rcupdate.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/if_vlan.h>
 #include <net/sch_generic.h>
 #include <net/pkt_sched.h>
 #include <net/dst.h>
@@ -207,15 +208,19 @@ void __qdisc_run(struct Qdisc *q)
 
 unsigned long dev_trans_start(struct net_device *dev)
 {
-        unsigned long val, res = dev->trans_start;
+        unsigned long val, res;
         unsigned int i;
 
+        if (is_vlan_dev(dev))
+                dev = vlan_dev_real_dev(dev);
+        res = dev->trans_start;
         for (i = 0; i < dev->num_tx_queues; i++) {
                 val = netdev_get_tx_queue(dev, i)->trans_start;
                 if (val && time_after(val, res))
                         res = val;
         }
         dev->trans_start = res;
+
         return res;
 }
 EXPORT_SYMBOL(dev_trans_start);
@@ -904,6 +909,7 @@ void psched_ratecfg_precompute(struct psched_ratecfg *r,
         memset(r, 0, sizeof(*r));
         r->overhead = conf->overhead;
         r->rate_bytes_ps = conf->rate;
+        r->linklayer = (conf->linklayer & TC_LINKLAYER_MASK);
         r->mult = 1;
         /*
          * The deal here is to replace a divide by a reciprocal one
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 45e751527dfc..c2178b15ca6e 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1329,6 +1329,7 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
         struct htb_sched *q = qdisc_priv(sch);
         struct htb_class *cl = (struct htb_class *)*arg, *parent;
         struct nlattr *opt = tca[TCA_OPTIONS];
+        struct qdisc_rate_table *rtab = NULL, *ctab = NULL;
         struct nlattr *tb[TCA_HTB_MAX + 1];
         struct tc_htb_opt *hopt;
 
@@ -1350,6 +1351,18 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
         if (!hopt->rate.rate || !hopt->ceil.rate)
                 goto failure;
 
+        /* Keeping backward compatible with rate_table based iproute2 tc */
+        if (hopt->rate.linklayer == TC_LINKLAYER_UNAWARE) {
+                rtab = qdisc_get_rtab(&hopt->rate, tb[TCA_HTB_RTAB]);
+                if (rtab)
+                        qdisc_put_rtab(rtab);
+        }
+        if (hopt->ceil.linklayer == TC_LINKLAYER_UNAWARE) {
+                ctab = qdisc_get_rtab(&hopt->ceil, tb[TCA_HTB_CTAB]);
+                if (ctab)
+                        qdisc_put_rtab(ctab);
+        }
+
         if (!cl) {              /* new class */
                 struct Qdisc *new_q;
                 int prio;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index bce5b79662a6..ab67efc64b24 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -846,12 +846,12 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
                 else
                         spc_state = SCTP_ADDR_AVAILABLE;
                 /* Don't inform ULP about transition from PF to
-                 * active state and set cwnd to 1, see SCTP
+                 * active state and set cwnd to 1 MTU, see SCTP
                  * Quick failover draft section 5.1, point 5
                  */
                 if (transport->state == SCTP_PF) {
                         ulp_notify = false;
-                        transport->cwnd = 1;
+                        transport->cwnd = asoc->pathmtu;
                 }
                 transport->state = SCTP_ACTIVE;
                 break;
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index bdbbc3fd7c14..8fdd16046d66 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -181,12 +181,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
                 return;
         }
 
-        call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
-
         sctp_packet_free(&transport->packet);
 
         if (transport->asoc)
                 sctp_association_put(transport->asoc);
+
+        call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
 }
 
 /* Start T3_rtx timer if it is not already running and update the heartbeat
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 75edcfad6e26..1504bb11e4f3 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
                 pgfrom_base -= copy;
 
                 vto = kmap_atomic(*pgto);
-                vfrom = kmap_atomic(*pgfrom);
-                memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+                if (*pgto != *pgfrom) {
+                        vfrom = kmap_atomic(*pgfrom);
+                        memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+                        kunmap_atomic(vfrom);
+                } else
+                        memmove(vto + pgto_base, vto + pgfrom_base, copy);
                 flush_dcache_page(*pgto);
-                kunmap_atomic(vfrom);
                 kunmap_atomic(vto);
 
