112 files changed, 1074 insertions, 669 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 762896ebfcf5..47c908f1f626 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -530,6 +530,23 @@ static const struct header_ops vlan_header_ops = {
         .parse   = eth_header_parse,
 };
 
+static int vlan_passthru_hard_header(struct sk_buff *skb, struct net_device *dev,
+                                     unsigned short type,
+                                     const void *daddr, const void *saddr,
+                                     unsigned int len)
+{
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+        struct net_device *real_dev = vlan->real_dev;
+
+        return dev_hard_header(skb, real_dev, type, daddr, saddr, len);
+}
+
+static const struct header_ops vlan_passthru_header_ops = {
+        .create  = vlan_passthru_hard_header,
+        .rebuild = dev_rebuild_header,
+        .parse   = eth_header_parse,
+};
+
 static struct device_type vlan_type = {
         .name   = "vlan",
 };
@@ -573,7 +590,7 @@ static int vlan_dev_init(struct net_device *dev)
 
         dev->needed_headroom = real_dev->needed_headroom;
         if (real_dev->features & NETIF_F_HW_VLAN_CTAG_TX) {
-                dev->header_ops      = real_dev->header_ops;
+                dev->header_ops      = &vlan_passthru_header_ops;
                 dev->hard_header_len = real_dev->hard_header_len;
         } else {
                 dev->header_ops      = &vlan_header_ops;
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index a2b480a90872..b9c8a6eedf45 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -307,9 +307,9 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
         hard_iface->bat_iv.ogm_buff = ogm_buff;
 
         batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
-        batadv_ogm_packet->header.packet_type = BATADV_IV_OGM;
-        batadv_ogm_packet->header.version = BATADV_COMPAT_VERSION;
-        batadv_ogm_packet->header.ttl = 2;
+        batadv_ogm_packet->packet_type = BATADV_IV_OGM;
+        batadv_ogm_packet->version = BATADV_COMPAT_VERSION;
+        batadv_ogm_packet->ttl = 2;
         batadv_ogm_packet->flags = BATADV_NO_FLAGS;
         batadv_ogm_packet->reserved = 0;
         batadv_ogm_packet->tq = BATADV_TQ_MAX_VALUE;
@@ -346,7 +346,7 @@ batadv_iv_ogm_primary_iface_set(struct batadv_hard_iface *hard_iface)
 
         batadv_ogm_packet = (struct batadv_ogm_packet *)ogm_buff;
         batadv_ogm_packet->flags = BATADV_PRIMARIES_FIRST_HOP;
-        batadv_ogm_packet->header.ttl = BATADV_TTL;
+        batadv_ogm_packet->ttl = BATADV_TTL;
 }
 
 /* when do we schedule our own ogm to be sent */
@@ -435,7 +435,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
                            fwd_str, (packet_num > 0 ? "aggregated " : ""),
                            batadv_ogm_packet->orig,
                            ntohl(batadv_ogm_packet->seqno),
-                           batadv_ogm_packet->tq, batadv_ogm_packet->header.ttl,
+                           batadv_ogm_packet->tq, batadv_ogm_packet->ttl,
                            (batadv_ogm_packet->flags & BATADV_DIRECTLINK ?
                             "on" : "off"),
                            hard_iface->net_dev->name,
@@ -491,7 +491,7 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
         /* multihomed peer assumed
          * non-primary OGMs are only broadcasted on their interface
          */
-        if ((directlink && (batadv_ogm_packet->header.ttl == 1)) ||
+        if ((directlink && (batadv_ogm_packet->ttl == 1)) ||
             (forw_packet->own && (forw_packet->if_incoming != primary_if))) {
                 /* FIXME: what about aggregated packets ? */
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
@@ -499,7 +499,7 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
                            (forw_packet->own ? "Sending own" : "Forwarding"),
                            batadv_ogm_packet->orig,
                            ntohl(batadv_ogm_packet->seqno),
-                           batadv_ogm_packet->header.ttl,
+                           batadv_ogm_packet->ttl,
                            forw_packet->if_incoming->net_dev->name,
                            forw_packet->if_incoming->net_dev->dev_addr);
 
@@ -572,7 +572,7 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet,
                  */
                 if ((!directlink) &&
                     (!(batadv_ogm_packet->flags & BATADV_DIRECTLINK)) &&
-                    (batadv_ogm_packet->header.ttl != 1) &&
+                    (batadv_ogm_packet->ttl != 1) &&
 
                     /* own packets originating non-primary
                      * interfaces leave only that interface
@@ -587,7 +587,7 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet,
                  * interface only - we still can aggregate
                  */
                 if ((directlink) &&
-                    (new_bat_ogm_packet->header.ttl == 1) &&
+                    (new_bat_ogm_packet->ttl == 1) &&
                     (forw_packet->if_incoming == if_incoming) &&
 
                     /* packets from direct neighbors or
@@ -778,7 +778,7 @@ static void batadv_iv_ogm_forward(struct batadv_orig_node *orig_node,
         struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
         uint16_t tvlv_len;
 
-        if (batadv_ogm_packet->header.ttl <= 1) {
+        if (batadv_ogm_packet->ttl <= 1) {
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv, "ttl exceeded\n");
                 return;
         }
@@ -798,7 +798,7 @@ static void batadv_iv_ogm_forward(struct batadv_orig_node *orig_node,
 
         tvlv_len = ntohs(batadv_ogm_packet->tvlv_len);
 
-        batadv_ogm_packet->header.ttl--;
+        batadv_ogm_packet->ttl--;
         memcpy(batadv_ogm_packet->prev_sender, ethhdr->h_source, ETH_ALEN);
 
         /* apply hop penalty */
@@ -807,7 +807,7 @@ static void batadv_iv_ogm_forward(struct batadv_orig_node *orig_node,
 
         batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                    "Forwarding packet: tq: %i, ttl: %i\n",
-                   batadv_ogm_packet->tq, batadv_ogm_packet->header.ttl);
+                   batadv_ogm_packet->tq, batadv_ogm_packet->ttl);
 
         /* switch of primaries first hop flag when forwarding */
         batadv_ogm_packet->flags &= ~BATADV_PRIMARIES_FIRST_HOP;
@@ -972,8 +972,8 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
         spin_unlock_bh(&neigh_node->bat_iv.lq_update_lock);
 
         if (dup_status == BATADV_NO_DUP) {
-                orig_node->last_ttl = batadv_ogm_packet->header.ttl;
-                neigh_node->last_ttl = batadv_ogm_packet->header.ttl;
+                orig_node->last_ttl = batadv_ogm_packet->ttl;
+                neigh_node->last_ttl = batadv_ogm_packet->ttl;
         }
 
         batadv_bonding_candidate_add(bat_priv, orig_node, neigh_node);
@@ -1247,7 +1247,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
          * packet in an aggregation.  Here we expect that the padding
          * is always zero (or not 0x01)
          */
-        if (batadv_ogm_packet->header.packet_type != BATADV_IV_OGM)
+        if (batadv_ogm_packet->packet_type != BATADV_IV_OGM)
                 return;
 
         /* could be changed by schedule_own_packet() */
@@ -1267,8 +1267,8 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
                    if_incoming->net_dev->dev_addr, batadv_ogm_packet->orig,
                    batadv_ogm_packet->prev_sender,
                    ntohl(batadv_ogm_packet->seqno), batadv_ogm_packet->tq,
-                   batadv_ogm_packet->header.ttl,
-                   batadv_ogm_packet->header.version, has_directlink_flag);
+                   batadv_ogm_packet->ttl,
+                   batadv_ogm_packet->version, has_directlink_flag);
 
         rcu_read_lock();
         list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) {
@@ -1433,7 +1433,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
          * seqno and similar ttl as the non-duplicate
          */
         sameseq = orig_node->last_real_seqno == ntohl(batadv_ogm_packet->seqno);
-        similar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->header.ttl;
+        similar_ttl = orig_node->last_ttl - 3 <= batadv_ogm_packet->ttl;
         if (is_bidirect && ((dup_status == BATADV_NO_DUP) ||
                             (sameseq && similar_ttl)))
                 batadv_iv_ogm_orig_update(bat_priv, orig_node, ethhdr,
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 6c8c3934bd7b..b316a4cb6f14 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -349,7 +349,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
 
         unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
 
-        switch (unicast_4addr_packet->u.header.packet_type) {
+        switch (unicast_4addr_packet->u.packet_type) {
         case BATADV_UNICAST:
                 batadv_dbg(BATADV_DBG_DAT, bat_priv,
                            "* encapsulated within a UNICAST packet\n");
@@ -374,7 +374,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
                         break;
                 default:
                         batadv_dbg(BATADV_DBG_DAT, bat_priv, "* type: Unknown (%u)!\n",
-                                   unicast_4addr_packet->u.header.packet_type);
+                                   unicast_4addr_packet->u.packet_type);
                 }
                 break;
         case BATADV_BCAST:
@@ -387,7 +387,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
         default:
                 batadv_dbg(BATADV_DBG_DAT, bat_priv,
                            "* encapsulated within an unknown packet type (0x%x)\n",
-                           unicast_4addr_packet->u.header.packet_type);
+                           unicast_4addr_packet->u.packet_type);
         }
 }
 
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 271d321b3a04..6ddb6145ffb5 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -355,7 +355,7 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
                 batadv_add_counter(bat_priv, BATADV_CNT_FRAG_FWD_BYTES,
                                    skb->len + ETH_HLEN);
 
-                packet->header.ttl--;
+                packet->ttl--;
                 batadv_send_skb_packet(skb, neigh_node->if_incoming,
                                        neigh_node->addr);
                 ret = true;
@@ -444,9 +444,9 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
                 goto out_err;
 
         /* Create one header to be copied to all fragments */
-        frag_header.header.packet_type = BATADV_UNICAST_FRAG;
-        frag_header.header.version = BATADV_COMPAT_VERSION;
-        frag_header.header.ttl = BATADV_TTL;
+        frag_header.packet_type = BATADV_UNICAST_FRAG;
+        frag_header.version = BATADV_COMPAT_VERSION;
+        frag_header.ttl = BATADV_TTL;
         frag_header.seqno = htons(atomic_inc_return(&bat_priv->frag_seqno));
         frag_header.reserved = 0;
         frag_header.no = 0;
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index 29ae4efe3543..130cc3217e2b 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -194,7 +194,7 @@ static ssize_t batadv_socket_write(struct file *file, const char __user *buff,
                 goto free_skb;
         }
 
-        if (icmp_header->header.packet_type != BATADV_ICMP) {
+        if (icmp_header->packet_type != BATADV_ICMP) {
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                            "Error - can't send packet from char device: got bogus packet type (expected: BAT_ICMP)\n");
                 len = -EINVAL;
@@ -243,9 +243,9 @@ static ssize_t batadv_socket_write(struct file *file, const char __user *buff,
 
         icmp_header->uid = socket_client->index;
 
-        if (icmp_header->header.version != BATADV_COMPAT_VERSION) {
+        if (icmp_header->version != BATADV_COMPAT_VERSION) {
                 icmp_header->msg_type = BATADV_PARAMETER_PROBLEM;
-                icmp_header->header.version = BATADV_COMPAT_VERSION;
+                icmp_header->version = BATADV_COMPAT_VERSION;
                 batadv_socket_add_packet(socket_client, icmp_header,
                                          packet_len);
                 goto free_skb;
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index c51a5e568f0a..1511f64a6cea 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -383,17 +383,17 @@ int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 
         batadv_ogm_packet = (struct batadv_ogm_packet *)skb->data;
 
-        if (batadv_ogm_packet->header.version != BATADV_COMPAT_VERSION) {
+        if (batadv_ogm_packet->version != BATADV_COMPAT_VERSION) {
                 batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                            "Drop packet: incompatible batman version (%i)\n",
-                           batadv_ogm_packet->header.version);
+                           batadv_ogm_packet->version);
                 goto err_free;
         }
 
         /* all receive handlers return whether they received or reused
          * the supplied skb. if not, we have to free the skb.
          */
-        idx = batadv_ogm_packet->header.packet_type;
+        idx = batadv_ogm_packet->packet_type;
         ret = (*batadv_rx_handler[idx])(skb, hard_iface);
 
         if (ret == NET_RX_DROP)
@@ -426,8 +426,8 @@ static void batadv_recv_handler_init(void)
         BUILD_BUG_ON(offsetof(struct batadv_unicast_packet, dest) != 4);
         BUILD_BUG_ON(offsetof(struct batadv_unicast_tvlv_packet, dst) != 4);
         BUILD_BUG_ON(offsetof(struct batadv_frag_packet, dest) != 4);
-        BUILD_BUG_ON(offsetof(struct batadv_icmp_packet, icmph.dst) != 4);
-        BUILD_BUG_ON(offsetof(struct batadv_icmp_packet_rr, icmph.dst) != 4);
+        BUILD_BUG_ON(offsetof(struct batadv_icmp_packet, dst) != 4);
+        BUILD_BUG_ON(offsetof(struct batadv_icmp_packet_rr, dst) != 4);
 
         /* broadcast packet */
         batadv_rx_handler[BATADV_BCAST] = batadv_recv_bcast_packet;
@@ -1119,9 +1119,9 @@ void batadv_tvlv_unicast_send(struct batadv_priv *bat_priv, uint8_t *src,
         skb_reserve(skb, ETH_HLEN);
         tvlv_buff = skb_put(skb, sizeof(*unicast_tvlv_packet) + tvlv_len);
         unicast_tvlv_packet = (struct batadv_unicast_tvlv_packet *)tvlv_buff;
-        unicast_tvlv_packet->header.packet_type = BATADV_UNICAST_TVLV;
-        unicast_tvlv_packet->header.version = BATADV_COMPAT_VERSION;
-        unicast_tvlv_packet->header.ttl = BATADV_TTL;
+        unicast_tvlv_packet->packet_type = BATADV_UNICAST_TVLV;
+        unicast_tvlv_packet->version = BATADV_COMPAT_VERSION;
+        unicast_tvlv_packet->ttl = BATADV_TTL;
         unicast_tvlv_packet->reserved = 0;
         unicast_tvlv_packet->tvlv_len = htons(tvlv_len);
         unicast_tvlv_packet->align = 0;
diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
index 351e199bc0af..511d7e1eea38 100644
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -722,7 +722,7 @@ static bool batadv_can_nc_with_orig(struct batadv_priv *bat_priv,
 {
         if (orig_node->last_real_seqno != ntohl(ogm_packet->seqno))
                 return false;
-        if (orig_node->last_ttl != ogm_packet->header.ttl + 1)
+        if (orig_node->last_ttl != ogm_packet->ttl + 1)
                 return false;
         if (!batadv_compare_eth(ogm_packet->orig, ogm_packet->prev_sender))
                 return false;
@@ -1082,9 +1082,9 @@ static bool batadv_nc_code_packets(struct batadv_priv *bat_priv,
         coded_packet = (struct batadv_coded_packet *)skb_dest->data;
         skb_reset_mac_header(skb_dest);
 
-        coded_packet->header.packet_type = BATADV_CODED;
-        coded_packet->header.version = BATADV_COMPAT_VERSION;
-        coded_packet->header.ttl = packet1->header.ttl;
+        coded_packet->packet_type = BATADV_CODED;
+        coded_packet->version = BATADV_COMPAT_VERSION;
+        coded_packet->ttl = packet1->ttl;
 
         /* Info about first unicast packet */
         memcpy(coded_packet->first_source, first_source, ETH_ALEN);
@@ -1097,7 +1097,7 @@ static bool batadv_nc_code_packets(struct batadv_priv *bat_priv,
         memcpy(coded_packet->second_source, second_source, ETH_ALEN);
         memcpy(coded_packet->second_orig_dest, packet2->dest, ETH_ALEN);
         coded_packet->second_crc = packet_id2;
-        coded_packet->second_ttl = packet2->header.ttl;
+        coded_packet->second_ttl = packet2->ttl;
         coded_packet->second_ttvn = packet2->ttvn;
         coded_packet->coded_len = htons(coding_len);
 
@@ -1452,7 +1452,7 @@ bool batadv_nc_skb_forward(struct sk_buff *skb,
         /* We only handle unicast packets */
         payload = skb_network_header(skb);
         packet = (struct batadv_unicast_packet *)payload;
-        if (packet->header.packet_type != BATADV_UNICAST)
+        if (packet->packet_type != BATADV_UNICAST)
                 goto out;
 
         /* Try to find a coding opportunity and send the skb if one is found */
@@ -1505,7 +1505,7 @@ void batadv_nc_skb_store_for_decoding(struct batadv_priv *bat_priv,
         /* Check for supported packet type */
         payload = skb_network_header(skb);
         packet = (struct batadv_unicast_packet *)payload;
-        if (packet->header.packet_type != BATADV_UNICAST)
+        if (packet->packet_type != BATADV_UNICAST)
                 goto out;
 
         /* Find existing nc_path or create a new */
@@ -1623,7 +1623,7 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
                 ttvn = coded_packet_tmp.second_ttvn;
         } else {
                 orig_dest = coded_packet_tmp.first_orig_dest;
-                ttl = coded_packet_tmp.header.ttl;
+                ttl = coded_packet_tmp.ttl;
                 ttvn = coded_packet_tmp.first_ttvn;
         }
 
@@ -1648,9 +1648,9 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
 
         /* Create decoded unicast packet */
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
-        unicast_packet->header.packet_type = BATADV_UNICAST;
-        unicast_packet->header.version = BATADV_COMPAT_VERSION;
-        unicast_packet->header.ttl = ttl;
+        unicast_packet->packet_type = BATADV_UNICAST;
+        unicast_packet->version = BATADV_COMPAT_VERSION;
+        unicast_packet->ttl = ttl;
         memcpy(unicast_packet->dest, orig_dest, ETH_ALEN);
         unicast_packet->ttvn = ttvn;
 
diff --git a/net/batman-adv/packet.h b/net/batman-adv/packet.h
index 207459b62966..2dd8f2422550 100644
--- a/net/batman-adv/packet.h
+++ b/net/batman-adv/packet.h
@@ -155,6 +155,7 @@ enum batadv_tvlv_type {
         BATADV_TVLV_ROAM        = 0x05,
 };
 
+#pragma pack(2)
 /* the destination hardware field in the ARP frame is used to
  * transport the claim type and the group id
  */
@@ -163,24 +164,20 @@ struct batadv_bla_claim_dst {
         uint8_t type;           /* bla_claimframe */
         __be16 group;           /* group id */
 };
-
-struct batadv_header {
-        uint8_t  packet_type;
-        uint8_t  version;  /* batman version field */
-        uint8_t  ttl;
-        /* the parent struct has to add a byte after the header to make
-         * everything 4 bytes aligned again
-         */
-};
+#pragma pack()
 
 /**
  * struct batadv_ogm_packet - ogm (routing protocol) packet
- * @header: common batman packet header
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
  * @flags: contains routing relevant flags - see enum batadv_iv_flags
  * @tvlv_len: length of tvlv data following the ogm header
  */
 struct batadv_ogm_packet {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;
+        uint8_t  ttl;
         uint8_t  flags;
         __be32   seqno;
         uint8_t  orig[ETH_ALEN];
@@ -196,29 +193,51 @@ struct batadv_ogm_packet {
 #define BATADV_OGM_HLEN sizeof(struct batadv_ogm_packet)
 
 /**
- * batadv_icmp_header - common ICMP header
- * @header: common batman header
+ * batadv_icmp_header - common members among all the ICMP packets
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
  * @msg_type: ICMP packet type
  * @dst: address of the destination node
  * @orig: address of the source node
  * @uid: local ICMP socket identifier
+ * @align: not used - useful for alignment purposes only
+ *
+ * This structure is used for ICMP packets parsing only and it is never sent
+ * over the wire. The alignment field at the end is there to ensure that
+ * members are padded the same way as they are in real packets.
  */
 struct batadv_icmp_header {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;
+        uint8_t  ttl;
         uint8_t  msg_type; /* see ICMP message types above */
         uint8_t  dst[ETH_ALEN];
         uint8_t  orig[ETH_ALEN];
         uint8_t  uid;
+        uint8_t  align[3];
 };
 
