20 files changed, 221 insertions, 68 deletions

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 5391ca43336a..6d6f26531de2 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1608,7 +1608,6 @@ void br_multicast_init(struct net_bridge *br)
                     br_multicast_querier_expired, (unsigned long)br);
         setup_timer(&br->multicast_query_timer, br_multicast_query_expired,
                     (unsigned long)br);
-        br_mdb_init();
 }
 
 void br_multicast_open(struct net_bridge *br)
@@ -1633,7 +1632,6 @@ void br_multicast_stop(struct net_bridge *br)
         del_timer_sync(&br->multicast_querier_timer);
         del_timer_sync(&br->multicast_query_timer);
 
-        br_mdb_uninit();
         spin_lock_bh(&br->multicast_lock);
         mdb = mlock_dereference(br->mdb, br);
         if (!mdb)
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 97ba0189c6f7..5dc66abcc9e2 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -299,10 +299,21 @@ struct rtnl_link_ops br_link_ops __read_mostly = {
 
 int __init br_netlink_init(void)
 {
-        return rtnl_link_register(&br_link_ops);
+        int err;
+
+        br_mdb_init();
+        err = rtnl_link_register(&br_link_ops);
+        if (err)
+                goto out;
+
+        return 0;
+out:
+        br_mdb_uninit();
+        return err;
 }
 
 void __exit br_netlink_fini(void)
 {
+        br_mdb_uninit();
         rtnl_link_unregister(&br_link_ops);
 }
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 8d83be5ffedc..711094aed41a 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -526,6 +526,12 @@ static inline bool br_multicast_is_router(struct net_bridge *br)
 {
         return 0;
 }
+static inline void br_mdb_init(void)
+{
+}
+static inline void br_mdb_uninit(void)
+{
+}
 #endif
 
 /* br_netfilter.c */
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index cc06a47f1216..a8e4f2665d5e 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -823,9 +823,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                 if (!ifa) {
                         ret = -ENOBUFS;
                         ifa = inet_alloc_ifa();
-                        INIT_HLIST_NODE(&ifa->hash);
                         if (!ifa)
                                 break;
+                        INIT_HLIST_NODE(&ifa->hash);
                         if (colon)
                                 memcpy(ifa->ifa_label, ifr.ifr_name, IFNAMSIZ);
                         else
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index d763701cff1b..a2e50ae80b53 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -136,6 +136,8 @@ __be32 ic_myaddr = NONE;		/* My IP address */
 static __be32 ic_netmask = NONE;        /* Netmask for local subnet */
 __be32 ic_gateway = NONE;       /* Gateway IP address */
 
+__be32 ic_addrservaddr = NONE;  /* IP Address of the IP addresses'server */
+
 __be32 ic_servaddr = NONE;      /* Boot server IP address */
 
 __be32 root_server_addr = NONE; /* Address of NFS server */
@@ -558,6 +560,7 @@ ic_rarp_recv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
         if (ic_myaddr == NONE)
                 ic_myaddr = tip;
         ic_servaddr = sip;
+        ic_addrservaddr = sip;
         ic_got_reply = IC_RARP;
 
 drop_unlock:
@@ -1068,7 +1071,7 @@ static int __init ic_bootp_recv(struct sk_buff *skb, struct net_device *dev, str
                                 ic_servaddr = server_id;
 #ifdef IPCONFIG_DEBUG
                                 printk("DHCP: Offered address %pI4 by server %pI4\n",
-                                       &ic_myaddr, &ic_servaddr);
+                                       &ic_myaddr, &b->iph.saddr);
 #endif
                                 /* The DHCP indicated server address takes
                                  * precedence over the bootp header one if
@@ -1113,6 +1116,7 @@ static int __init ic_bootp_recv(struct sk_buff *skb, struct net_device *dev, str
         ic_dev = dev;
         ic_myaddr = b->your_ip;
         ic_servaddr = b->server_ip;
+        ic_addrservaddr = b->iph.saddr;
         if (ic_gateway == NONE && b->relay_ip)
                 ic_gateway = b->relay_ip;
         if (ic_nameservers[0] == NONE)
@@ -1268,7 +1272,7 @@ static int __init ic_dynamic(void)
         printk("IP-Config: Got %s answer from %pI4, ",
                 ((ic_got_reply & IC_RARP) ? "RARP"
                  : (ic_proto_enabled & IC_USE_DHCP) ? "DHCP" : "BOOTP"),
-               &ic_servaddr);
+               &ic_addrservaddr);
         pr_cont("my address is %pI4\n", &ic_myaddr);
 