         } while ((len -= copy) != 0);
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index cb29ef7ba2f0..609c30c80816 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -460,6 +460,7 @@ static void bearer_disable(struct tipc_bearer *b_ptr)
 {
         struct tipc_link *l_ptr;
         struct tipc_link *temp_l_ptr;
+        struct tipc_link_req *temp_req;
 
         pr_info("Disabling bearer <%s>\n", b_ptr->name);
         spin_lock_bh(&b_ptr->lock);
@@ -468,9 +469,13 @@ static void bearer_disable(struct tipc_bearer *b_ptr)
         list_for_each_entry_safe(l_ptr, temp_l_ptr, &b_ptr->links, link_list) {
                 tipc_link_delete(l_ptr);
         }
-        if (b_ptr->link_req)
-                tipc_disc_delete(b_ptr->link_req);
+        temp_req = b_ptr->link_req;
+        b_ptr->link_req = NULL;
         spin_unlock_bh(&b_ptr->lock);
+
+        if (temp_req)
+                tipc_disc_delete(temp_req);
+
         memset(b_ptr, 0, sizeof(struct tipc_bearer));
 }
 
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index ce8249c76827..6cc7ddd2fb7c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1257,7 +1257,7 @@ static u32 filter_connect(struct tipc_sock *tsock, struct sk_buff **buf)
                 /* Accept only ACK or NACK message */
                 if (unlikely(msg_errcode(msg))) {
                         sock->state = SS_DISCONNECTING;
-                        sk->sk_err = -ECONNREFUSED;
+                        sk->sk_err = ECONNREFUSED;
                         retval = TIPC_OK;
                         break;
                 }
@@ -1268,7 +1268,7 @@ static u32 filter_connect(struct tipc_sock *tsock, struct sk_buff **buf)
                 res = auto_connect(sock, msg);
                 if (res) {
                         sock->state = SS_DISCONNECTING;
-                        sk->sk_err = res;
+                        sk->sk_err = -res;
                         retval = TIPC_OK;
                         break;
                 }
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 593071dabd1c..4d9334683f84 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -347,7 +347,7 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
         for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
                 struct vsock_sock *vsk;
                 list_for_each_entry(vsk, &vsock_connected_table[i],
-                                    connected_table);
+                                    connected_table)
                         fn(sk_vsock(vsk));
         }
 
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 4f9f216665e9..a8c29fa4f1b3 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -765,6 +765,7 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
                 cfg80211_leave_mesh(rdev, dev);
                 break;
         case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_P2P_GO:
                 cfg80211_stop_ap(rdev, dev);
                 break;
         default:
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 25d217d90807..5f6e982cdcf4 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -441,10 +441,12 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
                         goto out_unlock;
                 }
                 *rdev = wiphy_to_dev((*wdev)->wiphy);
-                cb->args[0] = (*rdev)->wiphy_idx;
+                /* 0 is the first index - add 1 to parse only once */
+                cb->args[0] = (*rdev)->wiphy_idx + 1;
                 cb->args[1] = (*wdev)->identifier;
         } else {
-                struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]);
+                /* subtract the 1 again here */
+                struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
                 struct wireless_dev *tmp;
 
                 if (!wiphy) {
@@ -2620,8 +2622,8 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
 
         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
                              NL80211_CMD_NEW_KEY);
-        if (IS_ERR(hdr))
-                return PTR_ERR(hdr);
+        if (!hdr)
+                return -ENOBUFS;
 
         cookie.msg = msg;
         cookie.idx = key_idx;
@@ -6505,6 +6507,9 @@ static int nl80211_testmode_dump(struct sk_buff *skb,
                                            NL80211_CMD_TESTMODE);
                 struct nlattr *tmdata;
 
+                if (!hdr)
+                        break;
+
                 if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
                         genlmsg_cancel(skb, hdr);
                         break;
@@ -6949,9 +6954,8 @@ static int nl80211_remain_on_channel(struct sk_buff *skb,
 
         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
                              NL80211_CMD_REMAIN_ON_CHANNEL);
-
-        if (IS_ERR(hdr)) {
-                err = PTR_ERR(hdr);
+        if (!hdr) {
+                err = -ENOBUFS;
                 goto free_msg;
         }
 
@@ -7249,9 +7253,8 @@ static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
 
                 hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
                                      NL80211_CMD_FRAME);
-
-                if (IS_ERR(hdr)) {
-                        err = PTR_ERR(hdr);
+                if (!hdr) {
+                        err = -ENOBUFS;
                         goto free_msg;
                 }
         }
@@ -8130,9 +8133,8 @@ static int nl80211_probe_client(struct sk_buff *skb,
 