 /**
  * batadv_icmp_packet - ICMP packet
- * @icmph: common ICMP header
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
+ * @msg_type: ICMP packet type
+ * @dst: address of the destination node
+ * @orig: address of the source node
+ * @uid: local ICMP socket identifier
  * @reserved: not used - useful for alignment
  * @seqno: ICMP sequence number
  */
 struct batadv_icmp_packet {
-        struct batadv_icmp_header icmph;
+        uint8_t  packet_type;
+        uint8_t  version;
+        uint8_t  ttl;
+        uint8_t  msg_type; /* see ICMP message types above */
+        uint8_t  dst[ETH_ALEN];
+        uint8_t  orig[ETH_ALEN];
+        uint8_t  uid;
         uint8_t  reserved;
         __be16   seqno;
 };
@@ -227,13 +246,25 @@ struct batadv_icmp_packet {
 
 /**
  * batadv_icmp_packet_rr - ICMP RouteRecord packet
- * @icmph: common ICMP header
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
+ * @msg_type: ICMP packet type
+ * @dst: address of the destination node
+ * @orig: address of the source node
+ * @uid: local ICMP socket identifier
  * @rr_cur: number of entries the rr array
  * @seqno: ICMP sequence number
  * @rr: route record array
  */
 struct batadv_icmp_packet_rr {
-        struct batadv_icmp_header icmph;
+        uint8_t  packet_type;
+        uint8_t  version;
+        uint8_t  ttl;
+        uint8_t  msg_type; /* see ICMP message types above */
+        uint8_t  dst[ETH_ALEN];
+        uint8_t  orig[ETH_ALEN];
+        uint8_t  uid;
         uint8_t  rr_cur;
         __be16   seqno;
         uint8_t  rr[BATADV_RR_LEN][ETH_ALEN];
@@ -253,8 +284,18 @@ struct batadv_icmp_packet_rr {
  */
 #pragma pack(2)
 
+/**
+ * struct batadv_unicast_packet - unicast packet for network payload
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
+ * @ttvn: translation table version number
+ * @dest: originator destination of the unicast packet
+ */
 struct batadv_unicast_packet {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;
+        uint8_t  ttl;
         uint8_t  ttvn; /* destination translation table version number */
         uint8_t  dest[ETH_ALEN];
         /* "4 bytes boundary + 2 bytes" long to make the payload after the
@@ -280,7 +321,9 @@ struct batadv_unicast_4addr_packet {
 
 /**
  * struct batadv_frag_packet - fragmented packet
- * @header: common batman packet header with type, compatversion, and ttl
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
  * @dest: final destination used when routing fragments
  * @orig: originator of the fragment used when merging the packet
  * @no: fragment number within this sequence
@@ -289,7 +332,9 @@ struct batadv_unicast_4addr_packet {
  * @total_size: size of the merged packet
  */
 struct batadv_frag_packet {
-        struct  batadv_header header;
+        uint8_t packet_type;
+        uint8_t version;  /* batman version field */
+        uint8_t ttl;
 #if defined(__BIG_ENDIAN_BITFIELD)
         uint8_t no:4;
         uint8_t reserved:4;
@@ -305,8 +350,19 @@ struct batadv_frag_packet {
         __be16  total_size;
 };
 
+/**
+ * struct batadv_bcast_packet - broadcast packet for network payload
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
+ * @reserved: reserved byte for alignment
+ * @seqno: sequence identification
+ * @orig: originator of the broadcast packet
+ */
 struct batadv_bcast_packet {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;  /* batman version field */
+        uint8_t  ttl;
         uint8_t  reserved;
         __be32   seqno;
         uint8_t  orig[ETH_ALEN];
@@ -315,11 +371,11 @@ struct batadv_bcast_packet {
          */
 };
 
-#pragma pack()
-
 /**
  * struct batadv_coded_packet - network coded packet
- * @header: common batman packet header and ttl of first included packet
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
  * @reserved: Align following fields to 2-byte boundaries
  * @first_source: original source of first included packet
  * @first_orig_dest: original destinal of first included packet
@@ -334,7 +390,9 @@ struct batadv_bcast_packet {
  * @coded_len: length of network coded part of the payload
  */
 struct batadv_coded_packet {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;  /* batman version field */
+        uint8_t  ttl;
         uint8_t  first_ttvn;
         /* uint8_t  first_dest[ETH_ALEN]; - saved in mac header destination */
         uint8_t  first_source[ETH_ALEN];
@@ -349,9 +407,13 @@ struct batadv_coded_packet {
         __be16   coded_len;
 };
 
+#pragma pack()
+
 /**
  * struct batadv_unicast_tvlv - generic unicast packet with tvlv payload
- * @header: common batman packet header
+ * @packet_type: batman-adv packet type, part of the general header
+ * @version: batman-adv protocol version, part of the genereal header
+ * @ttl: time to live for this packet, part of the genereal header
  * @reserved: reserved field (for packet alignment)
  * @src: address of the source
  * @dst: address of the destination
@@ -359,7 +421,9 @@ struct batadv_coded_packet {
  * @align: 2 bytes to align the header to a 4 byte boundry
  */
 struct batadv_unicast_tvlv_packet {
-        struct batadv_header header;
+        uint8_t  packet_type;
+        uint8_t  version;  /* batman version field */
+        uint8_t  ttl;
         uint8_t  reserved;
         uint8_t  dst[ETH_ALEN];
         uint8_t  src[ETH_ALEN];
@@ -420,13 +484,13 @@ struct batadv_tvlv_tt_vlan_data {
  * struct batadv_tvlv_tt_change - translation table diff data
  * @flags: status indicators concerning the non-mesh client (see
  *  batadv_tt_client_flags)
- * @reserved: reserved field
+ * @reserved: reserved field - useful for alignment purposes only
  * @addr: mac address of non-mesh client that triggered this tt change
  * @vid: VLAN identifier
  */
 struct batadv_tvlv_tt_change {
         uint8_t flags;
-        uint8_t reserved;
+        uint8_t reserved[3];
         uint8_t addr[ETH_ALEN];
         __be16 vid;
 };
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index d4114d775ad6..46278bfb8fdb 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -308,7 +308,7 @@ static int batadv_recv_my_icmp_packet(struct batadv_priv *bat_priv,
                 memcpy(icmph->dst, icmph->orig, ETH_ALEN);
                 memcpy(icmph->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
                 icmph->msg_type = BATADV_ECHO_REPLY;
-                icmph->header.ttl = BATADV_TTL;
+                icmph->ttl = BATADV_TTL;
 
                 res = batadv_send_skb_to_orig(skb, orig_node, NULL);
                 if (res != NET_XMIT_DROP)
@@ -338,9 +338,9 @@ static int batadv_recv_icmp_ttl_exceeded(struct batadv_priv *bat_priv,
         icmp_packet = (struct batadv_icmp_packet *)skb->data;
 
         /* send TTL exceeded if packet is an echo request (traceroute) */
-        if (icmp_packet->icmph.msg_type != BATADV_ECHO_REQUEST) {
+        if (icmp_packet->msg_type != BATADV_ECHO_REQUEST) {
                 pr_debug("Warning - can't forward icmp packet from %pM to %pM: ttl exceeded\n",
-                         icmp_packet->icmph.orig, icmp_packet->icmph.dst);
+                         icmp_packet->orig, icmp_packet->dst);
                 goto out;
         }
 
@@ -349,7 +349,7 @@ static int batadv_recv_icmp_ttl_exceeded(struct batadv_priv *bat_priv,
                 goto out;
 
         /* get routing information */
-        orig_node = batadv_orig_hash_find(bat_priv, icmp_packet->icmph.orig);
+        orig_node = batadv_orig_hash_find(bat_priv, icmp_packet->orig);
         if (!orig_node)
                 goto out;
 
@@ -359,11 +359,11 @@ static int batadv_recv_icmp_ttl_exceeded(struct batadv_priv *bat_priv,
 
         icmp_packet = (struct batadv_icmp_packet *)skb->data;
 
-        memcpy(icmp_packet->icmph.dst, icmp_packet->icmph.orig, ETH_ALEN);
-        memcpy(icmp_packet->icmph.orig, primary_if->net_dev->dev_addr,
+        memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr,
                ETH_ALEN);
-        icmp_packet->icmph.msg_type = BATADV_TTL_EXCEEDED;
-        icmp_packet->icmph.header.ttl = BATADV_TTL;
+        icmp_packet->msg_type = BATADV_TTL_EXCEEDED;
+        icmp_packet->ttl = BATADV_TTL;
 
         if (batadv_send_skb_to_orig(skb, orig_node, NULL) != NET_XMIT_DROP)
                 ret = NET_RX_SUCCESS;
@@ -434,7 +434,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
                 return batadv_recv_my_icmp_packet(bat_priv, skb);
 
         /* TTL exceeded */
-        if (icmph->header.ttl < 2)
+        if (icmph->ttl < 2)
                 return batadv_recv_icmp_ttl_exceeded(bat_priv, skb);
 
         /* get routing information */
@@ -449,7 +449,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
         icmph = (struct batadv_icmp_header *)skb->data;
 
         /* decrement ttl */
-        icmph->header.ttl--;
+        icmph->ttl--;
 
         /* route it */
         if (batadv_send_skb_to_orig(skb, orig_node, recv_if) != NET_XMIT_DROP)
@@ -709,7 +709,7 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
         /* TTL exceeded */
-        if (unicast_packet->header.ttl < 2) {
+        if (unicast_packet->ttl < 2) {
                 pr_debug("Warning - can't forward unicast packet from %pM to %pM: ttl exceeded\n",
                          ethhdr->h_source, unicast_packet->dest);
                 goto out;
@@ -727,9 +727,9 @@ static int batadv_route_unicast_packet(struct sk_buff *skb,
 
         /* decrement ttl */
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
-        unicast_packet->header.ttl--;
+        unicast_packet->ttl--;
 
-        switch (unicast_packet->header.packet_type) {
+        switch (unicast_packet->packet_type) {
         case BATADV_UNICAST_4ADDR:
                 hdr_len = sizeof(struct batadv_unicast_4addr_packet);
                 break;
@@ -970,7 +970,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
         unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
 
-        is4addr = unicast_packet->header.packet_type == BATADV_UNICAST_4ADDR;
+        is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
         /* the caller function should have already pulled 2 bytes */
         if (is4addr)
                 hdr_size = sizeof(*unicast_4addr_packet);
@@ -1160,7 +1160,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
         if (batadv_is_my_mac(bat_priv, bcast_packet->orig))
                 goto out;
 
-        if (bcast_packet->header.ttl < 2)
+        if (bcast_packet->ttl < 2)
                 goto out;
 
         orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig);
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index c83be5ebaa28..fba4dcfcfac2 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -161,11 +161,11 @@ batadv_send_skb_push_fill_unicast(struct sk_buff *skb, int hdr_size,
                 return false;
 
         unicast_packet = (struct batadv_unicast_packet *)skb->data;
-        unicast_packet->header.version = BATADV_COMPAT_VERSION;
+        unicast_packet->version = BATADV_COMPAT_VERSION;
         /* batman packet type: unicast */
-        unicast_packet->header.packet_type = BATADV_UNICAST;
+        unicast_packet->packet_type = BATADV_UNICAST;
         /* set unicast ttl */
-        unicast_packet->header.ttl = BATADV_TTL;
+        unicast_packet->ttl = BATADV_TTL;
         /* copy the destination for faster routing */
         memcpy(unicast_packet->dest, orig_node->orig, ETH_ALEN);
         /* set the destination tt version number */
@@ -221,7 +221,7 @@ bool batadv_send_skb_prepare_unicast_4addr(struct batadv_priv *bat_priv,
                 goto out;
 
         uc_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
-        uc_4addr_packet->u.header.packet_type = BATADV_UNICAST_4ADDR;
+        uc_4addr_packet->u.packet_type = BATADV_UNICAST_4ADDR;
         memcpy(uc_4addr_packet->src, primary_if->net_dev->dev_addr, ETH_ALEN);
         uc_4addr_packet->subtype = packet_subtype;
         uc_4addr_packet->reserved = 0;
@@ -436,7 +436,7 @@ int batadv_add_bcast_packet_to_list(struct batadv_priv *bat_priv,
 
         /* as we have a copy now, it is safe to decrease the TTL */
         bcast_packet = (struct batadv_bcast_packet *)newskb->data;
-        bcast_packet->header.ttl--;
+        bcast_packet->ttl--;
 
         skb_reset_mac_header(newskb);
 
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 36f050876f82..a8f99d1486c0 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -264,11 +264,11 @@ static int batadv_interface_tx(struct sk_buff *skb,
                         goto dropped;
 
                 bcast_packet = (struct batadv_bcast_packet *)skb->data;
-                bcast_packet->header.version = BATADV_COMPAT_VERSION;
-                bcast_packet->header.ttl = BATADV_TTL;
+                bcast_packet->version = BATADV_COMPAT_VERSION;
+                bcast_packet->ttl = BATADV_TTL;
 
                 /* batman packet type: broadcast */
-                bcast_packet->header.packet_type = BATADV_BCAST;
+                bcast_packet->packet_type = BATADV_BCAST;
                 bcast_packet->reserved = 0;
 
                 /* hw address of first interface is the orig mac because only
@@ -328,7 +328,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
                          struct sk_buff *skb, struct batadv_hard_iface *recv_if,
                          int hdr_size, struct batadv_orig_node *orig_node)
 {
-        struct batadv_header *batadv_header = (struct batadv_header *)skb->data;
+        struct batadv_bcast_packet *batadv_bcast_packet;
         struct batadv_priv *bat_priv = netdev_priv(soft_iface);
         __be16 ethertype = htons(ETH_P_BATMAN);
         struct vlan_ethhdr *vhdr;
@@ -336,7 +336,8 @@ void batadv_interface_rx(struct net_device *soft_iface,
         unsigned short vid;
         bool is_bcast;
 
-        is_bcast = (batadv_header->packet_type == BATADV_BCAST);
+        batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data;
+        is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST);
 
         /* check if enough space is available for pulling, and pull */
         if (!pskb_may_pull(skb, hdr_size))
@@ -345,7 +346,12 @@ void batadv_interface_rx(struct net_device *soft_iface,
         skb_pull_rcsum(skb, hdr_size);
         skb_reset_mac_header(skb);
 
-        vid = batadv_get_vid(skb, hdr_size);
+        /* clean the netfilter state now that the batman-adv header has been
+         * removed
+         */
+        nf_reset(skb);
+
+        vid = batadv_get_vid(skb, 0);
         ethhdr = eth_hdr(skb);
 
         switch (ntohs(ethhdr->h_proto)) {
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 4add57d4857f..ff625fedbc5e 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -333,7 +333,8 @@ static void batadv_tt_local_event(struct batadv_priv *bat_priv,
                 return;
 
         tt_change_node->change.flags = flags;
-        tt_change_node->change.reserved = 0;
+        memset(tt_change_node->change.reserved, 0,
+               sizeof(tt_change_node->change.reserved));
         memcpy(tt_change_node->change.addr, common->addr, ETH_ALEN);
         tt_change_node->change.vid = htons(common->vid);
 
@@ -2221,7 +2222,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
                                ETH_ALEN);
                         tt_change->flags = tt_common_entry->flags;
                         tt_change->vid = htons(tt_common_entry->vid);
-                        tt_change->reserved = 0;
+                        memset(tt_change->reserved, 0,
+                               sizeof(tt_change->reserved));
 
                         tt_num_entries++;
                         tt_change++;
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 6a6c8bb4fd72..7552f9e3089c 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -940,8 +940,22 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
         bt_cb(skb)->pkt_type = *((unsigned char *) skb->data);
         skb_pull(skb, 1);
 
-        if (hci_pi(sk)->channel == HCI_CHANNEL_RAW &&
-            bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
+        if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
+                /* No permission check is needed for user channel
+                 * since that gets enforced when binding the socket.
+                 *
+                 * However check that the packet type is valid.
+                 */
+                if (bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
+                    bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
+                    bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
+                        err = -EINVAL;
+                        goto drop;
+                }
+
+                skb_queue_tail(&hdev->raw_q, skb);
+                queue_work(hdev->workqueue, &hdev->tx_work);
+        } else if (bt_cb(skb)->pkt_type == HCI_COMMAND_PKT) {
                 u16 opcode = get_unaligned_le16(skb->data);
                 u16 ogf = hci_opcode_ogf(opcode);
                 u16 ocf = hci_opcode_ocf(opcode);
@@ -972,14 +986,6 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
                         goto drop;
                 }
 
-                if (hci_pi(sk)->channel == HCI_CHANNEL_USER &&
-                    bt_cb(skb)->pkt_type != HCI_COMMAND_PKT &&
-                    bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
-                    bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
-                        err = -EINVAL;
-                        goto drop;
-                }
-
                 skb_queue_tail(&hdev->raw_q, skb);
                 queue_work(hdev->workqueue, &hdev->tx_work);
         }
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 4c214b2b88ef..ef66365b7354 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1998,7 +1998,7 @@ int br_multicast_set_hash_max(struct net_bridge *br, unsigned long val)
         u32 old;
         struct net_bridge_mdb_htable *mdb;
 
-        spin_lock(&br->multicast_lock);
+        spin_lock_bh(&br->multicast_lock);
         if (!netif_running(br->dev))
                 goto unlock;
 
@@ -2030,7 +2030,7 @@ rollback:
         }
 
 unlock:
-        spin_unlock(&br->multicast_lock);
+        spin_unlock_bh(&br->multicast_lock);
 
         return err;
 }
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 229d820bdf0b..045d56eaeca2 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -426,6 +426,16 @@ netdev_features_t br_features_recompute(struct net_bridge *br,
 int br_handle_frame_finish(struct sk_buff *skb);
 rx_handler_result_t br_handle_frame(struct sk_buff **pskb);
 
+static inline bool br_rx_handler_check_rcu(const struct net_device *dev)
+{
+        return rcu_dereference(dev->rx_handler) == br_handle_frame;
+}
+
+static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev)
+{
+        return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL;
+}
+
 /* br_ioctl.c */
 int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
 int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd,
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index 8660ea3be705..bdb459d21ad8 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
         if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
                 goto err;
 
-        p = br_port_get_rcu(dev);
+        p = br_port_get_check_rcu(dev);
         if (!p)
                 goto err;
 
diff --git a/net/core/dev.c b/net/core/dev.c
index ba3b7ea5ebb3..0ce469e5ec80 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2539,7 +2539,7 @@ static inline int skb_needs_linearize(struct sk_buff *skb,
 }
 
 int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
-                        struct netdev_queue *txq, void *accel_priv)
+                        struct netdev_queue *txq)
 {
         const struct net_device_ops *ops = dev->netdev_ops;
         int rc = NETDEV_TX_OK;
@@ -2605,13 +2605,10 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
                         dev_queue_xmit_nit(skb, dev);
 
                 skb_len = skb->len;
-                if (accel_priv)
-                        rc = ops->ndo_dfwd_start_xmit(skb, dev, accel_priv);
-                else
                         rc = ops->ndo_start_xmit(skb, dev);
 
                 trace_net_dev_xmit(skb, rc, dev, skb_len);
-                if (rc == NETDEV_TX_OK && txq)
+                if (rc == NETDEV_TX_OK)
                         txq_trans_update(txq);
                 return rc;
         }
@@ -2627,10 +2624,7 @@ gso:
                         dev_queue_xmit_nit(nskb, dev);
 
                 skb_len = nskb->len;
-                if (accel_priv)
-                        rc = ops->ndo_dfwd_start_xmit(nskb, dev, accel_priv);
-                else
-                        rc = ops->ndo_start_xmit(nskb, dev);
+                rc = ops->ndo_start_xmit(nskb, dev);
                 trace_net_dev_xmit(nskb, rc, dev, skb_len);
                 if (unlikely(rc != NETDEV_TX_OK)) {
                         if (rc & ~NETDEV_TX_MASK)
@@ -2811,7 +2805,7 @@ EXPORT_SYMBOL(dev_loopback_xmit);
  *      the BH enable code must have IRQs enabled so that it will not deadlock.
  *          --BLG
  */
-int dev_queue_xmit(struct sk_buff *skb)
+int __dev_queue_xmit(struct sk_buff *skb, void *accel_priv)
 {
         struct net_device *dev = skb->dev;
         struct netdev_queue *txq;
@@ -2827,7 +2821,7 @@ int dev_queue_xmit(struct sk_buff *skb)
 
         skb_update_prio(skb);
 