         return 0;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 51f13f8ec724..04b18c1ac345 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -81,6 +81,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
         niph->saddr     = oiph->daddr;
         niph->daddr     = oiph->saddr;
 
+        skb_reset_transport_header(nskb);
         tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
         memset(tcph, 0, sizeof(*tcph));
         tcph->source    = oth->dest;
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index da2c8a368f68..eeaff7e4acb5 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -124,23 +124,28 @@ nf_nat_ipv4_fn(unsigned int hooknum,
                         ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
                         if (ret != NF_ACCEPT)
                                 return ret;
-                } else
+                } else {
                         pr_debug("Already setup manip %s for ct %p\n",
                                  maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
                                  ct);
+                        if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                                goto oif_changed;
+                }
                 break;
 
         default:
                 /* ESTABLISHED */
                 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
                              ctinfo == IP_CT_ESTABLISHED_REPLY);
-                if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
-                        nf_ct_kill_acct(ct, ctinfo, skb);
-                        return NF_DROP;
-                }
+                if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                        goto oif_changed;
         }
 
         return nf_nat_packet(ct, ctinfo, hooknum, skb);
+
+oif_changed:
+        nf_ct_kill_acct(ct, ctinfo, skb);
+        return NF_DROP;
 }
 
 static unsigned int
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index e9486915eff6..7302b0b7b642 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -14,42 +14,23 @@
 #include <linux/netfilter_ipv6/ip6t_NPT.h>
 #include <linux/netfilter/x_tables.h>
 
-static __sum16 csum16_complement(__sum16 a)
-{
-        return (__force __sum16)(0xffff - (__force u16)a);
-}
-
-static __sum16 csum16_add(__sum16 a, __sum16 b)
-{
-        u16 sum;
-
-        sum = (__force u16)a + (__force u16)b;
-        sum += (__force u16)a < (__force u16)b;
-        return (__force __sum16)sum;
-}
-
-static __sum16 csum16_sub(__sum16 a, __sum16 b)
-{
-        return csum16_add(a, csum16_complement(b));
-}
-
 static int ip6t_npt_checkentry(const struct xt_tgchk_param *par)
 {
         struct ip6t_npt_tginfo *npt = par->targinfo;
-        __sum16 src_sum = 0, dst_sum = 0;
+        __wsum src_sum = 0, dst_sum = 0;
         unsigned int i;
 
         if (npt->src_pfx_len > 64 || npt->dst_pfx_len > 64)
                 return -EINVAL;
 
         for (i = 0; i < ARRAY_SIZE(npt->src_pfx.in6.s6_addr16); i++) {
-                src_sum = csum16_add(src_sum,
-                                (__force __sum16)npt->src_pfx.in6.s6_addr16[i]);
-                dst_sum = csum16_add(dst_sum,
-                                (__force __sum16)npt->dst_pfx.in6.s6_addr16[i]);
+                src_sum = csum_add(src_sum,
+                                (__force __wsum)npt->src_pfx.in6.s6_addr16[i]);
+                dst_sum = csum_add(dst_sum,
+                                (__force __wsum)npt->dst_pfx.in6.s6_addr16[i]);
         }
 
-        npt->adjustment = csum16_sub(src_sum, dst_sum);
+        npt->adjustment = (__force __sum16) csum_sub(src_sum, dst_sum);
         return 0;
 }
 
@@ -85,7 +66,7 @@ static bool ip6t_npt_map_pfx(const struct ip6t_npt_tginfo *npt,
                         return false;
         }
 