         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
                              NL80211_CMD_PROBE_CLIENT);
-
-        if (IS_ERR(hdr)) {
-                err = PTR_ERR(hdr);
+        if (!hdr) {
+                err = -ENOBUFS;
                 goto free_msg;
         }
 
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 81c8a10d743c..20e86a95dc4e 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -976,21 +976,19 @@ int cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                         struct net_device *dev, u16 reason, bool wextev)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
-        int err;
+        int err = 0;
 
         ASSERT_WDEV_LOCK(wdev);
 
         kfree(wdev->connect_keys);
         wdev->connect_keys = NULL;
 
-        if (wdev->conn) {
+        if (wdev->conn)
                 err = cfg80211_sme_disconnect(wdev, reason);
-        } else if (!rdev->ops->disconnect) {
+        else if (!rdev->ops->disconnect)
                 cfg80211_mlme_down(rdev, dev);
-                err = 0;
-        } else {
+        else if (wdev->current_bss)
                 err = rdev_disconnect(rdev, dev, reason);
-        }
 
         return err;
 }
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index eb4a84288648..3bb2cdc13b46 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -214,5 +214,26 @@ int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
         return inner_mode->afinfo->extract_output(x, skb);
 }
 
+void xfrm_local_error(struct sk_buff *skb, int mtu)
+{
+        unsigned int proto;
+        struct xfrm_state_afinfo *afinfo;
+
+        if (skb->protocol == htons(ETH_P_IP))
+                proto = AF_INET;
+        else if (skb->protocol == htons(ETH_P_IPV6))
+                proto = AF_INET6;
+        else
+                return;
+
+        afinfo = xfrm_state_get_afinfo(proto);
+        if (!afinfo)
+                return;
+
+        afinfo->local_error(skb, mtu);
+        xfrm_state_put_afinfo(afinfo);
+}
+
 EXPORT_SYMBOL_GPL(xfrm_output);
 EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
+EXPORT_SYMBOL_GPL(xfrm_local_error);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e52cab3591dd..f77c371ea72b 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -320,10 +320,8 @@ static void xfrm_queue_purge(struct sk_buff_head *list)
 {
         struct sk_buff *skb;
 
-        while ((skb = skb_dequeue(list)) != NULL) {
-                dev_put(skb->dev);
+        while ((skb = skb_dequeue(list)) != NULL)
                 kfree_skb(skb);
-        }
 }
 
 /* Rule must be locked. Release descentant resources, announce
@@ -1758,7 +1756,6 @@ static void xfrm_policy_queue_process(unsigned long arg)
         struct sk_buff *skb;
         struct sock *sk;
         struct dst_entry *dst;
-        struct net_device *dev;
         struct xfrm_policy *pol = (struct xfrm_policy *)arg;
         struct xfrm_policy_queue *pq = &pol->polq;
         struct flowi fl;
@@ -1805,7 +1802,6 @@ static void xfrm_policy_queue_process(unsigned long arg)
                 dst = xfrm_lookup(xp_net(pol), skb_dst(skb)->path,
                                   &fl, skb->sk, 0);
                 if (IS_ERR(dst)) {
-                        dev_put(skb->dev);
                         kfree_skb(skb);
                         continue;
                 }
@@ -1814,9 +1810,7 @@ static void xfrm_policy_queue_process(unsigned long arg)
                 skb_dst_drop(skb);
                 skb_dst_set(skb, dst);
 
-                dev = skb->dev;
                 err = dst_output(skb);
-                dev_put(dev);
         }
 
         return;
@@ -1839,7 +1833,6 @@ static int xdst_queue_output(struct sk_buff *skb)
         }
 
         skb_dst_force(skb);
-        dev_hold(skb->dev);
 
         spin_lock_bh(&pq->hold_queue.lock);
 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 78f66fa92449..54c0acd29468 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -39,9 +39,6 @@ static DEFINE_SPINLOCK(xfrm_state_lock);
 
 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 
-static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
-static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
-
 static inline unsigned int xfrm_dst_hash(struct net *net,
                                          const xfrm_address_t *daddr,
                                          const xfrm_address_t *saddr,
@@ -1860,7 +1857,7 @@ int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
 }
 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
 
-static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
+struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
 {
         struct xfrm_state_afinfo *afinfo;
         if (unlikely(family >= NPROTO))
@@ -1872,7 +1869,7 @@ static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
         return afinfo;
 }
 
-static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
+void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
 {
         rcu_read_unlock();
 }