-        txq = netdev_pick_tx(dev, skb);
+        txq = netdev_pick_tx(dev, skb, accel_priv);
         q = rcu_dereference_bh(txq->qdisc);
 
 #ifdef CONFIG_NET_CLS_ACT
@@ -2863,7 +2857,7 @@ int dev_queue_xmit(struct sk_buff *skb)
 
                         if (!netif_xmit_stopped(txq)) {
                                 __this_cpu_inc(xmit_recursion);
-                                rc = dev_hard_start_xmit(skb, dev, txq, NULL);
+                                rc = dev_hard_start_xmit(skb, dev, txq);
                                 __this_cpu_dec(xmit_recursion);
                                 if (dev_xmit_complete(rc)) {
                                         HARD_TX_UNLOCK(dev, txq);
@@ -2892,8 +2886,19 @@ out:
         rcu_read_unlock_bh();
         return rc;
 }
+
+int dev_queue_xmit(struct sk_buff *skb)
+{
+        return __dev_queue_xmit(skb, NULL);
+}
 EXPORT_SYMBOL(dev_queue_xmit);
 
+int dev_queue_xmit_accel(struct sk_buff *skb, void *accel_priv)
+{
+        return __dev_queue_xmit(skb, accel_priv);
+}
+EXPORT_SYMBOL(dev_queue_xmit_accel);
+
 
 /*=======================================================================
                         Receiver routines
@@ -4500,7 +4505,7 @@ struct net_device *netdev_all_upper_get_next_dev_rcu(struct net_device *dev,
 {
         struct netdev_adjacent *upper;
 
-        WARN_ON_ONCE(!rcu_read_lock_held());
+        WARN_ON_ONCE(!rcu_read_lock_held() && !lockdep_rtnl_is_held());
 
         upper = list_entry_rcu((*iter)->next, struct netdev_adjacent, list);
 
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 95897183226e..e70301eb7a4a 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -64,7 +64,6 @@ static struct genl_family net_drop_monitor_family = {
         .hdrsize        = 0,
         .name           = "NET_DM",
         .version        = 2,
-        .maxattr        = NET_DM_CMD_MAX,
 };
 
 static DEFINE_PER_CPU(struct per_cpu_dm_data, dm_cpu_data);
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index d6ef17322500..2fc5beaf5783 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -395,17 +395,21 @@ u16 __netdev_pick_tx(struct net_device *dev, struct sk_buff *skb)
 EXPORT_SYMBOL(__netdev_pick_tx);
 
 struct netdev_queue *netdev_pick_tx(struct net_device *dev,
-                                    struct sk_buff *skb)
+                                    struct sk_buff *skb,
+                                    void *accel_priv)
 {
         int queue_index = 0;
 
         if (dev->real_num_tx_queues != 1) {
                 const struct net_device_ops *ops = dev->netdev_ops;
                 if (ops->ndo_select_queue)
-                        queue_index = ops->ndo_select_queue(dev, skb);
+                        queue_index = ops->ndo_select_queue(dev, skb,
+                                                            accel_priv);
                 else
                         queue_index = __netdev_pick_tx(dev, skb);
-                queue_index = dev_cap_txqueue(dev, queue_index);
+
+                if (!accel_priv)
+                        queue_index = dev_cap_txqueue(dev, queue_index);
         }
 
         skb_set_queue_mapping(skb, queue_index);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index ca15f32821fb..932c6d7cf666 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1161,6 +1161,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                                                  neigh->parms->reachable_time :
                                                  0)));
                 neigh->nud_state = new;
+                notify = 1;
         }
 
         if (lladdr != neigh->ha) {
@@ -1274,7 +1275,7 @@ int neigh_compat_output(struct neighbour *neigh, struct sk_buff *skb)
 
         if (dev_hard_header(skb, dev, ntohs(skb->protocol), NULL, NULL,
                             skb->len) < 0 &&
-            dev->header_ops->rebuild(skb))
+            dev_rebuild_header(skb))
                 return 0;
 
         return dev_queue_xmit(skb);
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 8f971990677c..19fe9c717ced 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -375,7 +375,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
         if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) {
                 struct netdev_queue *txq;
 
-                txq = netdev_pick_tx(dev, skb);
+                txq = netdev_pick_tx(dev, skb, NULL);
 
                 /* try until next clock tick */
                 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL;
@@ -386,8 +386,14 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                                             !vlan_hw_offload_capable(netif_skb_features(skb),
                                                                      skb->vlan_proto)) {
                                                 skb = __vlan_put_tag(skb, skb->vlan_proto, vlan_tx_tag_get(skb));
-                                                if (unlikely(!skb))
-                                                        break;
+                                                if (unlikely(!skb)) {
+                                                        /* This is actually a packet drop, but we
+                                                         * don't want the code at the end of this
+                                                         * function to try and re-queue a NULL skb.
+                                                         */
+                                                        status = NETDEV_TX_OK;
+                                                        goto unlock_txq;
+                                                }
                                                 skb->vlan_tci = 0;
                                         }
 
@@ -395,6 +401,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                                         if (status == NETDEV_TX_OK)
                                                 txq_trans_update(txq);
                                 }
+                        unlock_txq:
                                 __netif_tx_unlock(txq);
 
                                 if (status == NETDEV_TX_OK)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 2718fed53d8c..06e72d3cdf60 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3584,6 +3584,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
         skb->tstamp.tv64 = 0;
         skb->pkt_type = PACKET_HOST;
         skb->skb_iif = 0;
+        skb->local_df = 0;
         skb_dst_drop(skb);
         skb->mark = 0;
         secpath_reset(skb);
diff --git a/net/core/sock.c b/net/core/sock.c
index ab20ed9b0f31..5393b4b719d7 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -882,7 +882,7 @@ set_rcvbuf:
 
         case SO_PEEK_OFF:
                 if (sock->ops->set_peek_off)
-                        sock->ops->set_peek_off(sk, val);
+                        ret = sock->ops->set_peek_off(sk, val);
                 else
                         ret = -EOPNOTSUPP;
                 break;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 4ac71ff7c2e4..2b90a786e475 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -851,7 +851,6 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
                         flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                         if (flowlabel == NULL)
                                 return -EINVAL;
-                        usin->sin6_addr = flowlabel->dst;
                         fl6_sock_release(flowlabel);
                 }
         }
diff --git a/net/dccp/probe.c b/net/dccp/probe.c
index 4c6bdf97a657..595ddf0459db 100644
--- a/net/dccp/probe.c
+++ b/net/dccp/probe.c
@@ -152,17 +152,6 @@ static const struct file_operations dccpprobe_fops = {
         .llseek  = noop_llseek,
 };
 
-static __init int setup_jprobe(void)
-{
-        int ret = register_jprobe(&dccp_send_probe);
-
-        if (ret) {
-                request_module("dccp");
-                ret = register_jprobe(&dccp_send_probe);
-        }
-        return ret;
-}
-
 static __init int dccpprobe_init(void)
 {
         int ret = -ENOMEM;
@@ -174,7 +163,13 @@ static __init int dccpprobe_init(void)
         if (!proc_create(procname, S_IRUSR, init_net.proc_net, &dccpprobe_fops))
                 goto err0;
 
-        ret = setup_jprobe();
+        ret = register_jprobe(&dccp_send_probe);
+        if (ret) {
+                ret = request_module("dccp");
+                if (!ret)
+                        ret = register_jprobe(&dccp_send_probe);
+        }
+
         if (ret)
                 goto err1;
 
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 459e200c08a4..a2d2456a557a 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -547,7 +547,7 @@ static int lowpan_header_create(struct sk_buff *skb,
                         hc06_ptr += 3;
                 } else {
                         /* compress nothing */
-                        memcpy(hc06_ptr, &hdr, 4);
+                        memcpy(hc06_ptr, hdr, 4);
                         /* replace the top byte with new ECN | DSCP format */
                         *hc06_ptr = tmp;
                         hc06_ptr += 4;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 523be38e37de..f2e15738534d 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -104,7 +104,10 @@ errout:
 static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
 {
         struct fib_result *result = (struct fib_result *) arg->result;
-        struct net_device *dev = result->fi->fib_dev;
+        struct net_device *dev = NULL;
+
+        if (result->fi)
+                dev = result->fi->fib_dev;
 
         /* do not accept result if the route does
          * not meet the required prefix length
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index e5d436188464..2cd02f32f99f 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -28,6 +28,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
         netdev_features_t enc_features;
         int ghl = GRE_HEADER_SECTION;
         struct gre_base_hdr *greh;
+        u16 mac_offset = skb->mac_header;
         int mac_len = skb->mac_len;
         __be16 protocol = skb->protocol;
         int tnl_hlen;
@@ -58,13 +59,13 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
         } else
                 csum = false;
 
+        if (unlikely(!pskb_may_pull(skb, ghl)))
+                goto out;
+
         /* setup inner skb. */
         skb->protocol = greh->protocol;
         skb->encapsulation = 0;
 
-        if (unlikely(!pskb_may_pull(skb, ghl)))
-                goto out;
-
         __skb_pull(skb, ghl);
         skb_reset_mac_header(skb);
         skb_set_network_header(skb, skb_inner_network_offset(skb));
@@ -73,8 +74,10 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
         /* segment inner packet. */
         enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
         segs = skb_mac_gso_segment(skb, enc_features);
-        if (!segs || IS_ERR(segs))
+        if (!segs || IS_ERR(segs)) {
+                skb_gso_error_unwind(skb, protocol, ghl, mac_offset, mac_len);
                 goto out;
+        }
 
         skb = segs;
         tnl_hlen = skb_tnl_header_len(skb);
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 56a964a553d2..a0f52dac8940 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -106,6 +106,10 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
 
         r->id.idiag_sport = inet->inet_sport;
         r->id.idiag_dport = inet->inet_dport;
+
+        memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
+        memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
+
         r->id.idiag_src[0] = inet->inet_rcv_saddr;
         r->id.idiag_dst[0] = inet->inet_daddr;
 
@@ -240,12 +244,19 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
 
         r->idiag_family       = tw->tw_family;
         r->idiag_retrans      = 0;
+
         r->id.idiag_if        = tw->tw_bound_dev_if;
         sock_diag_save_cookie(tw, r->id.idiag_cookie);
+
         r->id.idiag_sport     = tw->tw_sport;
         r->id.idiag_dport     = tw->tw_dport;
+
+        memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
+        memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
+
         r->id.idiag_src[0]    = tw->tw_rcv_saddr;
         r->id.idiag_dst[0]    = tw->tw_daddr;
+
         r->idiag_state        = tw->tw_substate;
         r->idiag_timer        = 3;
         r->idiag_expires      = jiffies_to_msecs(tmo);
@@ -726,8 +737,13 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
 
         r->id.idiag_sport = inet->inet_sport;
         r->id.idiag_dport = ireq->ir_rmt_port;
+
+        memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
+        memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
+
         r->id.idiag_src[0] = ireq->ir_loc_addr;
         r->id.idiag_dst[0] = ireq->ir_rmt_addr;
+
         r->idiag_expires = jiffies_to_msecs(tmo);
         r->idiag_rqueue = 0;
         r->idiag_wqueue = 0;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d7aea4c5b940..e560ef34cf4b 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -217,6 +217,7 @@ static int ipgre_rcv(struct sk_buff *skb, const struct tnl_ptk_info *tpi)
                                   iph->saddr, iph->daddr, tpi->key);
 
         if (tunnel) {
+                skb_pop_mac_header(skb);
                 ip_tunnel_rcv(tunnel, skb, tpi, log_ecn_error);
                 return PACKET_RCVD;
         }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 912402752f2f..df184616493f 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -828,7 +828,7 @@ static int __ip_append_data(struct sock *sk,
 
         if (cork->length + length > maxnonfragsize - fragheaderlen) {
                 ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
-                               mtu-exthdrlen);
+                               mtu - (opt ? opt->optlen : 0));
                 return -EMSGSIZE;
         }
 
@@ -1151,7 +1151,8 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
                          mtu : 0xFFFF;
 
         if (cork->length + size > maxnonfragsize - fragheaderlen) {
-                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport, mtu);
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
+                               mtu - (opt ? opt->optlen : 0));
                 return -EMSGSIZE;
         }
 
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f13bd91d9a56..a313c3fbeb46 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -423,6 +423,7 @@ static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target synproxy_tg4_reg __read_mostly = {
         .name           = "SYNPROXY",
         .family         = NFPROTO_IPV4,
+        .hooks          = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
         .target         = synproxy_tg4,
         .targetsize     = sizeof(struct xt_synproxy_info),
         .checkentry     = synproxy_tg4_check,
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index fff5ba1a33b7..4a5e94ac314a 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -72,7 +72,7 @@ static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
         const struct nft_reject *priv = nft_expr_priv(expr);
 
-        if (nla_put_be32(skb, NFTA_REJECT_TYPE, priv->type))
+        if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
                 goto nla_put_failure;
 
         switch (priv->type) {
diff --git a/net/ipv4/tcp_memcontrol.c b/net/ipv4/tcp_memcontrol.c
index 269a89ecd2f4..f7e522c558ba 100644
--- a/net/ipv4/tcp_memcontrol.c
+++ b/net/ipv4/tcp_memcontrol.c
@@ -6,13 +6,6 @@
 #include <linux/memcontrol.h>
 #include <linux/module.h>
 
-static void memcg_tcp_enter_memory_pressure(struct sock *sk)
-{
-        if (sk->sk_cgrp->memory_pressure)
-                sk->sk_cgrp->memory_pressure = 1;
-}
-EXPORT_SYMBOL(memcg_tcp_enter_memory_pressure);
-
 int tcp_init_cgroup(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
 {
         /*
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 44f6a20fa29d..a7e4729e974b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -560,15 +560,11 @@ static inline struct sock *__udp4_lib_lookup_skb(struct sk_buff *skb,
                                                  __be16 sport, __be16 dport,
                                                  struct udp_table *udptable)
 {
-        struct sock *sk;
         const struct iphdr *iph = ip_hdr(skb);
 
-        if (unlikely(sk = skb_steal_sock(skb)))
-                return sk;
-        else
-                return __udp4_lib_lookup(dev_net(skb_dst(skb)->dev), iph->saddr, sport,
-                                         iph->daddr, dport, inet_iif(skb),
-                                         udptable);
+        return __udp4_lib_lookup(dev_net(skb_dst(skb)->dev), iph->saddr, sport,
+                                 iph->daddr, dport, inet_iif(skb),
+                                 udptable);
 }
 
 struct sock *udp4_lib_lookup(struct net *net, __be32 saddr, __be16 sport,
@@ -1603,12 +1599,16 @@ static void flush_stack(struct sock **stack, unsigned int count,
                 kfree_skb(skb1);
 }
 
-static void udp_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+/* For TCP sockets, sk_rx_dst is protected by socket lock
+ * For UDP, we use xchg() to guard against concurrent changes.
+ */
+static void udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
 {
-        struct dst_entry *dst = skb_dst(skb);
+        struct dst_entry *old;
 
         dst_hold(dst);
-        sk->sk_rx_dst = dst;
+        old = xchg(&sk->sk_rx_dst, dst);
+        dst_release(old);
 }
 
 /*
@@ -1739,15 +1739,16 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
         if (udp4_csum_init(skb, uh, proto))
                 goto csum_error;
 
-        if (skb->sk) {
+        sk = skb_steal_sock(skb);
+        if (sk) {
+                struct dst_entry *dst = skb_dst(skb);
                 int ret;
-                sk = skb->sk;
 
-                if (unlikely(sk->sk_rx_dst == NULL))
-                        udp_sk_rx_dst_set(sk, skb);
+                if (unlikely(sk->sk_rx_dst != dst))
+                        udp_sk_rx_dst_set(sk, dst);
 
                 ret = udp_queue_rcv_skb(sk, skb);
-
+                sock_put(sk);
                 /* a return value > 0 means to resubmit the input, but
                  * it wants the return to be -protocol, or 0
                  */
@@ -1913,17 +1914,20 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
 
 void udp_v4_early_demux(struct sk_buff *skb)
 {
-        const struct iphdr *iph = ip_hdr(skb);
-        const struct udphdr *uh = udp_hdr(skb);
+        struct net *net = dev_net(skb->dev);
+        const struct iphdr *iph;
+        const struct udphdr *uh;
         struct sock *sk;
         struct dst_entry *dst;
-        struct net *net = dev_net(skb->dev);
         int dif = skb->dev->ifindex;
 
         /* validate the packet */
         if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct udphdr)))
                 return;
 
+        iph = ip_hdr(skb);
+        uh = udp_hdr(skb);
+
         if (skb->pkt_type == PACKET_BROADCAST ||
             skb->pkt_type == PACKET_MULTICAST)
                 sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
@@ -2474,6 +2478,7 @@ struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb,
                                        netdev_features_t features)
 {
         struct sk_buff *segs = ERR_PTR(-EINVAL);
+        u16 mac_offset = skb->mac_header;
         int mac_len = skb->mac_len;
         int tnl_hlen = skb_inner_mac_header(skb) - skb_transport_header(skb);
         __be16 protocol = skb->protocol;
@@ -2493,8 +2498,11 @@ struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb,
         /* segment inner packet. */
         enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
         segs = skb_mac_gso_segment(skb, enc_features);
-        if (!segs || IS_ERR(segs))
+        if (!segs || IS_ERR(segs)) {
+                skb_gso_error_unwind(skb, protocol, tnl_hlen, mac_offset,
+                                     mac_len);
                 goto out;
+        }
 
         outer_hlen = skb_tnl_header_len(skb);
         skb = segs;
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 83206de2bc76..79c62bdcd3c5 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -41,6 +41,14 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
 {
         struct sk_buff *segs = ERR_PTR(-EINVAL);
         unsigned int mss;
+        int offset;
+        __wsum csum;
+
+        if (skb->encapsulation &&
+            skb_shinfo(skb)->gso_type & SKB_GSO_UDP_TUNNEL) {
+                segs = skb_udp_tunnel_segment(skb, features);
+                goto out;
+        }
 
         mss = skb_shinfo(skb)->gso_size;
         if (unlikely(skb->len <= mss))
@@ -63,27 +71,20 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
                 goto out;
         }
 
+        /* Do software UFO. Complete and fill in the UDP checksum as
+         * HW cannot do checksum of UDP packets sent as multiple
+         * IP fragments.
+         */
+        offset = skb_checksum_start_offset(skb);
+        csum = skb_checksum(skb, offset, skb->len - offset, 0);
+        offset += skb->csum_offset;
+        *(__sum16 *)(skb->data + offset) = csum_fold(csum);
+        skb->ip_summed = CHECKSUM_NONE;
+
         /* Fragment the skb. IP headers of the fragments are updated in
          * inet_gso_segment()
          */
-        if (skb->encapsulation && skb_shinfo(skb)->gso_type & SKB_GSO_UDP_TUNNEL)
-                segs = skb_udp_tunnel_segment(skb, features);
-        else {
-                int offset;
-                __wsum csum;
-
-                /* Do software UFO. Complete and fill in the UDP checksum as
-                 * HW cannot do checksum of UDP packets sent as multiple
-                 * IP fragments.
-                 */
-                offset = skb_checksum_start_offset(skb);
-                csum = skb_checksum(skb, offset, skb->len - offset, 0);
-                offset += skb->csum_offset;
-                *(__sum16 *)(skb->data + offset) = csum_fold(csum);
-                skb->ip_summed = CHECKSUM_NONE;
-
-                segs = skb_segment(skb, features);
-        }
+        segs = skb_segment(skb, features);
 out:
         return segs;
 }
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 12c97d8aa6bb..abe46a4228ce 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1671,7 +1671,7 @@ void addrconf_leave_solict(struct inet6_dev *idev, const struct in6_addr *addr)
 static void addrconf_join_anycast(struct inet6_ifaddr *ifp)
 {
         struct in6_addr addr;
-        if (ifp->prefix_len == 127) /* RFC 6164 */
+        if (ifp->prefix_len >= 127) /* RFC 6164 */
                 return;
         ipv6_addr_prefix(&addr, &ifp->addr, ifp->prefix_len);
         if (ipv6_addr_any(&addr))
@@ -1682,7 +1682,7 @@ static void addrconf_join_anycast(struct inet6_ifaddr *ifp)
 static void addrconf_leave_anycast(struct inet6_ifaddr *ifp)
 {
         struct in6_addr addr;
-        if (ifp->prefix_len == 127) /* RFC 6164 */
+        if (ifp->prefix_len >= 127) /* RFC 6164 */
                 return;
         ipv6_addr_prefix(&addr, &ifp->addr, ifp->prefix_len);
         if (ipv6_addr_any(&addr))
@@ -2509,7 +2509,8 @@ static void add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
         struct inet6_ifaddr *ifp;
 
         ifp = ipv6_add_addr(idev, addr, NULL, plen,
-                            scope, IFA_F_PERMANENT, 0, 0);
+                            scope, IFA_F_PERMANENT,
+                            INFINITY_LIFE_TIME, INFINITY_LIFE_TIME);
         if (!IS_ERR(ifp)) {
                 spin_lock_bh(&ifp->lock);
                 ifp->flags &= ~IFA_F_TENTATIVE;
@@ -2613,7 +2614,7 @@ static void init_loopback(struct net_device *dev)
                         if (sp_ifa->rt)
                                 continue;
 
