Merge branch 'fix/misc' into topic/misc

25 files changed, 146 insertions, 78 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 55be90826f5f..529842677817 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -708,7 +708,8 @@ static int vlan_dev_init(struct net_device *dev)
         netif_carrier_off(dev);
 
         /* IFF_BROADCAST|IFF_MULTICAST; ??? */
-        dev->flags  = real_dev->flags & ~(IFF_UP | IFF_PROMISC | IFF_ALLMULTI);
+        dev->flags  = real_dev->flags & ~(IFF_UP | IFF_PROMISC | IFF_ALLMULTI |
+                                          IFF_MASTER | IFF_SLAVE);
         dev->iflink = real_dev->ifindex;
         dev->state  = (real_dev->state & ((1<<__LINK_STATE_NOCARRIER) |
                                           (1<<__LINK_STATE_DORMANT))) |
diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c
index cb4325a3dc83..965c5baace40 100644
--- a/net/caif/cfserl.c
+++ b/net/caif/cfserl.c
@@ -59,16 +59,18 @@ static int cfserl_receive(struct cflayer *l, struct cfpkt *newpkt)
         u8 stx = CFSERL_STX;
         int ret;
         u16 expectlen = 0;
+
         caif_assert(newpkt != NULL);
         spin_lock(&layr->sync);
 
         if (layr->incomplete_frm != NULL) {
-
                 layr->incomplete_frm =
                     cfpkt_append(layr->incomplete_frm, newpkt, expectlen);
                 pkt = layr->incomplete_frm;
-                if (pkt == NULL)
+                if (pkt == NULL) {
+                        spin_unlock(&layr->sync);
                         return -ENOMEM;
+                }
         } else {
                 pkt = newpkt;
         }
diff --git a/net/core/dev.c b/net/core/dev.c
index 1845b08c624e..d03470f5260a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2795,7 +2795,7 @@ static int __netif_receive_skb(struct sk_buff *skb)
         struct net_device *orig_dev;
         struct net_device *master;
         struct net_device *null_or_orig;
-        struct net_device *null_or_bond;
+        struct net_device *orig_or_bond;
         int ret = NET_RX_DROP;
         __be16 type;
 
@@ -2868,10 +2868,10 @@ ncls:
          * device that may have registered for a specific ptype.  The
          * handler may have to adjust skb->dev and orig_dev.
          */
-        null_or_bond = NULL;
+        orig_or_bond = orig_dev;
         if ((skb->dev->priv_flags & IFF_802_1Q_VLAN) &&
             (vlan_dev_real_dev(skb->dev)->priv_flags & IFF_BONDING)) {
-                null_or_bond = vlan_dev_real_dev(skb->dev);
+                orig_or_bond = vlan_dev_real_dev(skb->dev);
         }
 
         type = skb->protocol;
@@ -2879,7 +2879,7 @@ ncls:
                         &ptype_base[ntohs(type) & PTYPE_HASH_MASK], list) {
                 if (ptype->type == type && (ptype->dev == null_or_orig ||
                      ptype->dev == skb->dev || ptype->dev == orig_dev ||
-                     ptype->dev == null_or_bond)) {
+                     ptype->dev == orig_or_bond)) {
                         if (pt_prev)
                                 ret = deliver_skb(skb, pt_prev, orig_dev);
                         pt_prev = ptype;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f8abf68e3988..9f07e749d7b1 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -482,22 +482,22 @@ EXPORT_SYMBOL(consume_skb);
  *      reference count dropping and cleans up the skbuff as if it
  *      just came from __alloc_skb().
  */
-int skb_recycle_check(struct sk_buff *skb, int skb_size)
+bool skb_recycle_check(struct sk_buff *skb, int skb_size)
 {
         struct skb_shared_info *shinfo;
 
         if (irqs_disabled())
-                return 0;
+                return false;
 
         if (skb_is_nonlinear(skb) || skb->fclone != SKB_FCLONE_UNAVAILABLE)
-                return 0;
+                return false;
 
         skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD);
         if (skb_end_pointer(skb) - skb->head < skb_size)
-                return 0;
+                return false;
 
         if (skb_shared(skb) || skb_cloned(skb))
-                return 0;
+                return false;
 
         skb_release_head_state(skb);
 