-        sum = csum16_add((__force __sum16)addr->s6_addr16[idx],
+        sum = (__force __sum16) csum_add((__force __wsum)addr->s6_addr16[idx],
                          npt->adjustment);
         if (sum == CSUM_MANGLED_0)
                 sum = 0;
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index fd4fb34c51c7..029623dbd411 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -132,6 +132,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
         ip6h->saddr = oip6h->daddr;
         ip6h->daddr = oip6h->saddr;
 
+        skb_reset_transport_header(nskb);
         tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
         /* Truncate to length (no data) */
         tcph->doff = sizeof(struct tcphdr)/4;
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 6c8ae24b85eb..e0e788d25b14 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -127,23 +127,28 @@ nf_nat_ipv6_fn(unsigned int hooknum,
                         ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
                         if (ret != NF_ACCEPT)
                                 return ret;
-                } else
+                } else {
                         pr_debug("Already setup manip %s for ct %p\n",
                                  maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
                                  ct);
+                        if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                                goto oif_changed;
+                }
                 break;
 
         default:
                 /* ESTABLISHED */
                 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
                              ctinfo == IP_CT_ESTABLISHED_REPLY);
-                if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
-                        nf_ct_kill_acct(ct, ctinfo, skb);
-                        return NF_DROP;
-                }
+                if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                        goto oif_changed;
         }
 
         return nf_nat_packet(ct, ctinfo, hooknum, skb);
+
+oif_changed:
+        nf_ct_kill_acct(ct, ctinfo, skb);
+        return NF_DROP;
 }
 
 static unsigned int
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 00ee17c3e893..137e245860ab 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -81,8 +81,8 @@ static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
         }
         protoff = ipv6_skip_exthdr(skb, extoff, &nexthdr, &frag_off);
         /*
-         * (protoff == skb->len) mean that the packet doesn't have no data
-         * except of IPv6 & ext headers. but it's tracked anyway. - YK
+         * (protoff == skb->len) means the packet has not data, just
+         * IPv6 and possibly extensions headers, but it is tracked anyway
          */
         if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
                 pr_debug("ip6_conntrack_core: can't find proto in pkt\n");
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 22c8ea951185..3dacecc99065 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -311,7 +311,10 @@ found:
         else
                 fq->q.fragments = skb;
 
-        skb->dev = NULL;
+        if (skb->dev) {
+                fq->iif = skb->dev->ifindex;
+                skb->dev = NULL;
+        }
         fq->q.stamp = skb->tstamp;
         fq->q.meat += skb->len;
         if (payload_len > fq->q.max_size)
diff --git a/net/mac802154/wpan.c b/net/mac802154/wpan.c
index 1191039c2b1b..199b92261e94 100644
--- a/net/mac802154/wpan.c
+++ b/net/mac802154/wpan.c
@@ -389,7 +389,7 @@ void mac802154_wpan_setup(struct net_device *dev)
 
 static int mac802154_process_data(struct net_device *dev, struct sk_buff *skb)
 {
-        return netif_rx(skb);
+        return netif_rx_ni(skb);
 }
 
 static int
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index fefa514b9917..49e96df5fbc4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -680,6 +680,13 @@ config NETFILTER_XT_TARGET_NFQUEUE
 
           To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_NOTRACK
+        tristate  '"NOTRACK" target support (DEPRECATED)'
+        depends on NF_CONNTRACK
+        depends on IP_NF_RAW || IP6_NF_RAW
+        depends on NETFILTER_ADVANCED
+        select NETFILTER_XT_TARGET_CT
+
 config NETFILTER_XT_TARGET_RATEEST
         tristate '"RATEEST" target support'
         depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 08cdc71d8e87..016d95ead930 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1526,6 +1526,7 @@ err_extend:
  */
 #define UNCONFIRMED_NULLS_VAL   ((1<<30)+0)
 #define DYING_NULLS_VAL         ((1<<30)+1)
+#define TEMPLATE_NULLS_VAL      ((1<<30)+2)
 