-                        sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, 0);
+                        sp_rt = addrconf_dst_alloc(idev, &sp_ifa->addr, false);
 
                         /* Failure cases are ignored */
                         if (!IS_ERR(sp_rt)) {
@@ -2637,7 +2638,8 @@ static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr
 #endif
 
 
-        ifp = ipv6_add_addr(idev, addr, NULL, 64, IFA_LINK, addr_flags, 0, 0);
+        ifp = ipv6_add_addr(idev, addr, NULL, 64, IFA_LINK, addr_flags,
+                            INFINITY_LIFE_TIME, INFINITY_LIFE_TIME);
         if (!IS_ERR(ifp)) {
                 addrconf_prefix_route(&ifp->addr, ifp->prefix_len, idev->dev, 0, 0);
                 addrconf_dad_start(ifp);
@@ -3456,7 +3458,12 @@ restart:
                                          &inet6_addr_lst[i], addr_lst) {
                         unsigned long age;
 
-                        if (ifp->flags & IFA_F_PERMANENT)
+                        /* When setting preferred_lft to a value not zero or
+                         * infinity, while valid_lft is infinity
+                         * IFA_F_PERMANENT has a non-infinity life time.
+                         */
+                        if ((ifp->flags & IFA_F_PERMANENT) &&
+                            (ifp->prefered_lft == INFINITY_LIFE_TIME))
                                 continue;
 
                         spin_lock(&ifp->lock);
@@ -3481,7 +3488,8 @@ restart:
                                         ifp->flags |= IFA_F_DEPRECATED;
                                 }
 
-                                if (time_before(ifp->tstamp + ifp->valid_lft * HZ, next))
+                                if ((ifp->valid_lft != INFINITY_LIFE_TIME) &&
+                                    (time_before(ifp->tstamp + ifp->valid_lft * HZ, next)))
                                         next = ifp->tstamp + ifp->valid_lft * HZ;
 
                                 spin_unlock(&ifp->lock);
@@ -3761,7 +3769,8 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa,
         put_ifaddrmsg(nlh, ifa->prefix_len, ifa->flags, rt_scope(ifa->scope),
                       ifa->idev->dev->ifindex);
 
-        if (!(ifa->flags&IFA_F_PERMANENT)) {
+        if (!((ifa->flags&IFA_F_PERMANENT) &&
+              (ifa->prefered_lft == INFINITY_LIFE_TIME))) {
                 preferred = ifa->prefered_lft;
                 valid = ifa->valid_lft;
                 if (preferred != INFINITY_LIFE_TIME) {
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 8dfe1f4d3c1a..93b1aa34c432 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -73,7 +73,6 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                         flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                         if (flowlabel == NULL)
                                 return -EINVAL;
-                        usin->sin6_addr = flowlabel->dst;
                 }
         }
 
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index e27591635f92..3fd0a578329e 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -122,7 +122,11 @@ out:
 static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
 {
         struct rt6_info *rt = (struct rt6_info *) arg->result;
-        struct net_device *dev = rt->rt6i_idev->dev;
+        struct net_device *dev = NULL;
+
+        if (rt->rt6i_idev)
+                dev = rt->rt6i_idev->dev;
+
         /* do not accept result if the route does
          * not meet the required prefix length
          */
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4acdb63495db..e6f931997996 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1193,11 +1193,35 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
 
         fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
                         (opt ? opt->opt_nflen : 0);
-        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
+        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
+                     sizeof(struct frag_hdr);
 
         if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
-                if (cork->length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
-                        ipv6_local_error(sk, EMSGSIZE, fl6, mtu-exthdrlen);
+                unsigned int maxnonfragsize, headersize;
+
+                headersize = sizeof(struct ipv6hdr) +
+                             (opt ? opt->tot_len : 0) +
+                             (dst_allfrag(&rt->dst) ?
+                              sizeof(struct frag_hdr) : 0) +
+                             rt->rt6i_nfheader_len;
+
+                maxnonfragsize = (np->pmtudisc >= IPV6_PMTUDISC_DO) ?
+                                 mtu : sizeof(struct ipv6hdr) + IPV6_MAXPLEN;
+
+                /* dontfrag active */
+                if ((cork->length + length > mtu - headersize) && dontfrag &&
+                    (sk->sk_protocol == IPPROTO_UDP ||
+                     sk->sk_protocol == IPPROTO_RAW)) {
+                        ipv6_local_rxpmtu(sk, fl6, mtu - headersize +
+                                                   sizeof(struct ipv6hdr));
+                        goto emsgsize;
+                }
+
+                if (cork->length + length > maxnonfragsize - headersize) {
+emsgsize:
+                        ipv6_local_error(sk, EMSGSIZE, fl6,
+                                         mtu - headersize +
+                                         sizeof(struct ipv6hdr));
                         return -EMSGSIZE;
                 }
         }
@@ -1222,12 +1246,6 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
          * --yoshfuji
          */
 
-        if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP ||
-                                           sk->sk_protocol == IPPROTO_RAW)) {
-                ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
-                return -EMSGSIZE;
-        }
-
         skb = skb_peek_tail(&sk->sk_write_queue);
         cork->length += length;
         if (((length > mtu) ||
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index d6062325db08..7881965a8248 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -103,16 +103,25 @@ struct ip6_tnl_net {
 
 static struct net_device_stats *ip6_get_stats(struct net_device *dev)
 {
-        struct pcpu_tstats sum = { 0 };
+        struct pcpu_tstats tmp, sum = { 0 };
         int i;
 
         for_each_possible_cpu(i) {
+                unsigned int start;
                 const struct pcpu_tstats *tstats = per_cpu_ptr(dev->tstats, i);
 
-                sum.rx_packets += tstats->rx_packets;
-                sum.rx_bytes   += tstats->rx_bytes;
-                sum.tx_packets += tstats->tx_packets;
-                sum.tx_bytes   += tstats->tx_bytes;
+                do {
+                        start = u64_stats_fetch_begin_bh(&tstats->syncp);
+                        tmp.rx_packets = tstats->rx_packets;
+                        tmp.rx_bytes = tstats->rx_bytes;
+                        tmp.tx_packets = tstats->tx_packets;
+                        tmp.tx_bytes =  tstats->tx_bytes;
+                } while (u64_stats_fetch_retry_bh(&tstats->syncp, start));
+
+                sum.rx_packets += tmp.rx_packets;
+                sum.rx_bytes   += tmp.rx_bytes;
+                sum.tx_packets += tmp.tx_packets;
+                sum.tx_bytes   += tmp.tx_bytes;
         }
         dev->stats.rx_packets = sum.rx_packets;
         dev->stats.rx_bytes   = sum.rx_bytes;
@@ -824,8 +833,10 @@ static int ip6_tnl_rcv(struct sk_buff *skb, __u16 protocol,
                 }
 
                 tstats = this_cpu_ptr(t->dev->tstats);
+                u64_stats_update_begin(&tstats->syncp);
                 tstats->rx_packets++;
                 tstats->rx_bytes += skb->len;
+                u64_stats_update_end(&tstats->syncp);
 
                 netif_rx(skb);
 
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index ed94ba61dda0..7b42d5ef868d 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -75,26 +75,6 @@ struct vti6_net {
         struct ip6_tnl __rcu **tnls[2];
 };
 
-static struct net_device_stats *vti6_get_stats(struct net_device *dev)
-{
-        struct pcpu_tstats sum = { 0 };
-        int i;
-
-        for_each_possible_cpu(i) {
-                const struct pcpu_tstats *tstats = per_cpu_ptr(dev->tstats, i);
-
-                sum.rx_packets += tstats->rx_packets;
-                sum.rx_bytes   += tstats->rx_bytes;
-                sum.tx_packets += tstats->tx_packets;
-                sum.tx_bytes   += tstats->tx_bytes;
-        }
-        dev->stats.rx_packets = sum.rx_packets;
-        dev->stats.rx_bytes   = sum.rx_bytes;
-        dev->stats.tx_packets = sum.tx_packets;
-        dev->stats.tx_bytes   = sum.tx_bytes;
-        return &dev->stats;
-}
-
 #define for_each_vti6_tunnel_rcu(start) \
         for (t = rcu_dereference(start); t; t = rcu_dereference(t->next))
 
@@ -331,8 +311,10 @@ static int vti6_rcv(struct sk_buff *skb)
                 }
 
                 tstats = this_cpu_ptr(t->dev->tstats);
+                u64_stats_update_begin(&tstats->syncp);
                 tstats->rx_packets++;
                 tstats->rx_bytes += skb->len;
+                u64_stats_update_end(&tstats->syncp);
 
                 skb->mark = 0;
                 secpath_reset(skb);
@@ -716,7 +698,7 @@ static const struct net_device_ops vti6_netdev_ops = {
         .ndo_start_xmit = vti6_tnl_xmit,
         .ndo_do_ioctl   = vti6_ioctl,
         .ndo_change_mtu = vti6_change_mtu,
-        .ndo_get_stats  = vti6_get_stats,
+        .ndo_get_stats64 = ip_tunnel_get_stats64,
 };
 
 /**
@@ -750,12 +732,18 @@ static void vti6_dev_setup(struct net_device *dev)
 static inline int vti6_dev_init_gen(struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
+        int i;
 
         t->dev = dev;
         t->net = dev_net(dev);
         dev->tstats = alloc_percpu(struct pcpu_tstats);
         if (!dev->tstats)
                 return -ENOMEM;
+        for_each_possible_cpu(i) {
+                struct pcpu_tstats *stats;
+                stats = per_cpu_ptr(dev->tstats, i);
+                u64_stats_init(&stats->syncp);
+        }
         return 0;
 }
 
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 3512177deb4d..300865171394 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1277,6 +1277,9 @@ skip_linkparms:
                             ri->prefix_len == 0)
                                 continue;
 #endif
+                        if (ri->prefix_len == 0 &&
+                            !in6_dev->cnf.accept_ra_defrtr)
+                                continue;
                         if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
                                 continue;
                         rt6_route_rcv(skb->dev, (u8*)p, (p->nd_opt_len) << 3,
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index f78f41aca8e9..a0d17270117c 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -446,6 +446,7 @@ static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target synproxy_tg6_reg __read_mostly = {
         .name           = "SYNPROXY",
         .family         = NFPROTO_IPV6,
+        .hooks          = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
         .target         = synproxy_tg6,
         .targetsize     = sizeof(struct xt_synproxy_info),
         .checkentry     = synproxy_tg6_check,
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 7fb4e14c467f..b6bb87e55805 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -792,7 +792,6 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                                 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                                 if (flowlabel == NULL)
                                         return -EINVAL;
-                                daddr = &flowlabel->dst;
                         }
                 }
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 7faa9d5e1503..4b4944c3e4c4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -84,6 +84,8 @@ static int		 ip6_dst_gc(struct dst_ops *ops);
 
 static int              ip6_pkt_discard(struct sk_buff *skb);
 static int              ip6_pkt_discard_out(struct sk_buff *skb);
+static int              ip6_pkt_prohibit(struct sk_buff *skb);
+static int              ip6_pkt_prohibit_out(struct sk_buff *skb);
 static void             ip6_link_failure(struct sk_buff *skb);
 static void             ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
                                            struct sk_buff *skb, u32 mtu);
@@ -234,9 +236,6 @@ static const struct rt6_info ip6_null_entry_template = {
 
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
 
-static int ip6_pkt_prohibit(struct sk_buff *skb);
-static int ip6_pkt_prohibit_out(struct sk_buff *skb);
-
 static const struct rt6_info ip6_prohibit_entry_template = {
         .dst = {
                 .__refcnt       = ATOMIC_INIT(1),
@@ -1565,21 +1564,24 @@ int ip6_route_add(struct fib6_config *cfg)
                                 goto out;
                         }
                 }
-                rt->dst.output = ip6_pkt_discard_out;
-                rt->dst.input = ip6_pkt_discard;
                 rt->rt6i_flags = RTF_REJECT|RTF_NONEXTHOP;
                 switch (cfg->fc_type) {
                 case RTN_BLACKHOLE:
                         rt->dst.error = -EINVAL;
+                        rt->dst.output = dst_discard;
+                        rt->dst.input = dst_discard;
                         break;
                 case RTN_PROHIBIT:
                         rt->dst.error = -EACCES;
+                        rt->dst.output = ip6_pkt_prohibit_out;
+                        rt->dst.input = ip6_pkt_prohibit;
                         break;
                 case RTN_THROW:
-                        rt->dst.error = -EAGAIN;
-                        break;
                 default:
-                        rt->dst.error = -ENETUNREACH;
+                        rt->dst.error = (cfg->fc_type == RTN_THROW) ? -EAGAIN
+                                        : -ENETUNREACH;
+                        rt->dst.output = ip6_pkt_discard_out;
+                        rt->dst.input = ip6_pkt_discard;
                         break;
                 }
                 goto install_route;
@@ -1903,9 +1905,7 @@ static struct rt6_info *ip6_rt_copy(struct rt6_info *ort,
                 else
                         rt->rt6i_gateway = *dest;
                 rt->rt6i_flags = ort->rt6i_flags;
-                if ((ort->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) ==
-                    (RTF_DEFAULT | RTF_ADDRCONF))
-                        rt6_set_from(rt, ort);
+                rt6_set_from(rt, ort);
                 rt->rt6i_metric = 0;
 
 #ifdef CONFIG_IPV6_SUBTREES
@@ -2144,8 +2144,6 @@ static int ip6_pkt_discard_out(struct sk_buff *skb)
         return ip6_pkt_drop(skb, ICMPV6_NOROUTE, IPSTATS_MIB_OUTNOROUTES);
 }
 
-#ifdef CONFIG_IPV6_MULTIPLE_TABLES
-
 static int ip6_pkt_prohibit(struct sk_buff *skb)
 {
         return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_INNOROUTES);
@@ -2157,8 +2155,6 @@ static int ip6_pkt_prohibit_out(struct sk_buff *skb)
         return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_OUTNOROUTES);
 }
 
-#endif
-
 /*
  *      Allocate a dst for local (unicast / anycast) address.
  */
@@ -2168,12 +2164,10 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
                                     bool anycast)
 {
         struct net *net = dev_net(idev->dev);
-        struct rt6_info *rt = ip6_dst_alloc(net, net->loopback_dev, 0, NULL);
-
-        if (!rt) {
-                net_warn_ratelimited("Maximum number of routes reached, consider increasing route/max_size\n");
+        struct rt6_info *rt = ip6_dst_alloc(net, net->loopback_dev,
+                                            DST_NOCOUNT, NULL);
+        if (!rt)
                 return ERR_PTR(-ENOMEM);
-        }
 
         in6_dev_hold(idev);
 
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 366fbba3359a..d3005b34476a 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -702,8 +702,10 @@ static int ipip6_rcv(struct sk_buff *skb)
                 }
 
                 tstats = this_cpu_ptr(tunnel->dev->tstats);
+                u64_stats_update_begin(&tstats->syncp);
                 tstats->rx_packets++;
                 tstats->rx_bytes += skb->len;
+                u64_stats_update_end(&tstats->syncp);
 
                 netif_rx(skb);
 
@@ -924,7 +926,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                 if (tunnel->parms.iph.daddr && skb_dst(skb))
                         skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
 
-                if (skb->len > mtu) {
+                if (skb->len > mtu && !skb_is_gso(skb)) {
                         icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                         ip_rt_put(rt);
                         goto tx_error;
@@ -966,8 +968,10 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
         tos = INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
 
         skb = iptunnel_handle_offloads(skb, false, SKB_GSO_SIT);
-        if (IS_ERR(skb))
+        if (IS_ERR(skb)) {
+                ip_rt_put(rt);
                 goto out;
+        }
 
         err = iptunnel_xmit(rt, skb, fl4.saddr, fl4.daddr, IPPROTO_IPV6, tos,
                             ttl, df, !net_eq(tunnel->net, dev_net(dev)));
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 0740f93a114a..f67033b4bb66 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -156,7 +156,6 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
                         flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                         if (flowlabel == NULL)
                                 return -EINVAL;
-                        usin->sin6_addr = flowlabel->dst;
                         fl6_sock_release(flowlabel);
                 }
         }
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index bcd5699313c3..089c741a3992 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1140,7 +1140,6 @@ do_udp_sendmsg:
                                 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                                 if (flowlabel == NULL)
                                         return -EINVAL;
-                                daddr = &flowlabel->dst;
                         }
                 }
 
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index d9b437e55007..bb6e206ea70b 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -528,7 +528,6 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk,
                                 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                                 if (flowlabel == NULL)
                                         return -EINVAL;
-                                daddr = &flowlabel->dst;
                         }
                 }
 
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 7b01b9f5846c..c71b699eb555 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -715,7 +715,7 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
         unsigned long cpu_flags;
         size_t copied = 0;
         u32 peek_seq = 0;
-        u32 *seq;
+        u32 *seq, skb_len;
         unsigned long used;
         int target;     /* Read at least this many bytes */
         long timeo;
@@ -812,6 +812,7 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
                 }
                 continue;
         found_ok_skb:
+                skb_len = skb->len;
                 /* Ok so how much can we use? */
                 used = skb->len - offset;
                 if (len < used)
@@ -844,7 +845,7 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
                 }
 
                 /* Partial read */
-                if (used + offset < skb->len)
+                if (used + offset < skb_len)
                         continue;
         } while (len > 0);
 
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 95667b088c5b..364ce0c5962f 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1368,7 +1368,7 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                         changed |=
                               ieee80211_mps_set_sta_local_pm(sta,
                                                              params->local_pm);
-                ieee80211_bss_info_change_notify(sdata, changed);
+                ieee80211_mbss_info_change_notify(sdata, changed);
 #endif
         }
 
@@ -2488,8 +2488,7 @@ static int ieee80211_set_power_mgmt(struct wiphy *wiphy, struct net_device *dev,
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
         struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
 
-        if (sdata->vif.type != NL80211_IFTYPE_STATION &&
-            sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
+        if (sdata->vif.type != NL80211_IFTYPE_STATION)
                 return -EOPNOTSUPP;
 
         if (!(local->hw.flags & IEEE80211_HW_SUPPORTS_PS))
@@ -3120,9 +3119,17 @@ static int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
                     params->chandef.chan->band)
                         return -EINVAL;
 
+                ifmsh->chsw_init = true;
+                if (!ifmsh->pre_value)
+                        ifmsh->pre_value = 1;
+                else
+                        ifmsh->pre_value++;
+
                 err = ieee80211_mesh_csa_beacon(sdata, params, true);
-                if (err < 0)
+                if (err < 0) {
+                        ifmsh->chsw_init = false;
                         return err;
+                }
                 break;
 #endif
         default:
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 531be040b9ae..27a39de89679 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -823,6 +823,10 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         if (err)
                 return false;
 
+        /* channel switch is not supported, disconnect */
+        if (!(sdata->local->hw.wiphy->flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
+                goto disconnect;
+
         params.count = csa_ie.count;
         params.chandef = csa_ie.chandef;
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 29dc505be125..4aea4e791113 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1228,6 +1228,7 @@ struct ieee80211_csa_ie {
         u8 mode;
         u8 count;
         u8 ttl;
+        u16 pre_value;
 };
 