@@ -509,7 +509,7 @@ int skb_recycle_check(struct sk_buff *skb, int skb_size)
         skb->data = skb->head + NET_SKB_PAD;
         skb_reset_tail_pointer(skb);
 
-        return 1;
+        return true;
 }
 EXPORT_SYMBOL(skb_recycle_check);
 
@@ -2965,6 +2965,34 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
 }
 EXPORT_SYMBOL_GPL(skb_cow_data);
 
+static void sock_rmem_free(struct sk_buff *skb)
+{
+        struct sock *sk = skb->sk;
+
+        atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+}
+
+/*
+ * Note: We dont mem charge error packets (no sk_forward_alloc changes)
+ */
+int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+{
+        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
+            (unsigned)sk->sk_rcvbuf)
+                return -ENOMEM;
+
+        skb_orphan(skb);
+        skb->sk = sk;
+        skb->destructor = sock_rmem_free;
+        atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+
+        skb_queue_tail(&sk->sk_error_queue, skb);
+        if (!sock_flag(sk, SOCK_DEAD))
+                sk->sk_data_ready(sk, skb->len);
+        return 0;
+}
+EXPORT_SYMBOL(sock_queue_err_skb);
+
 void skb_tstamp_tx(struct sk_buff *orig_skb,
                 struct skb_shared_hwtstamps *hwtstamps)
 {
@@ -2996,7 +3024,9 @@ void skb_tstamp_tx(struct sk_buff *orig_skb,
         memset(serr, 0, sizeof(*serr));
         serr->ee.ee_errno = ENOMSG;
         serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
+
         err = sock_queue_err_skb(sk, skb);
+
         if (err)
                 kfree_skb(skb);
 }
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 8e3a1fd938ab..7c3a7d191249 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -303,7 +303,7 @@ config ARPD
           If unsure, say N.
 
 config SYN_COOKIES
-        bool "IP: TCP syncookie support (disabled per default)"
+        bool "IP: TCP syncookie support"
         ---help---
           Normal TCP/IP networking is open to an attack known as "SYN
           flooding". This denial-of-service attack prevents legitimate remote
@@ -328,13 +328,13 @@ config SYN_COOKIES
           server is really overloaded. If this happens frequently better turn
           them off.
 
-          If you say Y here, note that SYN cookies aren't enabled by default;
-          you can enable them by saying Y to "/proc file system support" and
+          If you say Y here, you can disable SYN cookies at run time by
+          saying Y to "/proc file system support" and
           "Sysctl support" below and executing the command
 
-          echo 1 >/proc/sys/net/ipv4/tcp_syncookies
+          echo 0 > /proc/sys/net/ipv4/tcp_syncookies
 
-          at boot time after the /proc file system has been mounted.
+          after the /proc file system has been mounted.
 
           If unsure, say N.
 
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 63958f3394a5..4b6c5ca610fc 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -336,7 +336,7 @@ ipt_do_table(struct sk_buff *skb,
         cpu        = smp_processor_id();
         table_base = private->entries[cpu];
         jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];
-        stackptr   = &private->stackptr[cpu];
+        stackptr   = per_cpu_ptr(private->stackptr, cpu);
         origptr    = *stackptr;
 