 static int nf_conntrack_init_net(struct net *net)
 {
@@ -1534,6 +1535,7 @@ static int nf_conntrack_init_net(struct net *net)
         atomic_set(&net->ct.count, 0);
         INIT_HLIST_NULLS_HEAD(&net->ct.unconfirmed, UNCONFIRMED_NULLS_VAL);
         INIT_HLIST_NULLS_HEAD(&net->ct.dying, DYING_NULLS_VAL);
+        INIT_HLIST_NULLS_HEAD(&net->ct.tmpl, TEMPLATE_NULLS_VAL);
         net->ct.stat = alloc_percpu(struct ip_conntrack_stat);
         if (!net->ct.stat) {
                 ret = -ENOMEM;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4e078cd84d83..627b0e50b238 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2624,7 +2624,7 @@ ctnetlink_create_expect(struct net *net, u16 zone,
         if (!help) {
                 if (!cda[CTA_EXPECT_TIMEOUT]) {
                         err = -EINVAL;
-                        goto out;
+                        goto err_out;
                 }
                 exp->timeout.expires =
                   jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 9f199f2e31fa..92fd8eca0d31 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -13,6 +13,7 @@
  */
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/if_arp.h>
 #include <linux/init.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
@@ -384,6 +385,7 @@ __build_packet_message(struct nfulnl_instance *inst,
         struct nfgenmsg *nfmsg;
         sk_buff_data_t old_tail = inst->skb->tail;
         struct sock *sk;
+        const unsigned char *hwhdrp;
 
         nlh = nlmsg_put(inst->skb, 0, 0,
                         NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
@@ -485,9 +487,17 @@ __build_packet_message(struct nfulnl_instance *inst,
         if (indev && skb_mac_header_was_set(skb)) {
                 if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) ||
                     nla_put_be16(inst->skb, NFULA_HWLEN,
-                                 htons(skb->dev->hard_header_len)) ||
-                    nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len,
-                            skb_mac_header(skb)))
+                                 htons(skb->dev->hard_header_len)))
+                        goto nla_put_failure;
+
+                hwhdrp = skb_mac_header(skb);
+
+                if (skb->dev->type == ARPHRD_SIT)
+                        hwhdrp -= ETH_HLEN;
+
+                if (hwhdrp >= skb->head &&
+                    nla_put(inst->skb, NFULA_HWHEADER,
+                            skb->dev->hard_header_len, hwhdrp))
                         goto nla_put_failure;
         }
 
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index ae7f5daeee43..2a0843081840 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -149,6 +149,10 @@ static int xt_ct_tg_check_v0(const struct xt_tgchk_param *par)
 
         __set_bit(IPS_TEMPLATE_BIT, &ct->status);
         __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+
+        /* Overload tuple linked list to put us in template list. */
+        hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode,
+                                 &par->net->ct.tmpl);
 out:
         info->ct = ct;
         return 0;
@@ -289,6 +293,10 @@ static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
 
         __set_bit(IPS_TEMPLATE_BIT, &ct->status);
         __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+
+        /* Overload tuple linked list to put us in template list. */
+        hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode,
+                                 &par->net->ct.tmpl);
 out:
         info->ct = ct;
         return 0;
@@ -377,14 +385,60 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
         },
 };
 
+static unsigned int
+notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        /* Previously seen (loopback)? Ignore. */
+        if (skb->nfct != NULL)
+                return XT_CONTINUE;
+
+        skb->nfct = &nf_ct_untracked_get()->ct_general;
+        skb->nfctinfo = IP_CT_NEW;
+        nf_conntrack_get(skb->nfct);
+
+        return XT_CONTINUE;
+}
+
+static int notrack_chk(const struct xt_tgchk_param *par)
+{
+        if (!par->net->xt.notrack_deprecated_warning) {
+                pr_info("netfilter: NOTRACK target is deprecated, "
+                        "use CT instead or upgrade iptables\n");
+                par->net->xt.notrack_deprecated_warning = true;
+        }
+        return 0;
+}
+
+static struct xt_target notrack_tg_reg __read_mostly = {
+        .name           = "NOTRACK",
+        .revision       = 0,
+        .family         = NFPROTO_UNSPEC,
+        .checkentry     = notrack_chk,
+        .target         = notrack_tg,
+        .table          = "raw",
+        .me             = THIS_MODULE,
+};
+
 static int __init xt_ct_tg_init(void)
 {
-        return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+        int ret;
+
+        ret = xt_register_target(&notrack_tg_reg);
+        if (ret < 0)
+                return ret;
+
+        ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+        if (ret < 0) {
+                xt_unregister_target(&notrack_tg_reg);
+                return ret;
+        }
+        return 0;
 }
 