 /* Parsed Information Elements */
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index ff101ea1d9ae..a0757913046e 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1061,7 +1061,8 @@ static void ieee80211_uninit(struct net_device *dev)
 }
 
 static u16 ieee80211_netdev_select_queue(struct net_device *dev,
-                                         struct sk_buff *skb)
+                                         struct sk_buff *skb,
+                                         void *accel_priv)
 {
         return ieee80211_select_queue(IEEE80211_DEV_TO_SUB_IF(dev), skb);
 }
@@ -1078,7 +1079,8 @@ static const struct net_device_ops ieee80211_dataif_ops = {
 };
 
 static u16 ieee80211_monitor_select_queue(struct net_device *dev,
-                                          struct sk_buff *skb)
+                                          struct sk_buff *skb,
+                                          void *accel_priv)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
         struct ieee80211_local *local = sdata->local;
@@ -1325,7 +1327,6 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
                 sdata->vif.bss_conf.bssid = NULL;
                 break;
         case NL80211_IFTYPE_AP_VLAN:
-                break;
         case NL80211_IFTYPE_P2P_DEVICE:
                 sdata->vif.bss_conf.bssid = sdata->vif.addr;
                 break;
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 21d5d44444d0..7d1c3ac48ed9 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -940,6 +940,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                 wiphy_debug(local->hw.wiphy, "Failed to initialize wep: %d\n",
                             result);
 
+        local->hw.conf.flags = IEEE80211_CONF_IDLE;
+
         ieee80211_led_init(local);
 
         rtnl_lock();
@@ -1047,6 +1049,7 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 
         cancel_work_sync(&local->restart_work);
         cancel_work_sync(&local->reconfig_filter);
+        flush_work(&local->sched_scan_stopped_work);
 
         ieee80211_clear_tx_pending(local);
         rate_control_deinitialize(local);
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 896fe3bd599e..ba105257d03f 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -943,14 +943,19 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
                  params.chandef.chan->center_freq);
 
         params.block_tx = csa_ie.mode & WLAN_EID_CHAN_SWITCH_PARAM_TX_RESTRICT;
-        if (beacon)
+        if (beacon) {
                 ifmsh->chsw_ttl = csa_ie.ttl - 1;
-        else
-                ifmsh->chsw_ttl = 0;
+                if (ifmsh->pre_value >= csa_ie.pre_value)
+                        return false;
+                ifmsh->pre_value = csa_ie.pre_value;
+        }
 
-        if (ifmsh->chsw_ttl > 0)
+        if (ifmsh->chsw_ttl < ifmsh->mshcfg.dot11MeshTTL) {
                 if (ieee80211_mesh_csa_beacon(sdata, &params, false) < 0)
                         return false;
+        } else {
+                return false;
+        }
 
         sdata->csa_radar_required = params.radar_required;
 
@@ -1163,7 +1168,6 @@ static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
         offset_ttl = (len < 42) ? 7 : 10;
         *(pos + offset_ttl) -= 1;
         *(pos + offset_ttl + 1) &= ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
-        sdata->u.mesh.chsw_ttl = *(pos + offset_ttl);
 
         memcpy(mgmt_fwd, mgmt, len);
         eth_broadcast_addr(mgmt_fwd->da);
@@ -1182,7 +1186,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
         u16 pre_value;
         bool fwd_csa = true;
         size_t baselen;
-        u8 *pos, ttl;
+        u8 *pos;
 
         if (mgmt->u.action.u.measurement.action_code !=
             WLAN_ACTION_SPCT_CHL_SWITCH)
@@ -1193,8 +1197,8 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
                            u.action.u.chan_switch.variable);
         ieee802_11_parse_elems(pos, len - baselen, false, &elems);
 
-        ttl = elems.mesh_chansw_params_ie->mesh_ttl;
-        if (!--ttl)
+        ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
+        if (!--ifmsh->chsw_ttl)
                 fwd_csa = false;
 
         pre_value = le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d7504ab61a34..b3a3ce316656 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1910,6 +1910,8 @@ static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
         if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
                 already = true;
 
+        ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
+
         mutex_unlock(&sdata->local->mtx);
 
         if (already)
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 5d60779a0c1b..4096ff6cc24f 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -226,7 +226,7 @@ minstrel_ht_calc_tp(struct minstrel_ht_sta *mi, int group, int rate)
                 nsecs = 1000 * mi->overhead / MINSTREL_TRUNC(mi->avg_ampdu_len);
 
         nsecs += minstrel_mcs_groups[group].duration[rate];
-        tp = 1000000 * ((mr->probability * 1000) / nsecs);
+        tp = 1000000 * ((prob * 1000) / nsecs);
 
         mr->cur_tp = MINSTREL_TRUNC(tp);
 }
@@ -277,13 +277,15 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
                         if (!(mg->supported & BIT(i)))
                                 continue;
 
+                        index = MCS_GROUP_RATES * group + i;
+
                         /* initialize rates selections starting indexes */
                         if (!mg_rates_valid) {
                                 mg->max_tp_rate = mg->max_tp_rate2 =
                                         mg->max_prob_rate = i;
                                 if (!mi_rates_valid) {
                                         mi->max_tp_rate = mi->max_tp_rate2 =
-                                                mi->max_prob_rate = i;
+                                                mi->max_prob_rate = index;
                                         mi_rates_valid = true;
                                 }
                                 mg_rates_valid = true;
@@ -291,7 +293,6 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
 
                         mr = &mg->rates[i];
                         mr->retry_updated = false;
-                        index = MCS_GROUP_RATES * group + i;
                         minstrel_calc_rate_ewma(mr);
                         minstrel_ht_calc_tp(mi, group, i);
 
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index caecef870c0e..2b0debb0422b 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -911,7 +911,8 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
         u16 sc;
         u8 tid, ack_policy;
 
-        if (!ieee80211_is_data_qos(hdr->frame_control))
+        if (!ieee80211_is_data_qos(hdr->frame_control) ||
+            is_multicast_ether_addr(hdr->addr1))
                 goto dont_reorder;
 
         /*
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 5ad66a83ef7f..bcc4833d7542 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -1088,6 +1088,6 @@ void ieee80211_sched_scan_stopped(struct ieee80211_hw *hw)
 
         trace_api_sched_scan_stopped(local);
 
-        ieee80211_queue_work(&local->hw, &local->sched_scan_stopped_work);
+        schedule_work(&local->sched_scan_stopped_work);
 }
 EXPORT_SYMBOL(ieee80211_sched_scan_stopped);
diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
index a40da20b32e0..6ab009070084 100644
--- a/net/mac80211/spectmgmt.c
+++ b/net/mac80211/spectmgmt.c
@@ -78,6 +78,8 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
         if (elems->mesh_chansw_params_ie) {
                 csa_ie->ttl = elems->mesh_chansw_params_ie->mesh_ttl;
                 csa_ie->mode = elems->mesh_chansw_params_ie->mesh_flags;
+                csa_ie->pre_value = le16_to_cpu(
+                                elems->mesh_chansw_params_ie->mesh_pre_value);
         }
 
         new_freq = ieee80211_channel_to_frequency(new_chan_no, new_band);
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c558b246ef00..ca7fa7f0613d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -463,7 +463,6 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
 {
         struct sta_info *sta = tx->sta;
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
-        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
         struct ieee80211_local *local = tx->local;
 
         if (unlikely(!sta))
@@ -474,15 +473,6 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
                      !(info->flags & IEEE80211_TX_CTL_NO_PS_BUFFER))) {
                 int ac = skb_get_queue_mapping(tx->skb);
 
-                /* only deauth, disassoc and action are bufferable MMPDUs */
-                if (ieee80211_is_mgmt(hdr->frame_control) &&
-                    !ieee80211_is_deauth(hdr->frame_control) &&
-                    !ieee80211_is_disassoc(hdr->frame_control) &&
-                    !ieee80211_is_action(hdr->frame_control)) {
-                        info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
-                        return TX_CONTINUE;
-                }
-
                 ps_dbg(sta->sdata, "STA %pM aid %d: PS buffer for AC %d\n",
                        sta->sta.addr, sta->sta.aid, ac);
                 if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
@@ -525,9 +515,22 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
 static ieee80211_tx_result debug_noinline
 ieee80211_tx_h_ps_buf(struct ieee80211_tx_data *tx)
 {
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
+
         if (unlikely(tx->flags & IEEE80211_TX_PS_BUFFERED))
                 return TX_CONTINUE;
 
+        /* only deauth, disassoc and action are bufferable MMPDUs */
+        if (ieee80211_is_mgmt(hdr->frame_control) &&
+            !ieee80211_is_deauth(hdr->frame_control) &&
+            !ieee80211_is_disassoc(hdr->frame_control) &&
+            !ieee80211_is_action(hdr->frame_control)) {
+                if (tx->flags & IEEE80211_TX_UNICAST)
+                        info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
+                return TX_CONTINUE;
+        }
+
         if (tx->flags & IEEE80211_TX_UNICAST)
                 return ieee80211_tx_h_unicast_ps_buf(tx);
         else
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 592a18171f95..9f9b9bd3fd44 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2278,17 +2278,15 @@ void ieee80211_dfs_radar_detected_work(struct work_struct *work)
 {
         struct ieee80211_local *local =
                 container_of(work, struct ieee80211_local, radar_detected_work);
-        struct cfg80211_chan_def chandef;
+        struct cfg80211_chan_def chandef = local->hw.conf.chandef;
 
         ieee80211_dfs_cac_cancel(local);
 
         if (local->use_chanctx)
                 /* currently not handled */
                 WARN_ON(1);
-        else {
-                chandef = local->hw.conf.chandef;
+        else
                 cfg80211_radar_event(local->hw.wiphy, &chandef, GFP_KERNEL);
-        }
 }
 
 void ieee80211_radar_detected(struct ieee80211_hw *hw)
@@ -2459,14 +2457,9 @@ int ieee80211_send_action_csa(struct ieee80211_sub_if_data *sdata,
                           WLAN_EID_CHAN_SWITCH_PARAM_TX_RESTRICT : 0x00;
                 put_unaligned_le16(WLAN_REASON_MESH_CHAN, pos); /* Reason Cd */
                 pos += 2;
-                if (!ifmsh->pre_value)
-                        ifmsh->pre_value = 1;
-                else
-                        ifmsh->pre_value++;
                 pre_value = cpu_to_le16(ifmsh->pre_value);
                 memcpy(pos, &pre_value, 2);             /* Precedence Value */
                 pos += 2;
-                ifmsh->chsw_init = true;
         }
 
         ieee80211_tx_skb(sdata, skb);
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index 2bc2dec20b00..6226803fc490 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -59,7 +59,7 @@ hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
                      u32 *multi)
 {
         return ip1->ipcmp == ip2->ipcmp &&
-               ip2->ccmp == ip2->ccmp;
+               ip1->ccmp == ip2->ccmp;
 }
 
 static inline int
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd401aa..5a355a46d1dc 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
 #include <net/ip_vs.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
         if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
                 return;
 
+        /* Applications may adjust TCP seqs */
+        if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+            !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+                return;
+
         /*
          * The connection is not yet in the hashtable, so we update it.
          * CIP->VIP will remain the same, so leave the tuple in
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 17c1bcb182c6..f6e2ae91a80b 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -36,6 +36,11 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
         if (off == 0)
                 return 0;
 
+        if (unlikely(!seqadj)) {
+                WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
+                return 0;
+        }
+
         set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
 
         spin_lock_bh(&ct->lock);
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index 902fb0a6b38a..7a394df0deb7 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -97,7 +97,6 @@ int nf_conntrack_tstamp_pernet_init(struct net *net)
 void nf_conntrack_tstamp_pernet_fini(struct net *net)
 {
         nf_conntrack_tstamp_fini_sysctl(net);
-        nf_ct_extend_unregister(&tstamp_extend);
 }
 
 int nf_conntrack_tstamp_init(void)
diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c
index f02b3605823e..1fb2258c3535 100644
--- a/net/netfilter/nf_nat_irc.c
+++ b/net/netfilter/nf_nat_irc.c
@@ -34,10 +34,14 @@ static unsigned int help(struct sk_buff *skb,
                          struct nf_conntrack_expect *exp)
 {
         char buffer[sizeof("4294967296 65635")];
+        struct nf_conn *ct = exp->master;
+        union nf_inet_addr newaddr;
         u_int16_t port;
         unsigned int ret;
 
         /* Reply comes from server. */
+        newaddr = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3;
+
         exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
         exp->dir = IP_CT_DIR_REPLY;
         exp->expectfn = nf_nat_follow_master;
@@ -57,17 +61,35 @@ static unsigned int help(struct sk_buff *skb,
         }
 
         if (port == 0) {
-                nf_ct_helper_log(skb, exp->master, "all ports in use");
+                nf_ct_helper_log(skb, ct, "all ports in use");
                 return NF_DROP;
         }
 
-        ret = nf_nat_mangle_tcp_packet(skb, exp->master, ctinfo,
-                                       protoff, matchoff, matchlen, buffer,
-                                       strlen(buffer));
+        /* strlen("\1DCC CHAT chat AAAAAAAA P\1\n")=27
+         * strlen("\1DCC SCHAT chat AAAAAAAA P\1\n")=28
+         * strlen("\1DCC SEND F AAAAAAAA P S\1\n")=26
+         * strlen("\1DCC MOVE F AAAAAAAA P S\1\n")=26
+         * strlen("\1DCC TSEND F AAAAAAAA P S\1\n")=27
+         *
+         * AAAAAAAAA: bound addr (1.0.0.0==16777216, min 8 digits,
+         *                        255.255.255.255==4294967296, 10 digits)
+         * P:         bound port (min 1 d, max 5d (65635))
+         * F:         filename   (min 1 d )
+         * S:         size       (min 1 d )
+         * 0x01, \n:  terminators
+         */
+        /* AAA = "us", ie. where server normally talks to. */
+        snprintf(buffer, sizeof(buffer), "%u %u", ntohl(newaddr.ip), port);
+        pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n",
+                 buffer, &newaddr.ip, port);
+
+        ret = nf_nat_mangle_tcp_packet(skb, ct, ctinfo, protoff, matchoff,
+                                       matchlen, buffer, strlen(buffer));
         if (ret != NF_ACCEPT) {
-                nf_ct_helper_log(skb, exp->master, "cannot mangle packet");
+                nf_ct_helper_log(skb, ct, "cannot mangle packet");
                 nf_ct_unexpect_related(exp);
         }
+
         return ret;
 }
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index dcddc49c0e08..71a9f49a768b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -312,6 +312,9 @@ static int nf_tables_table_enable(struct nft_table *table)
         int err, i = 0;
 
         list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
+
                 err = nf_register_hook(&nft_base_chain(chain)->ops);
                 if (err < 0)
                         goto err;
@@ -321,6 +324,9 @@ static int nf_tables_table_enable(struct nft_table *table)
         return 0;
 err:
         list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
+
                 if (i-- <= 0)
                         break;
 
@@ -333,8 +339,10 @@ static int nf_tables_table_disable(struct nft_table *table)
 {
         struct nft_chain *chain;
 
-        list_for_each_entry(chain, &table->chains, list)
-                nf_unregister_hook(&nft_base_chain(chain)->ops);
+        list_for_each_entry(chain, &table->chains, list) {
+                if (chain->flags & NFT_BASE_CHAIN)
+                        nf_unregister_hook(&nft_base_chain(chain)->ops);
+        }
 
         return 0;
 }
@@ -1717,6 +1725,19 @@ nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
         return -ENOENT;
 }
 
+static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
+{
+        struct nft_rule *rule;
+        int err;
+
+        list_for_each_entry(rule, &ctx->chain->rules, list) {
+                err = nf_tables_delrule_one(ctx, rule);
+                if (err < 0)
+                        return err;
+        }
+        return 0;
+}
+
 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
                              const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
@@ -1725,8 +1746,8 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
         const struct nft_af_info *afi;
         struct net *net = sock_net(skb->sk);
         const struct nft_table *table;
-        struct nft_chain *chain;
-        struct nft_rule *rule, *tmp;
+        struct nft_chain *chain = NULL;
+        struct nft_rule *rule;
         int family = nfmsg->nfgen_family, err = 0;
         struct nft_ctx ctx;
 
@@ -1738,22 +1759,29 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
         if (IS_ERR(table))
                 return PTR_ERR(table);
 
-        chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
-        if (IS_ERR(chain))
-                return PTR_ERR(chain);
+        if (nla[NFTA_RULE_CHAIN]) {
+                chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
+                if (IS_ERR(chain))
+                        return PTR_ERR(chain);
+        }
 
         nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
 
-        if (nla[NFTA_RULE_HANDLE]) {
-                rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
-                if (IS_ERR(rule))
-                        return PTR_ERR(rule);
+        if (chain) {
+                if (nla[NFTA_RULE_HANDLE]) {
+                        rule = nf_tables_rule_lookup(chain,
+                                                     nla[NFTA_RULE_HANDLE]);
+                        if (IS_ERR(rule))
+                                return PTR_ERR(rule);
 
-                err = nf_tables_delrule_one(&ctx, rule);
-        } else {
-                /* Remove all rules in this chain */
-                list_for_each_entry_safe(rule, tmp, &chain->rules, list) {
                         err = nf_tables_delrule_one(&ctx, rule);
+                } else {
+                        err = nf_table_delrule_by_chain(&ctx);
+                }
+        } else {
+                list_for_each_entry(chain, &table->chains, list) {
+                        ctx.chain = chain;
+                        err = nf_table_delrule_by_chain(&ctx);
                         if (err < 0)
                                 break;
                 }
@@ -2078,17 +2106,21 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                                    struct netlink_callback *cb)
 {
         const struct nft_set *set;
-        unsigned int idx = 0, s_idx = cb->args[0];
+        unsigned int idx, s_idx = cb->args[0];
         struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
 
         if (cb->args[1])
                 return skb->len;
 
         list_for_each_entry(table, &ctx->afi->tables, list) {
-                if (cur_table && cur_table != table)
-                        continue;
+                if (cur_table) {
+                        if (cur_table != table)
+                                continue;
 
+                        cur_table = NULL;
+                }
                 ctx->table = table;
+                idx = 0;
                 list_for_each_entry(set, &ctx->table->sets, list) {
                         if (idx < s_idx)
                                 goto cont;
@@ -2350,7 +2382,9 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
         enum nft_registers dreg;
 
         dreg = nft_type_to_reg(set->dtype);
-        return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
+        return nft_validate_data_load(ctx, dreg, &elem->data,
+                                      set->dtype == NFT_DATA_VERDICT ?
+                                      NFT_DATA_VERDICT : NFT_DATA_VALUE);
 }
 
 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3c4b69e5fe17..a155d19a225e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1053,6 +1053,7 @@ static void __net_exit nfnl_log_net_exit(struct net *net)
 #ifdef CONFIG_PROC_FS
         remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
 #endif
+        nf_log_unset(net, &nfulnl_logger);
 }
 
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 8e0bb75e7c51..55c939f5371f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -31,7 +31,7 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
 {
         struct nft_exthdr *priv = nft_expr_priv(expr);
         struct nft_data *dest = &data[priv->dreg];
-        unsigned int offset;
+        unsigned int offset = 0;
         int err;
 
         err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 9ff035c71403..a3910fc2122b 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -325,21 +325,24 @@ static void htable_gc(unsigned long htlong)
         add_timer(&ht->timer);
 }
 
-static void htable_destroy(struct xt_hashlimit_htable *hinfo)
+static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo)
 {
         struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net);
         struct proc_dir_entry *parent;
 
-        del_timer_sync(&hinfo->timer);
-
         if (hinfo->family == NFPROTO_IPV4)
                 parent = hashlimit_net->ipt_hashlimit;
         else
                 parent = hashlimit_net->ip6t_hashlimit;
 
-        if(parent != NULL)
+        if (parent != NULL)
                 remove_proc_entry(hinfo->name, parent);
+}
 
+static void htable_destroy(struct xt_hashlimit_htable *hinfo)
+{
+        del_timer_sync(&hinfo->timer);
+        htable_remove_proc_entry(hinfo);
         htable_selective_cleanup(hinfo, select_all);
         kfree(hinfo->name);
         vfree(hinfo);
@@ -883,21 +886,15 @@ static int __net_init hashlimit_proc_net_init(struct net *net)
 static void __net_exit hashlimit_proc_net_exit(struct net *net)
 {
         struct xt_hashlimit_htable *hinfo;
-        struct proc_dir_entry *pde;
         struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
 
-        /* recent_net_exit() is called before recent_mt_destroy(). Make sure
-         * that the parent xt_recent proc entry is is empty before trying to
-         * remove it.
+        /* hashlimit_net_exit() is called before hashlimit_mt_destroy().
+         * Make sure that the parent ipt_hashlimit and ip6t_hashlimit proc
+         * entries is empty before trying to remove it.
          */
         mutex_lock(&hashlimit_mutex);
-        pde = hashlimit_net->ipt_hashlimit;
-        if (pde == NULL)
-                pde = hashlimit_net->ip6t_hashlimit;
-
         hlist_for_each_entry(hinfo, &hashlimit_net->htables, node)
-                remove_proc_entry(hinfo->name, pde);
-
+                htable_remove_proc_entry(hinfo);
         hashlimit_net->ipt_hashlimit = NULL;
         hashlimit_net->ip6t_hashlimit = NULL;
         mutex_unlock(&hashlimit_mutex);
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 872529105abc..83b9927e7d19 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -384,7 +384,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx,
 {
         dev->dep_link_up = true;
 
-        if (!dev->active_target) {
+        if (!dev->active_target && rf_mode == NFC_RF_INITIATOR) {
                 struct nfc_target *target;
 
                 target = nfc_find_target(dev, target_idx);
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index ba2548bd85bf..88cfbc189558 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -237,6 +237,30 @@ struct packet_skb_cb {
 static void __fanout_unlink(struct sock *sk, struct packet_sock *po);
 static void __fanout_link(struct sock *sk, struct packet_sock *po);
 
+static struct net_device *packet_cached_dev_get(struct packet_sock *po)
+{
+        struct net_device *dev;
+
+        rcu_read_lock();
+        dev = rcu_dereference(po->cached_dev);
+        if (likely(dev))
+                dev_hold(dev);
+        rcu_read_unlock();
+
+        return dev;
+}
+
+static void packet_cached_dev_assign(struct packet_sock *po,
+                                     struct net_device *dev)
+{
+        rcu_assign_pointer(po->cached_dev, dev);
+}
+
+static void packet_cached_dev_reset(struct packet_sock *po)
+{
+        RCU_INIT_POINTER(po->cached_dev, NULL);
+}
+
 /* register_prot_hook must be invoked with the po->bind_lock held,
  * or from a context in which asynchronous accesses to the packet
  * socket is not possible (packet_create()).
@@ -246,12 +270,10 @@ static void register_prot_hook(struct sock *sk)
         struct packet_sock *po = pkt_sk(sk);
 
         if (!po->running) {
-                if (po->fanout) {
+                if (po->fanout)
                         __fanout_link(sk, po);
-                } else {
+                else
                         dev_add_pack(&po->prot_hook);
-                        rcu_assign_pointer(po->cached_dev, po->prot_hook.dev);
-                }
 
                 sock_hold(sk);
                 po->running = 1;
@@ -270,12 +292,11 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
         struct packet_sock *po = pkt_sk(sk);
 
         po->running = 0;
-        if (po->fanout) {
+
+        if (po->fanout)
                 __fanout_unlink(sk, po);
-        } else {
+        else
                 __dev_remove_pack(&po->prot_hook);
-                RCU_INIT_POINTER(po->cached_dev, NULL);
-        }
 
         __sock_put(sk);
 
@@ -2059,19 +2080,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
         return tp_len;
 }
 
-static struct net_device *packet_cached_dev_get(struct packet_sock *po)
-{
-        struct net_device *dev;
-
-        rcu_read_lock();
-        dev = rcu_dereference(po->cached_dev);
-        if (dev)
-                dev_hold(dev);
-        rcu_read_unlock();
-
-        return dev;
-}
-
 static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 {
         struct sk_buff *skb;
@@ -2088,7 +2096,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 
         mutex_lock(&po->pg_vec_lock);
 
-        if (saddr == NULL) {
+        if (likely(saddr == NULL)) {
                 dev     = packet_cached_dev_get(po);
                 proto   = po->num;
                 addr    = NULL;
@@ -2242,7 +2250,7 @@ static int packet_snd(struct socket *sock,
          *      Get and verify the address.
          */
 
-        if (saddr == NULL) {
+        if (likely(saddr == NULL)) {
                 dev     = packet_cached_dev_get(po);
                 proto   = po->num;
                 addr    = NULL;
@@ -2451,6 +2459,8 @@ static int packet_release(struct socket *sock)
 
         spin_lock(&po->bind_lock);
         unregister_prot_hook(sk, false);
+        packet_cached_dev_reset(po);
+
         if (po->prot_hook.dev) {
                 dev_put(po->prot_hook.dev);
                 po->prot_hook.dev = NULL;
@@ -2506,14 +2516,17 @@ static int packet_do_bind(struct sock *sk, struct net_device *dev, __be16 protoc
 
         spin_lock(&po->bind_lock);
         unregister_prot_hook(sk, true);
+
         po->num = protocol;
         po->prot_hook.type = protocol;
         if (po->prot_hook.dev)
                 dev_put(po->prot_hook.dev);
-        po->prot_hook.dev = dev;
 
+        po->prot_hook.dev = dev;
         po->ifindex = dev ? dev->ifindex : 0;
 
+        packet_cached_dev_assign(po, dev);
+
         if (protocol == 0)
                 goto out_unlock;
 
@@ -2626,7 +2639,8 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
         po = pkt_sk(sk);
         sk->sk_family = PF_PACKET;
         po->num = proto;
-        RCU_INIT_POINTER(po->cached_dev, NULL);
+
+        packet_cached_dev_reset(po);
 
         sk->sk_destruct = packet_sock_destruct;
         sk_refcnt_debug_inc(sk);
@@ -3337,6 +3351,7 @@ static int packet_notifier(struct notifier_block *this,
                                                 sk->sk_error_report(sk);
                                 }
                                 if (msg == NETDEV_UNREGISTER) {
+                                        packet_cached_dev_reset(po);
                                         po->ifindex = -1;
                                         if (po->prot_hook.dev)
                                                 dev_put(po->prot_hook.dev);
diff --git a/net/rds/ib.c b/net/rds/ib.c
index b4c8b0022fee..ba2dffeff608 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -338,7 +338,8 @@ static int rds_ib_laddr_check(__be32 addr)
         ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
         /* due to this, we will claim to support iWARP devices unless we
            check node_type. */
-        if (ret || cm_id->device->node_type != RDMA_NODE_IB_CA)
+        if (ret || !cm_id->device ||
+            cm_id->device->node_type != RDMA_NODE_IB_CA)
                 ret = -EADDRNOTAVAIL;
 
         rdsdebug("addr %pI4 ret %d node type %d\n",
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index e59094981175..37be6e226d1b 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -552,9 +552,8 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
             && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
                 rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
                 scat = &rm->data.op_sg[sg];
-                ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
-                ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
-                return ret;
+                ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length);
+                return sizeof(struct rds_header) + ret;
         }
 
         /* FIXME we may overallocate here */
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 33af77246bfe..62ced6516c58 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
 
         if (msg->msg_name) {
                 struct sockaddr_rose *srose;
+                struct full_sockaddr_rose *full_srose = msg->msg_name;
 
                 memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose));
                 srose = msg->msg_name;
@@ -1260,18 +1261,9 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
                 srose->srose_addr   = rose->dest_addr;
                 srose->srose_call   = rose->dest_call;
                 srose->srose_ndigis = rose->dest_ndigis;
-                if (msg->msg_namelen >= sizeof(struct full_sockaddr_rose)) {
-                        struct full_sockaddr_rose *full_srose = (struct full_sockaddr_rose *)msg->msg_name;
-                        for (n = 0 ; n < rose->dest_ndigis ; n++)
-                                full_srose->srose_digis[n] = rose->dest_digis[n];
-                        msg->msg_namelen = sizeof(struct full_sockaddr_rose);
-                } else {
-                        if (rose->dest_ndigis >= 1) {
-                                srose->srose_ndigis = 1;
-                                srose->srose_digi = rose->dest_digis[0];
-                        }
-                        msg->msg_namelen = sizeof(struct sockaddr_rose);
-                }
+                for (n = 0 ; n < rose->dest_ndigis ; n++)
+                        full_srose->srose_digis[n] = rose->dest_digis[n];
+                msg->msg_namelen = sizeof(struct full_sockaddr_rose);
         }
 
         skb_free_datagram(sk, skb);
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index fd7072827a40..69cb848e8345 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -270,6 +270,16 @@ int tcf_register_action(struct tc_action_ops *act)
 {
         struct tc_action_ops *a, **ap;
 
+        /* Must supply act, dump, cleanup and init */
+        if (!act->act || !act->dump || !act->cleanup || !act->init)
+                return -EINVAL;
+
+        /* Supply defaults */
+        if (!act->lookup)
+                act->lookup = tcf_hash_search;
+        if (!act->walk)
+                act->walk = tcf_generic_walker;
+
         write_lock(&act_mod_lock);
         for (ap = &act_base; (a = *ap) != NULL; ap = &a->next) {
                 if (act->type == a->type || (strcmp(act->kind, a->kind) == 0)) {
@@ -381,7 +391,7 @@ int tcf_action_exec(struct sk_buff *skb, const struct tc_action *act,
         }
         while ((a = act) != NULL) {
 repeat:
-                if (a->ops && a->ops->act) {
+                if (a->ops) {
                         ret = a->ops->act(skb, a, res);
                         if (TC_MUNGED & skb->tc_verd) {
                                 /* copied already, allow trampling */
@@ -405,7 +415,7 @@ void tcf_action_destroy(struct tc_action *act, int bind)
         struct tc_action *a;
 
         for (a = act; a; a = act) {
-                if (a->ops && a->ops->cleanup) {
+                if (a->ops) {
                         if (a->ops->cleanup(a, bind) == ACT_P_DELETED)
                                 module_put(a->ops->owner);
                         act = act->next;
@@ -424,7 +434,7 @@ tcf_action_dump_old(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
 {
         int err = -EINVAL;
 
-        if (a->ops == NULL || a->ops->dump == NULL)
+        if (a->ops == NULL)
                 return err;
         return a->ops->dump(skb, a, bind, ref);
 }
@@ -436,7 +446,7 @@ tcf_action_dump_1(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
         unsigned char *b = skb_tail_pointer(skb);
         struct nlattr *nest;
 
-        if (a->ops == NULL || a->ops->dump == NULL)
+        if (a->ops == NULL)
                 return err;
 
         if (nla_put_string(skb, TCA_KIND, a->ops->kind))
@@ -723,8 +733,6 @@ tcf_action_get_1(struct nlattr *nla, struct nlmsghdr *n, u32 portid)
         a->ops = tc_lookup_action(tb[TCA_ACT_KIND]);
         if (a->ops == NULL)
                 goto err_free;
-        if (a->ops->lookup == NULL)
-                goto err_mod;
         err = -ENOENT;
         if (a->ops->lookup(a, index) == 0)
                 goto err_mod;
@@ -1084,12 +1092,6 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
         memset(&a, 0, sizeof(struct tc_action));
         a.ops = a_o;
 
-        if (a_o->walk == NULL) {
-                WARN(1, "tc_dump_action: %s !capable of dumping table\n",
-                     a_o->kind);
-                goto out_module_put;
-        }
-
         nlh = nlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
                         cb->nlh->nlmsg_type, sizeof(*t), 0);
         if (!nlh)
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 3a4c0caa1f7d..11fe1a416433 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -77,16 +77,16 @@ static int tcf_csum_init(struct net *n, struct nlattr *nla, struct nlattr *est,
                                      &csum_idx_gen, &csum_hash_info);
                 if (IS_ERR(pc))
                         return PTR_ERR(pc);
-                p = to_tcf_csum(pc);
                 ret = ACT_P_CREATED;
         } else {
-                p = to_tcf_csum(pc);
-                if (!ovr) {
-                        tcf_hash_release(pc, bind, &csum_hash_info);
+                if (bind)/* dont override defaults */
+                        return 0;
+                tcf_hash_release(pc, bind, &csum_hash_info);
+                if (!ovr)
                         return -EEXIST;
-                }
         }
 
+        p = to_tcf_csum(pc);
         spin_lock_bh(&p->tcf_lock);
         p->tcf_action = parm->action;
         p->update_flags = parm->update_flags;
@@ -585,9 +585,7 @@ static struct tc_action_ops act_csum_ops = {
         .act            = tcf_csum,
         .dump           = tcf_csum_dump,
         .cleanup        = tcf_csum_cleanup,
-        .lookup         = tcf_hash_search,
         .init           = tcf_csum_init,
-        .walk           = tcf_generic_walker
 };
 
 MODULE_DESCRIPTION("Checksum updating actions");
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index fd2b3cff5fa2..eb9ba60ebab4 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -102,10 +102,11 @@ static int tcf_gact_init(struct net *net, struct nlattr *nla,
                         return PTR_ERR(pc);
                 ret = ACT_P_CREATED;
         } else {
-                if (!ovr) {
-                        tcf_hash_release(pc, bind, &gact_hash_info);
+                if (bind)/* dont override defaults */
+                        return 0;
+                tcf_hash_release(pc, bind, &gact_hash_info);
+                if (!ovr)
                         return -EEXIST;
-                }
         }
 
         gact = to_gact(pc);
@@ -206,9 +207,7 @@ static struct tc_action_ops act_gact_ops = {
         .act            =       tcf_gact,
         .dump           =       tcf_gact_dump,
         .cleanup        =       tcf_gact_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_gact_init,
-        .walk           =       tcf_generic_walker
 };
 
 MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 60d88b6b9560..dcbfe8ce04a6 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -141,10 +141,12 @@ static int tcf_ipt_init(struct net *net, struct nlattr *nla, struct nlattr *est,
                         return PTR_ERR(pc);
                 ret = ACT_P_CREATED;
         } else {
-                if (!ovr) {
-                        tcf_ipt_release(to_ipt(pc), bind);
+                if (bind)/* dont override defaults */
+                        return 0;
+                tcf_ipt_release(to_ipt(pc), bind);
+
+                if (!ovr)
                         return -EEXIST;
-                }
         }
         ipt = to_ipt(pc);
 
@@ -298,9 +300,7 @@ static struct tc_action_ops act_ipt_ops = {
         .act            =       tcf_ipt,
         .dump           =       tcf_ipt_dump,
         .cleanup        =       tcf_ipt_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_ipt_init,
-        .walk           =       tcf_generic_walker
 };
 
 static struct tc_action_ops act_xt_ops = {
@@ -312,9 +312,7 @@ static struct tc_action_ops act_xt_ops = {
         .act            =       tcf_ipt,
         .dump           =       tcf_ipt_dump,
         .cleanup        =       tcf_ipt_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_ipt_init,
-        .walk           =       tcf_generic_walker
 };
 
 MODULE_AUTHOR("Jamal Hadi Salim(2002-13)");
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 977c10e0631b..252378121ce7 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -271,9 +271,7 @@ static struct tc_action_ops act_mirred_ops = {
         .act            =       tcf_mirred,
         .dump           =       tcf_mirred_dump,
         .cleanup        =       tcf_mirred_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_mirred_init,
-        .walk           =       tcf_generic_walker
 };
 
 MODULE_AUTHOR("Jamal Hadi Salim(2002)");
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index 876f0ef29694..76869538d028 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -70,15 +70,15 @@ static int tcf_nat_init(struct net *net, struct nlattr *nla, struct nlattr *est,
                                      &nat_idx_gen, &nat_hash_info);
                 if (IS_ERR(pc))
                         return PTR_ERR(pc);
-                p = to_tcf_nat(pc);
                 ret = ACT_P_CREATED;
         } else {
-                p = to_tcf_nat(pc);
-                if (!ovr) {
-                        tcf_hash_release(pc, bind, &nat_hash_info);
+                if (bind)
+                        return 0;
+                tcf_hash_release(pc, bind, &nat_hash_info);
+                if (!ovr)
                         return -EEXIST;
-                }
         }
+        p = to_tcf_nat(pc);
 
         spin_lock_bh(&p->tcf_lock);
         p->old_addr = parm->old_addr;
@@ -308,9 +308,7 @@ static struct tc_action_ops act_nat_ops = {
         .act            =       tcf_nat,
         .dump           =       tcf_nat_dump,
         .cleanup        =       tcf_nat_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_nat_init,
-        .walk           =       tcf_generic_walker
 };
 
 MODULE_DESCRIPTION("Stateless NAT actions");
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 7ed78c9e505c..7aa2dcd989f8 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -84,10 +84,12 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
                 ret = ACT_P_CREATED;
         } else {
                 p = to_pedit(pc);
-                if (!ovr) {
-                        tcf_hash_release(pc, bind, &pedit_hash_info);
+                tcf_hash_release(pc, bind, &pedit_hash_info);
+                if (bind)
+                        return 0;
+                if (!ovr)
                         return -EEXIST;
-                }
+
                 if (p->tcfp_nkeys && p->tcfp_nkeys != parm->nkeys) {
                         keys = kmalloc(ksize, GFP_KERNEL);
                         if (keys == NULL)
@@ -243,9 +245,7 @@ static struct tc_action_ops act_pedit_ops = {
         .act            =       tcf_pedit,
         .dump           =       tcf_pedit_dump,
         .cleanup        =       tcf_pedit_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_pedit_init,
-        .walk           =       tcf_generic_walker
 };
 
 MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 272d8e924cf6..ef246d87e68b 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -177,10 +177,12 @@ static int tcf_act_police_locate(struct net *net, struct nlattr *nla,
                         if (bind) {
                                 police->tcf_bindcnt += 1;
                                 police->tcf_refcnt += 1;
+                                return 0;
                         }
                         if (ovr)
                                 goto override;
-                        return ret;
+                        /* not replacing */
+                        return -EEXIST;
                 }
         }
 
@@ -407,7 +409,6 @@ static struct tc_action_ops act_police_ops = {
         .act            =       tcf_act_police,
         .dump           =       tcf_act_police_dump,
         .cleanup        =       tcf_act_police_cleanup,
-        .lookup         =       tcf_hash_search,
         .init           =       tcf_act_police_locate,
         .walk           =       tcf_act_police_walker
 };
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 7725eb4ab756..f7b45ab85388 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -142,10 +142,13 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
                 ret = ACT_P_CREATED;
         } else {
                 d = to_defact(pc);
-                if (!ovr) {
-                        tcf_simp_release(d, bind);
+
+                if (bind)
+                        return 0;
+                tcf_simp_release(d, bind);
+                if (!ovr)
                         return -EEXIST;
-                }
+
                 reset_policy(d, defdata, parm);
         }
 
@@ -201,7 +204,6 @@ static struct tc_action_ops act_simp_ops = {
         .dump           =       tcf_simp_dump,
         .cleanup        =       tcf_simp_cleanup,
         .init           =       tcf_simp_init,
-        .walk           =       tcf_generic_walker,
 };
 
 MODULE_AUTHOR("Jamal Hadi Salim(2005)");
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index cb4221171f93..8fe9d25c3008 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -120,10 +120,11 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
                 ret = ACT_P_CREATED;
         } else {
                 d = to_skbedit(pc);
-                if (!ovr) {
-                        tcf_hash_release(pc, bind, &skbedit_hash_info);
+                if (bind)
+                        return 0;
+                tcf_hash_release(pc, bind, &skbedit_hash_info);
+                if (!ovr)
                         return -EEXIST;
-                }
         }
 
         spin_lock_bh(&d->tcf_lock);
@@ -203,7 +204,6 @@ static struct tc_action_ops act_skbedit_ops = {
         .dump           =       tcf_skbedit_dump,
         .cleanup        =       tcf_skbedit_cleanup,
         .init           =       tcf_skbedit_init,
-        .walk           =       tcf_generic_walker,
 };
 
 MODULE_AUTHOR("Alexander Duyck, <alexander.h.duyck@intel.com>");
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 922a09406ba7..7fc899a943a8 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -126,7 +126,7 @@ int sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q,
 
         HARD_TX_LOCK(dev, txq, smp_processor_id());
         if (!netif_xmit_frozen_or_stopped(txq))
-                ret = dev_hard_start_xmit(skb, dev, txq, NULL);
+                ret = dev_hard_start_xmit(skb, dev, txq);
 