 static void __exit xt_ct_tg_exit(void)
 {
         xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+        xt_unregister_target(&notrack_tg_reg);
 }
 
 module_init(xt_ct_tg_init);
@@ -394,3 +448,5 @@ MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: connection tracking target");
 MODULE_ALIAS("ipt_CT");
 MODULE_ALIAS("ip6t_CT");
+MODULE_ALIAS("ipt_NOTRACK");
+MODULE_ALIAS("ip6t_NOTRACK");
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 26a668a84aa2..a9d7af953ceb 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -157,11 +157,22 @@ dsthash_find(const struct xt_hashlimit_htable *ht,
 /* allocate dsthash_ent, initialize dst, put in htable and lock it */
 static struct dsthash_ent *
 dsthash_alloc_init(struct xt_hashlimit_htable *ht,
-                   const struct dsthash_dst *dst)
+                   const struct dsthash_dst *dst, bool *race)
 {
         struct dsthash_ent *ent;
 
         spin_lock(&ht->lock);
+
+        /* Two or more packets may race to create the same entry in the
+         * hashtable, double check if this packet lost race.
+         */
+        ent = dsthash_find(ht, dst);
+        if (ent != NULL) {
+                spin_unlock(&ht->lock);
+                *race = true;
+                return ent;
+        }
+
         /* initialize hash with random val at the time we allocate
          * the first hashtable entry */
         if (unlikely(!ht->rnd_initialized)) {
@@ -318,7 +329,10 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo)
                 parent = hashlimit_net->ipt_hashlimit;
         else
                 parent = hashlimit_net->ip6t_hashlimit;
-        remove_proc_entry(hinfo->pde->name, parent);
+
+        if(parent != NULL)
+                remove_proc_entry(hinfo->pde->name, parent);
+
         htable_selective_cleanup(hinfo, select_all);
         vfree(hinfo);
 }
@@ -585,6 +599,7 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
         unsigned long now = jiffies;
         struct dsthash_ent *dh;
         struct dsthash_dst dst;
+        bool race = false;
         u32 cost;
 
         if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
@@ -593,13 +608,18 @@ hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
         rcu_read_lock_bh();
         dh = dsthash_find(hinfo, &dst);
         if (dh == NULL) {
-                dh = dsthash_alloc_init(hinfo, &dst);
+                dh = dsthash_alloc_init(hinfo, &dst, &race);
                 if (dh == NULL) {
                         rcu_read_unlock_bh();
                         goto hotdrop;
+                } else if (race) {
+                        /* Already got an entry, update expiration timeout */
+                        dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+                        rateinfo_recalc(dh, now, hinfo->cfg.mode);
+                } else {
+                        dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
+                        rateinfo_init(dh, hinfo);
                 }
-                dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
-                rateinfo_init(dh, hinfo);
         } else {
                 /* update expiration timeout */
                 dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
@@ -856,6 +876,27 @@ static int __net_init hashlimit_proc_net_init(struct net *net)
 
 static void __net_exit hashlimit_proc_net_exit(struct net *net)
 {
+        struct xt_hashlimit_htable *hinfo;
+        struct hlist_node *pos;
+        struct proc_dir_entry *pde;
+        struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
+
+        /* recent_net_exit() is called before recent_mt_destroy(). Make sure
+         * that the parent xt_recent proc entry is is empty before trying to
+         * remove it.
+         */
+        mutex_lock(&hashlimit_mutex);
+        pde = hashlimit_net->ipt_hashlimit;
+        if (pde == NULL)
+                pde = hashlimit_net->ip6t_hashlimit;
+
+        hlist_for_each_entry(hinfo, pos, &hashlimit_net->htables, node)
+                remove_proc_entry(hinfo->pde->name, pde);
+
+        hashlimit_net->ipt_hashlimit = NULL;
+        hashlimit_net->ip6t_hashlimit = NULL;
+        mutex_unlock(&hashlimit_mutex);
+
         proc_net_remove(net, "ipt_hashlimit");
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
         proc_net_remove(net, "ip6t_hashlimit");
@@ -872,9 +913,6 @@ static int __net_init hashlimit_net_init(struct net *net)
 