         HARD_TX_UNLOCK(dev, txq);
 
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 0e1e38b40025..717b2108f852 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1477,11 +1477,22 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                 sch_tree_lock(sch);
         }
 
+        rate64 = tb[TCA_HTB_RATE64] ? nla_get_u64(tb[TCA_HTB_RATE64]) : 0;
+
+        ceil64 = tb[TCA_HTB_CEIL64] ? nla_get_u64(tb[TCA_HTB_CEIL64]) : 0;
+
+        psched_ratecfg_precompute(&cl->rate, &hopt->rate, rate64);
+        psched_ratecfg_precompute(&cl->ceil, &hopt->ceil, ceil64);
+
         /* it used to be a nasty bug here, we have to check that node
          * is really leaf before changing cl->un.leaf !
          */
         if (!cl->level) {
-                cl->quantum = hopt->rate.rate / q->rate2quantum;
+                u64 quantum = cl->rate.rate_bytes_ps;
+
+                do_div(quantum, q->rate2quantum);
+                cl->quantum = min_t(u64, quantum, INT_MAX);
+
                 if (!hopt->quantum && cl->quantum < 1000) {
                         pr_warning(
                                "HTB: quantum of class %X is small. Consider r2q change.\n",
@@ -1500,13 +1511,6 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                         cl->prio = TC_HTB_NUMPRIO - 1;
         }
 
-        rate64 = tb[TCA_HTB_RATE64] ? nla_get_u64(tb[TCA_HTB_RATE64]) : 0;
-
-        ceil64 = tb[TCA_HTB_CEIL64] ? nla_get_u64(tb[TCA_HTB_CEIL64]) : 0;
-
-        psched_ratecfg_precompute(&cl->rate, &hopt->rate, rate64);
-        psched_ratecfg_precompute(&cl->ceil, &hopt->ceil, ceil64);
-
         cl->buffer = PSCHED_TICKS2NS(hopt->buffer);
         cl->cbuffer = PSCHED_TICKS2NS(hopt->cbuffer);
 
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index a6090051c5db..887e672f9d7d 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -118,6 +118,32 @@ struct tbf_sched_data {
 };
 
 
+/* Time to Length, convert time in ns to length in bytes
+ * to determinate how many bytes can be sent in given time.
+ */
+static u64 psched_ns_t2l(const struct psched_ratecfg *r,
+                         u64 time_in_ns)
+{
+        /* The formula is :
+         * len = (time_in_ns * r->rate_bytes_ps) / NSEC_PER_SEC
+         */
+        u64 len = time_in_ns * r->rate_bytes_ps;
+
+        do_div(len, NSEC_PER_SEC);
+
+        if (unlikely(r->linklayer == TC_LINKLAYER_ATM)) {
+                do_div(len, 53);
+                len = len * 48;
+        }
+
+        if (len > r->overhead)
+                len -= r->overhead;
+        else
+                len = 0;
+
+        return len;
+}
+
 /*
  * Return length of individual segments of a gso packet,
  * including all headers (MAC, IP, TCP/UDP)
@@ -289,10 +315,11 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
         struct tbf_sched_data *q = qdisc_priv(sch);
         struct nlattr *tb[TCA_TBF_MAX + 1];
         struct tc_tbf_qopt *qopt;
-        struct qdisc_rate_table *rtab = NULL;
-        struct qdisc_rate_table *ptab = NULL;
         struct Qdisc *child = NULL;
-        int max_size, n;
+        struct psched_ratecfg rate;
+        struct psched_ratecfg peak;
+        u64 max_size;
+        s64 buffer, mtu;
         u64 rate64 = 0, prate64 = 0;
 
         err = nla_parse_nested(tb, TCA_TBF_MAX, opt, tbf_policy);
@@ -304,38 +331,13 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
                 goto done;
 
         qopt = nla_data(tb[TCA_TBF_PARMS]);
-        rtab = qdisc_get_rtab(&qopt->rate, tb[TCA_TBF_RTAB]);
-        if (rtab == NULL)
-                goto done;
-
-        if (qopt->peakrate.rate) {
-                if (qopt->peakrate.rate > qopt->rate.rate)
-                        ptab = qdisc_get_rtab(&qopt->peakrate, tb[TCA_TBF_PTAB]);
-                if (ptab == NULL)
-                        goto done;
-        }
-
-        for (n = 0; n < 256; n++)
-                if (rtab->data[n] > qopt->buffer)
-                        break;
-        max_size = (n << qopt->rate.cell_log) - 1;
-        if (ptab) {
-                int size;
-
-                for (n = 0; n < 256; n++)
-                        if (ptab->data[n] > qopt->mtu)
-                                break;
-                size = (n << qopt->peakrate.cell_log) - 1;
-                if (size < max_size)
-                        max_size = size;
-        }
-        if (max_size < 0)
-                goto done;
+        if (qopt->rate.linklayer == TC_LINKLAYER_UNAWARE)
+                qdisc_put_rtab(qdisc_get_rtab(&qopt->rate,
+                                              tb[TCA_TBF_RTAB]));
 
-        if (max_size < psched_mtu(qdisc_dev(sch)))
-                pr_warn_ratelimited("sch_tbf: burst %u is lower than device %s mtu (%u) !\n",
-                                    max_size, qdisc_dev(sch)->name,
-                                    psched_mtu(qdisc_dev(sch)));
+        if (qopt->peakrate.linklayer == TC_LINKLAYER_UNAWARE)
+                        qdisc_put_rtab(qdisc_get_rtab(&qopt->peakrate,
+                                                      tb[TCA_TBF_PTAB]));
 
         if (q->qdisc != &noop_qdisc) {
                 err = fifo_set_limit(q->qdisc, qopt->limit);
@@ -349,6 +351,39 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
                 }
         }
 
+        buffer = min_t(u64, PSCHED_TICKS2NS(qopt->buffer), ~0U);
+        mtu = min_t(u64, PSCHED_TICKS2NS(qopt->mtu), ~0U);
+
+        if (tb[TCA_TBF_RATE64])
+                rate64 = nla_get_u64(tb[TCA_TBF_RATE64]);
+        psched_ratecfg_precompute(&rate, &qopt->rate, rate64);
+
+        max_size = min_t(u64, psched_ns_t2l(&rate, buffer), ~0U);
+
+        if (qopt->peakrate.rate) {
+                if (tb[TCA_TBF_PRATE64])
+                        prate64 = nla_get_u64(tb[TCA_TBF_PRATE64]);
+                psched_ratecfg_precompute(&peak, &qopt->peakrate, prate64);
+                if (peak.rate_bytes_ps <= rate.rate_bytes_ps) {
+                        pr_warn_ratelimited("sch_tbf: peakrate %llu is lower than or equals to rate %llu !\n",
+                                            peak.rate_bytes_ps, rate.rate_bytes_ps);
+                        err = -EINVAL;
+                        goto done;
+                }
+
+                max_size = min_t(u64, max_size, psched_ns_t2l(&peak, mtu));
+        }
+
+        if (max_size < psched_mtu(qdisc_dev(sch)))
+                pr_warn_ratelimited("sch_tbf: burst %llu is lower than device %s mtu (%u) !\n",
+                                    max_size, qdisc_dev(sch)->name,
+                                    psched_mtu(qdisc_dev(sch)));
+
+        if (!max_size) {
+                err = -EINVAL;
+                goto done;
+        }
+
         sch_tree_lock(sch);
         if (child) {
                 qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
@@ -362,13 +397,9 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
         q->tokens = q->buffer;
         q->ptokens = q->mtu;
 
-        if (tb[TCA_TBF_RATE64])
-                rate64 = nla_get_u64(tb[TCA_TBF_RATE64]);
-        psched_ratecfg_precompute(&q->rate, &rtab->rate, rate64);
-        if (ptab) {
-                if (tb[TCA_TBF_PRATE64])
-                        prate64 = nla_get_u64(tb[TCA_TBF_PRATE64]);
-                psched_ratecfg_precompute(&q->peak, &ptab->rate, prate64);
+        memcpy(&q->rate, &rate, sizeof(struct psched_ratecfg));
+        if (qopt->peakrate.rate) {
+                memcpy(&q->peak, &peak, sizeof(struct psched_ratecfg));
                 q->peak_present = true;
         } else {
                 q->peak_present = false;
@@ -377,10 +408,6 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
         sch_tree_unlock(sch);
         err = 0;
 done:
-        if (rtab)
-                qdisc_put_rtab(rtab);
-        if (ptab)
-                qdisc_put_rtab(ptab);
         return err;
 }
 
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 68a27f9796d2..31ed008c8e13 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -154,8 +154,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 
         asoc->timeouts[SCTP_EVENT_TIMEOUT_HEARTBEAT] = 0;
         asoc->timeouts[SCTP_EVENT_TIMEOUT_SACK] = asoc->sackdelay;
-        asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] =
-                min_t(unsigned long, sp->autoclose, net->sctp.max_autoclose) * HZ;
+        asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = sp->autoclose * HZ;
 
         /* Initializes the timers */
         for (i = SCTP_EVENT_TIMEOUT_NONE; i < SCTP_NUM_TIMEOUT_TYPES; ++i)
@@ -291,8 +290,6 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
                 asoc->peer.ipv6_address = 1;
         INIT_LIST_HEAD(&asoc->asocs);
 
-        asoc->autoclose = sp->autoclose;
-
         asoc->default_stream = sp->default_stream;
         asoc->default_ppid = sp->default_ppid;
         asoc->default_flags = sp->default_flags;
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 0e2644d0a773..0fb140f8f088 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -581,7 +581,8 @@ int sctp_packet_transmit(struct sctp_packet *packet)
                 unsigned long timeout;
 
                 /* Restart the AUTOCLOSE timer when sending data. */
-                if (sctp_state(asoc, ESTABLISHED) && asoc->autoclose) {
+                if (sctp_state(asoc, ESTABLISHED) &&
+                    asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
                         timer = &asoc->timers[SCTP_EVENT_TIMEOUT_AUTOCLOSE];
                         timeout = asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE];
 
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index f51ba985a36e..59268f6e2c36 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -208,8 +208,6 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
         INIT_LIST_HEAD(&q->retransmit);
         INIT_LIST_HEAD(&q->sacked);
         INIT_LIST_HEAD(&q->abandoned);
-
-        q->empty = 1;
 }
 
 /* Free the outqueue structure and any related pending chunks.
@@ -332,7 +330,6 @@ int sctp_outq_tail(struct sctp_outq *q, struct sctp_chunk *chunk)
                                 SCTP_INC_STATS(net, SCTP_MIB_OUTUNORDERCHUNKS);
                         else
                                 SCTP_INC_STATS(net, SCTP_MIB_OUTORDERCHUNKS);
-                        q->empty = 0;
                         break;
                 }
         } else {
@@ -654,7 +651,6 @@ redo:
                         if (chunk->fast_retransmit == SCTP_NEED_FRTX)
                                 chunk->fast_retransmit = SCTP_DONT_FRTX;
 
-                        q->empty = 0;
                         q->asoc->stats.rtxchunks++;
                         break;
                 }
@@ -1065,8 +1061,6 @@ static int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
 
                         sctp_transport_reset_timers(transport);
 
-                        q->empty = 0;
-
                         /* Only let one DATA chunk get bundled with a
                          * COOKIE-ECHO chunk.
                          */
@@ -1275,29 +1269,17 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_chunk *chunk)
                  "advertised peer ack point:0x%x\n", __func__, asoc, ctsn,
                  asoc->adv_peer_ack_point);
 
-        /* See if all chunks are acked.
-         * Make sure the empty queue handler will get run later.
-         */
-        q->empty = (list_empty(&q->out_chunk_list) &&
-                    list_empty(&q->retransmit));
-        if (!q->empty)
-                goto finish;
-
-        list_for_each_entry(transport, transport_list, transports) {
-                q->empty = q->empty && list_empty(&transport->transmitted);
-                if (!q->empty)
-                        goto finish;
-        }
-
-        pr_debug("%s: sack queue is empty\n", __func__);
-finish:
-        return q->empty;
+        return sctp_outq_is_empty(q);
 }
 
-/* Is the outqueue empty?  */
+/* Is the outqueue empty?
+ * The queue is empty when we have not pending data, no in-flight data
+ * and nothing pending retransmissions.
+ */
 int sctp_outq_is_empty(const struct sctp_outq *q)
 {
-        return q->empty;
+        return q->out_qlen == 0 && q->outstanding_bytes == 0 &&
+               list_empty(&q->retransmit);
 }
 
 /********************************************************************
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index 53c452efb40b..5e68b94ee640 100644
--- a/net/sctp/probe.c
+++ b/net/sctp/probe.c
@@ -38,6 +38,7 @@
 #include <net/sctp/sctp.h>
 #include <net/sctp/sm.h>
 
+MODULE_SOFTDEP("pre: sctp");
 MODULE_AUTHOR("Wei Yongjun <yjwei@cn.fujitsu.com>");
 MODULE_DESCRIPTION("SCTP snooper");
 MODULE_LICENSE("GPL");
@@ -182,6 +183,20 @@ static struct jprobe sctp_recv_probe = {
         .entry  = jsctp_sf_eat_sack,
 };
 
+static __init int sctp_setup_jprobe(void)
+{
+        int ret = register_jprobe(&sctp_recv_probe);
+
+        if (ret) {
+                if (request_module("sctp"))
+                        goto out;
+                ret = register_jprobe(&sctp_recv_probe);
+        }
+
+out:
+        return ret;
+}
+
 static __init int sctpprobe_init(void)
 {
         int ret = -ENOMEM;
@@ -202,7 +217,7 @@ static __init int sctpprobe_init(void)
                          &sctpprobe_fops))
                 goto free_kfifo;
 
-        ret = register_jprobe(&sctp_recv_probe);
+        ret = sctp_setup_jprobe();
         if (ret)
                 goto remove_proc;
 
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index dfe3f36ff2aa..a26065be7289 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -820,7 +820,7 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
         SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);
         sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 
-        if (new_asoc->autoclose)
+        if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 
@@ -908,7 +908,7 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
         SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
         SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);
         sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
-        if (asoc->autoclose)
+        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 
@@ -2970,7 +2970,7 @@ sctp_disposition_t sctp_sf_eat_data_6_2(struct net *net,
         if (chunk->chunk_hdr->flags & SCTP_DATA_SACK_IMM)
                 force = SCTP_FORCE();
 
-        if (asoc->autoclose) {
+        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
         }
@@ -3878,7 +3878,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
                                 SCTP_CHUNK(chunk));
 
         /* Count this as receiving DATA. */
-        if (asoc->autoclose) {
+        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE]) {
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
         }
@@ -5267,7 +5267,7 @@ sctp_disposition_t sctp_sf_do_9_2_start_shutdown(
         sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
                         SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
 
-        if (asoc->autoclose)
+        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 
@@ -5346,7 +5346,7 @@ sctp_disposition_t sctp_sf_do_9_2_shutdown_ack(
         sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_RESTART,
                         SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
 
-        if (asoc->autoclose)
+        if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                                 SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));
 
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 72046b9729a8..42b709c95cf3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2196,6 +2196,7 @@ static int sctp_setsockopt_autoclose(struct sock *sk, char __user *optval,
                                      unsigned int optlen)
 {
         struct sctp_sock *sp = sctp_sk(sk);
+        struct net *net = sock_net(sk);
 
         /* Applicable to UDP-style socket only */
         if (sctp_style(sk, TCP))
@@ -2205,6 +2206,9 @@ static int sctp_setsockopt_autoclose(struct sock *sk, char __user *optval,
         if (copy_from_user(&sp->autoclose, optval, optlen))
                 return -EFAULT;
 
+        if (sp->autoclose > net->sctp.max_autoclose)
+                sp->autoclose = net->sctp.max_autoclose;
+
         return 0;
 }
 
@@ -2811,6 +2815,8 @@ static int sctp_setsockopt_rtoinfo(struct sock *sk, char __user *optval, unsigne
 {
         struct sctp_rtoinfo rtoinfo;
         struct sctp_association *asoc;
+        unsigned long rto_min, rto_max;
+        struct sctp_sock *sp = sctp_sk(sk);
 
         if (optlen != sizeof (struct sctp_rtoinfo))
                 return -EINVAL;
@@ -2824,26 +2830,36 @@ static int sctp_setsockopt_rtoinfo(struct sock *sk, char __user *optval, unsigne
         if (!asoc && rtoinfo.srto_assoc_id && sctp_style(sk, UDP))
                 return -EINVAL;
 
+        rto_max = rtoinfo.srto_max;
+        rto_min = rtoinfo.srto_min;
+
+        if (rto_max)
+                rto_max = asoc ? msecs_to_jiffies(rto_max) : rto_max;
+        else
+                rto_max = asoc ? asoc->rto_max : sp->rtoinfo.srto_max;
+
+        if (rto_min)
+                rto_min = asoc ? msecs_to_jiffies(rto_min) : rto_min;
+        else
+                rto_min = asoc ? asoc->rto_min : sp->rtoinfo.srto_min;
+
+        if (rto_min > rto_max)
+                return -EINVAL;
+
         if (asoc) {
                 if (rtoinfo.srto_initial != 0)
                         asoc->rto_initial =
                                 msecs_to_jiffies(rtoinfo.srto_initial);
-                if (rtoinfo.srto_max != 0)
-                        asoc->rto_max = msecs_to_jiffies(rtoinfo.srto_max);
-                if (rtoinfo.srto_min != 0)
-                        asoc->rto_min = msecs_to_jiffies(rtoinfo.srto_min);
+                asoc->rto_max = rto_max;
+                asoc->rto_min = rto_min;
         } else {
                 /* If there is no association or the association-id = 0
                  * set the values to the endpoint.
                  */
-                struct sctp_sock *sp = sctp_sk(sk);
-
                 if (rtoinfo.srto_initial != 0)
                         sp->rtoinfo.srto_initial = rtoinfo.srto_initial;
-                if (rtoinfo.srto_max != 0)
-                        sp->rtoinfo.srto_max = rtoinfo.srto_max;
-                if (rtoinfo.srto_min != 0)
-                        sp->rtoinfo.srto_min = rtoinfo.srto_min;
+                sp->rtoinfo.srto_max = rto_max;
+                sp->rtoinfo.srto_min = rto_min;
         }
 
         return 0;
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 6b36561a1b3b..b0565afb61c7 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -56,11 +56,16 @@ extern long sysctl_sctp_mem[3];
 extern int sysctl_sctp_rmem[3];
 extern int sysctl_sctp_wmem[3];
 
-static int proc_sctp_do_hmac_alg(struct ctl_table *ctl,
-                                int write,
+static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
+                                void __user *buffer, size_t *lenp,
+                                loff_t *ppos);
+static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write,
+                                void __user *buffer, size_t *lenp,
+                                loff_t *ppos);
+static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write,
                                 void __user *buffer, size_t *lenp,
-
                                 loff_t *ppos);
+
 static struct ctl_table sctp_table[] = {
         {
                 .procname       = "sctp_mem",
@@ -102,17 +107,17 @@ static struct ctl_table sctp_net_table[] = {
                 .data           = &init_net.sctp.rto_min,
                 .maxlen         = sizeof(unsigned int),
                 .mode           = 0644,
-                .proc_handler   = proc_dointvec_minmax,
+                .proc_handler   = proc_sctp_do_rto_min,
                 .extra1         = &one,
-                .extra2         = &timer_max
+                .extra2         = &init_net.sctp.rto_max
         },
         {
                 .procname       = "rto_max",
                 .data           = &init_net.sctp.rto_max,
                 .maxlen         = sizeof(unsigned int),
                 .mode           = 0644,
-                .proc_handler   = proc_dointvec_minmax,
-                .extra1         = &one,
+                .proc_handler   = proc_sctp_do_rto_max,
+                .extra1         = &init_net.sctp.rto_min,
                 .extra2         = &timer_max
         },
         {
@@ -294,8 +299,7 @@ static struct ctl_table sctp_net_table[] = {
         { /* sentinel */ }
 };
 
-static int proc_sctp_do_hmac_alg(struct ctl_table *ctl,
-                                int write,
+static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
                                 void __user *buffer, size_t *lenp,
                                 loff_t *ppos)
 {
@@ -342,6 +346,60 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl,
         return ret;
 }
 
+static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write,
+                                void __user *buffer, size_t *lenp,
+                                loff_t *ppos)
+{
+        struct net *net = current->nsproxy->net_ns;
+        int new_value;
+        struct ctl_table tbl;
+        unsigned int min = *(unsigned int *) ctl->extra1;
+        unsigned int max = *(unsigned int *) ctl->extra2;
+        int ret;
+
+        memset(&tbl, 0, sizeof(struct ctl_table));
+        tbl.maxlen = sizeof(unsigned int);
+
+        if (write)
+                tbl.data = &new_value;
+        else
+                tbl.data = &net->sctp.rto_min;
+        ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
+        if (write) {
+                if (ret || new_value > max || new_value < min)
+                        return -EINVAL;
+                net->sctp.rto_min = new_value;
+        }
+        return ret;
+}
+
+static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write,
+                                void __user *buffer, size_t *lenp,
+                                loff_t *ppos)
+{
+        struct net *net = current->nsproxy->net_ns;
+        int new_value;
+        struct ctl_table tbl;
+        unsigned int min = *(unsigned int *) ctl->extra1;
+        unsigned int max = *(unsigned int *) ctl->extra2;
+        int ret;
+
+        memset(&tbl, 0, sizeof(struct ctl_table));
+        tbl.maxlen = sizeof(unsigned int);
+
+        if (write)
+                tbl.data = &new_value;
+        else
+                tbl.data = &net->sctp.rto_max;
+        ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
+        if (write) {
+                if (ret || new_value > max || new_value < min)
+                        return -EINVAL;
+                net->sctp.rto_max = new_value;
+        }
+        return ret;
+}
+
 int sctp_sysctl_net_register(struct net *net)
 {
         struct ctl_table *table;
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index e332efb124cc..efc46ffed1fd 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -573,7 +573,7 @@ void sctp_transport_burst_limited(struct sctp_transport *t)
         u32 old_cwnd = t->cwnd;
         u32 max_burst_bytes;
 
-        if (t->burst_limited)
+        if (t->burst_limited || asoc->max_burst == 0)
                 return;
 
         max_burst_bytes = t->flight_size + (asoc->max_burst * asoc->pathmtu);
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 97912b40c254..42fdfc634e56 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1517,7 +1517,7 @@ out:
 static int
 gss_refresh_null(struct rpc_task *task)
 {
-        return -EACCES;
+        return 0;
 }
 
 static __be32 *
diff --git a/net/tipc/core.c b/net/tipc/core.c
index fd4eeeaa972a..c6d3f75a9e1b 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -113,7 +113,6 @@ err:
 static void tipc_core_stop(void)
 {
         tipc_netlink_stop();
-        tipc_handler_stop();
         tipc_cfg_stop();
         tipc_subscr_stop();
         tipc_nametbl_stop();
@@ -146,9 +145,10 @@ static int tipc_core_start(void)
                 res = tipc_subscr_start();
         if (!res)
                 res = tipc_cfg_init();
-        if (res)
+        if (res) {
+                tipc_handler_stop();
                 tipc_core_stop();
-
+        }
         return res;
 }
 
@@ -178,6 +178,7 @@ static int __init tipc_init(void)
 
 static void __exit tipc_exit(void)
 {
+        tipc_handler_stop();
         tipc_core_stop_net();
         tipc_core_stop();
         pr_info("Deactivated\n");
diff --git a/net/tipc/handler.c b/net/tipc/handler.c
index b36f0fcd9bdf..e4bc8a296744 100644
--- a/net/tipc/handler.c
+++ b/net/tipc/handler.c
@@ -56,12 +56,13 @@ unsigned int tipc_k_signal(Handler routine, unsigned long argument)
 {
         struct queue_item *item;
 
+        spin_lock_bh(&qitem_lock);
         if (!handler_enabled) {
                 pr_err("Signal request ignored by handler\n");
+                spin_unlock_bh(&qitem_lock);
                 return -ENOPROTOOPT;
         }
 
-        spin_lock_bh(&qitem_lock);
         item = kmem_cache_alloc(tipc_queue_item_cache, GFP_ATOMIC);
         if (!item) {
                 pr_err("Signal queue out of memory\n");
@@ -112,10 +113,14 @@ void tipc_handler_stop(void)
         struct list_head *l, *n;
         struct queue_item *item;
 
-        if (!handler_enabled)
+        spin_lock_bh(&qitem_lock);
+        if (!handler_enabled) {
+                spin_unlock_bh(&qitem_lock);
                 return;
-
+        }
         handler_enabled = 0;
+        spin_unlock_bh(&qitem_lock);
+
         tasklet_kill(&tipc_tasklet);
 
         spin_lock_bh(&qitem_lock);
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 69cd9bf3f561..13b987745820 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1498,6 +1498,7 @@ void tipc_recv_msg(struct sk_buff *head, struct tipc_bearer *b_ptr)
                 int type;
 
                 head = head->next;
+                buf->next = NULL;
 
                 /* Ensure bearer is still enabled */
                 if (unlikely(!b_ptr->active))
diff --git a/net/tipc/port.c b/net/tipc/port.c
index c081a7632302..d43f3182b1d4 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -251,18 +251,15 @@ struct tipc_port *tipc_createport(struct sock *sk,
         return p_ptr;
 }
 
-int tipc_deleteport(u32 ref)
+int tipc_deleteport(struct tipc_port *p_ptr)
 {
-        struct tipc_port *p_ptr;
         struct sk_buff *buf = NULL;
 
-        tipc_withdraw(ref, 0, NULL);
-        p_ptr = tipc_port_lock(ref);
-        if (!p_ptr)
-                return -EINVAL;
+        tipc_withdraw(p_ptr, 0, NULL);
 
-        tipc_ref_discard(ref);
-        tipc_port_unlock(p_ptr);
+        spin_lock_bh(p_ptr->lock);
+        tipc_ref_discard(p_ptr->ref);
+        spin_unlock_bh(p_ptr->lock);
 
         k_cancel_timer(&p_ptr->timer);
         if (p_ptr->connected) {
@@ -704,47 +701,36 @@ int tipc_set_portimportance(u32 ref, unsigned int imp)
 }
 
 
-int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
+int tipc_publish(struct tipc_port *p_ptr, unsigned int scope,
+                 struct tipc_name_seq const *seq)
 {
-        struct tipc_port *p_ptr;
         struct publication *publ;
         u32 key;
-        int res = -EINVAL;
 
-        p_ptr = tipc_port_lock(ref);
-        if (!p_ptr)
+        if (p_ptr->connected)
                 return -EINVAL;
+        key = p_ptr->ref + p_ptr->pub_count + 1;
+        if (key == p_ptr->ref)
+                return -EADDRINUSE;
 
-        if (p_ptr->connected)
-                goto exit;
-        key = ref + p_ptr->pub_count + 1;
-        if (key == ref) {
-                res = -EADDRINUSE;
-                goto exit;
-        }
         publ = tipc_nametbl_publish(seq->type, seq->lower, seq->upper,
                                     scope, p_ptr->ref, key);
         if (publ) {
                 list_add(&publ->pport_list, &p_ptr->publications);
                 p_ptr->pub_count++;
                 p_ptr->published = 1;
-                res = 0;
+                return 0;
         }
-exit:
-        tipc_port_unlock(p_ptr);
-        return res;
+        return -EINVAL;
 }
 
-int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
+int tipc_withdraw(struct tipc_port *p_ptr, unsigned int scope,
+                  struct tipc_name_seq const *seq)
 {
-        struct tipc_port *p_ptr;
         struct publication *publ;
         struct publication *tpubl;
         int res = -EINVAL;
 
-        p_ptr = tipc_port_lock(ref);
-        if (!p_ptr)
-                return -EINVAL;
         if (!seq) {
                 list_for_each_entry_safe(publ, tpubl,
                                          &p_ptr->publications, pport_list) {
@@ -771,7 +757,6 @@ int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
         }
         if (list_empty(&p_ptr->publications))
                 p_ptr->published = 0;
-        tipc_port_unlock(p_ptr);
         return res;
 }
 
diff --git a/net/tipc/port.h b/net/tipc/port.h
index 912253597343..34f12bd4074e 100644
--- a/net/tipc/port.h
+++ b/net/tipc/port.h
@@ -116,7 +116,7 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err);
 
 void tipc_acknowledge(u32 port_ref, u32 ack);
 
-int tipc_deleteport(u32 portref);
+int tipc_deleteport(struct tipc_port *p_ptr);
 
 int tipc_portimportance(u32 portref, unsigned int *importance);
 int tipc_set_portimportance(u32 portref, unsigned int importance);
@@ -127,9 +127,9 @@ int tipc_set_portunreliable(u32 portref, unsigned int isunreliable);
 int tipc_portunreturnable(u32 portref, unsigned int *isunreturnable);
 int tipc_set_portunreturnable(u32 portref, unsigned int isunreturnable);
 
-int tipc_publish(u32 portref, unsigned int scope,
+int tipc_publish(struct tipc_port *p_ptr, unsigned int scope,
                  struct tipc_name_seq const *name_seq);
-int tipc_withdraw(u32 portref, unsigned int scope,
+int tipc_withdraw(struct tipc_port *p_ptr, unsigned int scope,
                   struct tipc_name_seq const *name_seq);
 
 int tipc_connect(u32 portref, struct tipc_portid const *port);
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 3b61851bb927..e741416d1d24 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -354,7 +354,7 @@ static int release(struct socket *sock)
          * Delete TIPC port; this ensures no more messages are queued
          * (also disconnects an active connection & sends a 'FIN-' to peer)
          */
-        res = tipc_deleteport(tport->ref);
+        res = tipc_deleteport(tport);
 
         /* Discard any remaining (connection-based) messages in receive queue */
         __skb_queue_purge(&sk->sk_receive_queue);
@@ -386,30 +386,46 @@ static int release(struct socket *sock)
  */
 static int bind(struct socket *sock, struct sockaddr *uaddr, int uaddr_len)
 {
+        struct sock *sk = sock->sk;
         struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
-        u32 portref = tipc_sk_port(sock->sk)->ref;
+        struct tipc_port *tport = tipc_sk_port(sock->sk);
+        int res = -EINVAL;
 
-        if (unlikely(!uaddr_len))
-                return tipc_withdraw(portref, 0, NULL);
+        lock_sock(sk);
+        if (unlikely(!uaddr_len)) {
+                res = tipc_withdraw(tport, 0, NULL);
+                goto exit;
+        }
 
-        if (uaddr_len < sizeof(struct sockaddr_tipc))
-                return -EINVAL;
-        if (addr->family != AF_TIPC)
-                return -EAFNOSUPPORT;
+        if (uaddr_len < sizeof(struct sockaddr_tipc)) {
+                res = -EINVAL;
+                goto exit;
+        }
+        if (addr->family != AF_TIPC) {
+                res = -EAFNOSUPPORT;
+                goto exit;
+        }
 
         if (addr->addrtype == TIPC_ADDR_NAME)
                 addr->addr.nameseq.upper = addr->addr.nameseq.lower;
-        else if (addr->addrtype != TIPC_ADDR_NAMESEQ)
-                return -EAFNOSUPPORT;
+        else if (addr->addrtype != TIPC_ADDR_NAMESEQ) {
+                res = -EAFNOSUPPORT;
+                goto exit;
+        }
 
         if ((addr->addr.nameseq.type < TIPC_RESERVED_TYPES) &&
             (addr->addr.nameseq.type != TIPC_TOP_SRV) &&
-            (addr->addr.nameseq.type != TIPC_CFG_SRV))
-                return -EACCES;
+            (addr->addr.nameseq.type != TIPC_CFG_SRV)) {
+                res = -EACCES;
+                goto exit;
+        }
 
-        return (addr->scope > 0) ?
-                tipc_publish(portref, addr->scope, &addr->addr.nameseq) :
-                tipc_withdraw(portref, -addr->scope, &addr->addr.nameseq);
+        res = (addr->scope > 0) ?
+                tipc_publish(tport, addr->scope, &addr->addr.nameseq) :
+                tipc_withdraw(tport, -addr->scope, &addr->addr.nameseq);
+exit:
+        release_sock(sk);
+        return res;
 }
 
 /**
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 01625ccc3ae6..a427623ee574 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -530,13 +530,17 @@ static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
 static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
                                   struct msghdr *, size_t, int);
 
-static void unix_set_peek_off(struct sock *sk, int val)
+static int unix_set_peek_off(struct sock *sk, int val)
 {
         struct unix_sock *u = unix_sk(sk);
 
-        mutex_lock(&u->readlock);
+        if (mutex_lock_interruptible(&u->readlock))
+                return -EINTR;
+
         sk->sk_peek_off = val;
         mutex_unlock(&u->readlock);
+
+        return 0;
 }
 
 
@@ -714,7 +718,9 @@ static int unix_autobind(struct socket *sock)
         int err;
         unsigned int retries = 0;
 
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err)
+                return err;
 
         err = 0;
         if (u->addr)
@@ -873,7 +879,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 goto out;
         addr_len = err;
 
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err)
+                goto out;
 
         err = -EINVAL;
         if (u->addr)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index aff959e5a1b3..52b865fb7351 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -451,6 +451,15 @@ int wiphy_register(struct wiphy *wiphy)
         int i;
         u16 ifmodes = wiphy->interface_modes;
 
+        /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
+        wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
+
+        /*
+         * There are major locking problems in nl80211/mac80211 for CSA,
+         * disable for all drivers until this has been reworked.
+         */
+        wiphy->flags &= ~WIPHY_FLAG_HAS_CHANNEL_SWITCH;
+
 #ifdef CONFIG_PM
         if (WARN_ON(wiphy->wowlan &&
                     (wiphy->wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index 9d797df56649..89737ee2669a 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -262,7 +262,7 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
 
         /* try to find an IBSS channel if none requested ... */
         if (!wdev->wext.ibss.chandef.chan) {
-                wdev->wext.ibss.chandef.width = NL80211_CHAN_WIDTH_20_NOHT;
+                struct ieee80211_channel *new_chan = NULL;
 
                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
                         struct ieee80211_supported_band *sband;
@@ -278,18 +278,19 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
                                         continue;
                                 if (chan->flags & IEEE80211_CHAN_DISABLED)
                                         continue;
-                                wdev->wext.ibss.chandef.chan = chan;
-                                wdev->wext.ibss.chandef.center_freq1 =
-                                        chan->center_freq;
+                                new_chan = chan;
                                 break;
                         }
 
-                        if (wdev->wext.ibss.chandef.chan)
+                        if (new_chan)
                                 break;
                 }
 
-                if (!wdev->wext.ibss.chandef.chan)
+                if (!new_chan)
                         return -EINVAL;
+
+                cfg80211_chandef_create(&wdev->wext.ibss.chandef, new_chan,
+                                        NL80211_CHAN_NO_HT);
         }
 
         /* don't join -- SSID is not there */
@@ -363,9 +364,8 @@ int cfg80211_ibss_wext_siwfreq(struct net_device *dev,
                 return err;
 
         if (chan) {
-                wdev->wext.ibss.chandef.chan = chan;
-                wdev->wext.ibss.chandef.width = NL80211_CHAN_WIDTH_20_NOHT;
-                wdev->wext.ibss.chandef.center_freq1 = freq;
+                cfg80211_chandef_create(&wdev->wext.ibss.chandef, chan,
+                                        NL80211_CHAN_NO_HT);
                 wdev->wext.ibss.channel_fixed = true;
         } else {
                 /* cfg80211_ibss_wext_join will pick one if needed */
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index a1eb21073176..138dc3bb8b67 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2687,7 +2687,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
         hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
                              NL80211_CMD_NEW_KEY);
         if (!hdr)
-                return -ENOBUFS;
+                goto nla_put_failure;
 
         cookie.msg = msg;
         cookie.idx = key_idx;
@@ -5349,6 +5349,10 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
                                 err = -EINVAL;
                                 goto out_free;
                         }
+
+                        if (!wiphy->bands[band])
+                                continue;
+
                         err = ieee80211_get_ratemask(wiphy->bands[band],
                                                      nla_data(attr),
                                                      nla_len(attr),
@@ -9633,8 +9637,9 @@ static int nl80211_add_scan_req(struct sk_buff *msg,
             nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
                 goto nla_put_failure;
 
-        if (req->flags)
-                nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
+        if (req->flags &&
+            nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
+                goto nla_put_failure;
 
         return 0;
  nla_put_failure:
@@ -11093,6 +11098,8 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
                 struct nlattr *reasons;
 
                 reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
+                if (!reasons)
+                        goto free_msg;
 
                 if (wakeup->disconnect &&
                     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
@@ -11118,16 +11125,18 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
                                 wakeup->pattern_idx))
                         goto free_msg;
 
-                if (wakeup->tcp_match)
-                        nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH);
+                if (wakeup->tcp_match &&
+                    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
+                        goto free_msg;
 
-                if (wakeup->tcp_connlost)
-                        nla_put_flag(msg,
-                                     NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST);
+                if (wakeup->tcp_connlost &&
+                    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
+                        goto free_msg;
 
-                if (wakeup->tcp_nomoretokens)
-                        nla_put_flag(msg,
-                                NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS);
+                if (wakeup->tcp_nomoretokens &&
+                    nla_put_flag(msg,
+                                 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
+                        goto free_msg;
 
                 if (wakeup->packet) {
                         u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
@@ -11263,24 +11272,29 @@ void cfg80211_ft_event(struct net_device *netdev,
                 return;
 
         hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
-        if (!hdr) {
-                nlmsg_free(msg);
-                return;
-        }
+        if (!hdr)
+                goto out;
 
-        nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
-        nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
-        nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap);
-        if (ft_event->ies)
-                nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies);
-        if (ft_event->ric_ies)
-                nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
-                        ft_event->ric_ies);
+        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
+            nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
+            nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
+                goto out;
+
+        if (ft_event->ies &&
+            nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
+                goto out;
+        if (ft_event->ric_ies &&
+            nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
+                    ft_event->ric_ies))
+                goto out;
 
         genlmsg_end(msg, hdr);
 
         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
                                 NL80211_MCGRP_MLME, GFP_KERNEL);
+        return;
+ out:
+        nlmsg_free(msg);
 }
 EXPORT_SYMBOL(cfg80211_ft_event);
 
diff --git a/net/wireless/radiotap.c b/net/wireless/radiotap.c
index a271c27fac77..722da616438c 100644
--- a/net/wireless/radiotap.c
+++ b/net/wireless/radiotap.c
@@ -124,6 +124,10 @@ int ieee80211_radiotap_iterator_init(
         /* find payload start allowing for extended bitmap(s) */
 
         if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
+                if ((unsigned long)iterator->_arg -
+                    (unsigned long)iterator->_rtheader + sizeof(uint32_t) >
+                    (unsigned long)iterator->_max_length)
+                        return -EINVAL;
                 while (get_unaligned_le32(iterator->_arg) &
                                         (1 << IEEE80211_RADIOTAP_EXT)) {
                         iterator->_arg += sizeof(uint32_t);
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 65f800890d70..d3c5bd7c6b51 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -632,6 +632,16 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
         }
 #endif
 
+        if (!bss && (status == WLAN_STATUS_SUCCESS)) {
+                WARN_ON_ONCE(!wiphy_to_dev(wdev->wiphy)->ops->connect);
+                bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+                                       wdev->ssid, wdev->ssid_len,
+                                       WLAN_CAPABILITY_ESS,
+                                       WLAN_CAPABILITY_ESS);
+                if (bss)
+                        cfg80211_hold_bss(bss_from_pub(bss));
+        }
+
         if (wdev->current_bss) {
                 cfg80211_unhold_bss(wdev->current_bss);
                 cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub);
@@ -649,16 +659,8 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                 return;
         }
 
-        if (!bss) {
-                WARN_ON_ONCE(!wiphy_to_dev(wdev->wiphy)->ops->connect);
-                bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
-                                       wdev->ssid, wdev->ssid_len,
-                                       WLAN_CAPABILITY_ESS,
-                                       WLAN_CAPABILITY_ESS);
-                if (WARN_ON(!bss))
-                        return;
-                cfg80211_hold_bss(bss_from_pub(bss));
-        }
+        if (WARN_ON(!bss))
+                return;
 
         wdev->current_bss = bss_from_pub(bss);