 static void __net_exit hashlimit_net_exit(struct net *net)
 {
-        struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
-
-        BUG_ON(!hlist_empty(&hashlimit_net->htables));
         hashlimit_proc_net_exit(net);
 }
 
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 4635c9b00459..978efc9b555a 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -29,6 +29,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 
@@ -310,6 +311,14 @@ out:
         return ret;
 }
 
+static void recent_table_free(void *addr)
+{
+        if (is_vmalloc_addr(addr))
+                vfree(addr);
+        else
+                kfree(addr);
+}
+
 static int recent_mt_check(const struct xt_mtchk_param *par,
                            const struct xt_recent_mtinfo_v1 *info)
 {
@@ -322,6 +331,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
 #endif
         unsigned int i;
         int ret = -EINVAL;
+        size_t sz;
 
         if (unlikely(!hash_rnd_inited)) {
                 get_random_bytes(&hash_rnd, sizeof(hash_rnd));
@@ -360,8 +370,11 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
                 goto out;
         }
 
-        t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
-                    GFP_KERNEL);
+        sz = sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size;
+        if (sz <= PAGE_SIZE)
+                t = kzalloc(sz, GFP_KERNEL);
+        else
+                t = vzalloc(sz);
         if (t == NULL) {
                 ret = -ENOMEM;
                 goto out;
@@ -377,14 +390,14 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
         uid = make_kuid(&init_user_ns, ip_list_uid);
         gid = make_kgid(&init_user_ns, ip_list_gid);
         if (!uid_valid(uid) || !gid_valid(gid)) {
-                kfree(t);
+                recent_table_free(t);
                 ret = -EINVAL;
                 goto out;
         }
         pde = proc_create_data(t->name, ip_list_perms, recent_net->xt_recent,
                   &recent_mt_fops, t);
         if (pde == NULL) {
-                kfree(t);
+                recent_table_free(t);
                 ret = -ENOMEM;
                 goto out;
         }
@@ -431,10 +444,11 @@ static void recent_mt_destroy(const struct xt_mtdtor_param *par)
                 list_del(&t->list);
                 spin_unlock_bh(&recent_lock);
 #ifdef CONFIG_PROC_FS
-                remove_proc_entry(t->name, recent_net->xt_recent);
+                if (recent_net->xt_recent != NULL)
+                        remove_proc_entry(t->name, recent_net->xt_recent);
 #endif
                 recent_table_flush(t);
-                kfree(t);
+                recent_table_free(t);
         }
         mutex_unlock(&recent_mutex);
 }
@@ -615,6 +629,20 @@ static int __net_init recent_proc_net_init(struct net *net)
 
 static void __net_exit recent_proc_net_exit(struct net *net)
 {
+        struct recent_net *recent_net = recent_pernet(net);
+        struct recent_table *t;
+
+        /* recent_net_exit() is called before recent_mt_destroy(). Make sure
+         * that the parent xt_recent proc entry is is empty before trying to
+         * remove it.
+         */
+        spin_lock_bh(&recent_lock);
+        list_for_each_entry(t, &recent_net->tables, list)
+                remove_proc_entry(t->name, recent_net->xt_recent);
+
+        recent_net->xt_recent = NULL;
+        spin_unlock_bh(&recent_lock);
+
         proc_net_remove(net, "xt_recent");
 }
 #else
@@ -638,9 +666,6 @@ static int __net_init recent_net_init(struct net *net)
 
 static void __net_exit recent_net_exit(struct net *net)
 {
-        struct recent_net *recent_net = recent_pernet(net);
-
-        BUG_ON(!list_empty(&recent_net->tables));
         recent_proc_net_exit(net);
 }