         e = get_entry(table_base, private->hook_entry[hook]);
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 5c24db4a3c91..9f6b22206c52 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -347,7 +347,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                                                { .sport = th->dest,
                                                  .dport = th->source } } };
                 security_req_classify_flow(req, &fl);
-                if (ip_route_output_key(&init_net, &rt, &fl)) {
+                if (ip_route_output_key(sock_net(sk), &rt, &fl)) {
                         reqsk_free(req);
                         goto out;
                 }
diff --git a/net/ipv4/tcp_hybla.c b/net/ipv4/tcp_hybla.c
index c209e054a634..377bc9349371 100644
--- a/net/ipv4/tcp_hybla.c
+++ b/net/ipv4/tcp_hybla.c
@@ -126,8 +126,8 @@ static void hybla_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)
                  * calculate 2^fract in a <<7 value.
                  */
                 is_slowstart = 1;
-                increment = ((1 << ca->rho) * hybla_fraction(rho_fractions))
-                        - 128;
+                increment = ((1 << min(ca->rho, 16U)) *
+                        hybla_fraction(rho_fractions)) - 128;
         } else {
                 /*
                  * congestion avoidance
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3e6dafcb1071..548d575e6cc6 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2639,7 +2639,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
         if (sk->sk_family == AF_INET) {
                 printk(KERN_DEBUG "Undo %s %pI4/%u c%u l%u ss%u/%u p%u\n",
                        msg,
-                       &inet->daddr, ntohs(inet->dport),
+                       &inet->inet_daddr, ntohs(inet->inet_dport),
                        tp->snd_cwnd, tcp_left_out(tp),
                        tp->snd_ssthresh, tp->prior_ssthresh,
                        tp->packets_out);
@@ -2649,7 +2649,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
                 struct ipv6_pinfo *np = inet6_sk(sk);
                 printk(KERN_DEBUG "Undo %s %pI6/%u c%u l%u ss%u/%u p%u\n",
                        msg,
-                       &np->daddr, ntohs(inet->dport),
+                       &np->daddr, ntohs(inet->inet_dport),
                        tp->snd_cwnd, tcp_left_out(tp),
                        tp->snd_ssthresh, tp->prior_ssthresh,
                        tp->packets_out);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 202cf09c4cd4..fe193e53af44 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1555,6 +1555,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
 #endif
 
         if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+                sock_rps_save_rxhash(sk, skb->rxhash);
                 TCP_CHECK_TIMER(sk);
                 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
                         rsk = sk;
@@ -1579,7 +1580,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
                         }
                         return 0;
                 }
-        }
+        } else
+                sock_rps_save_rxhash(sk, skb->rxhash);
+
 
         TCP_CHECK_TIMER(sk);
         if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len)) {
@@ -1672,8 +1675,6 @@ process:
 
         skb->dev = NULL;
 
-        sock_rps_save_rxhash(sk, skb->rxhash);
-
         bh_lock_sock_nested(sk);
         ret = 0;
         if (!sock_owned_by_user(sk)) {
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 58585748bdac..eec4ff456e33 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -633,9 +633,9 @@ void __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
         if (!inet->recverr) {
                 if (!harderr || sk->sk_state != TCP_ESTABLISHED)
                         goto out;
-        } else {
+        } else
                 ip_icmp_error(sk, skb, err, uh->dest, info, (u8 *)(uh+1));
-        }
+
         sk->sk_err = err;
         sk->sk_error_report(sk);
 out:
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 6f517bd83692..9d2d68f0e605 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -363,7 +363,7 @@ ip6t_do_table(struct sk_buff *skb,
         cpu        = smp_processor_id();
         table_base = private->entries[cpu];
         jumpstack  = (struct ip6t_entry **)private->jumpstack[cpu];
-        stackptr   = &private->stackptr[cpu];
+        stackptr   = per_cpu_ptr(private->stackptr, cpu);
         origptr    = *stackptr;
 
         e = get_entry(table_base, private->hook_entry[hook]);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 294cbe8b0725..252d76199c41 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -814,7 +814,7 @@ struct dst_entry * ip6_route_output(struct net *net, struct sock *sk,
 {
         int flags = 0;
 
-        if (fl->oif || rt6_need_strict(&fl->fl6_dst))
+        if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl->fl6_dst))
                 flags |= RT6_LOOKUP_F_IFACE;
 
         if (!ipv6_addr_any(&fl->fl6_src))
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index c163d0a149f4..98258b7341e3 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -332,14 +332,16 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                 IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
 
         spin_unlock(&local->ampdu_lock);
-        spin_unlock_bh(&sta->lock);
 
-        /* send an addBA request */
+        /* prepare tid data */
         sta->ampdu_mlme.dialog_token_allocator++;
         sta->ampdu_mlme.tid_tx[tid]->dialog_token =
                         sta->ampdu_mlme.dialog_token_allocator;
         sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;
 
+        spin_unlock_bh(&sta->lock);
+
+        /* send AddBA request */
         ieee80211_send_addba_request(sdata, pubsta->addr, tid,
                          sta->ampdu_mlme.tid_tx[tid]->dialog_token,
                          sta->ampdu_mlme.tid_tx[tid]->ssn,
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 5d218c530a4e..32be11e4c4d9 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -5,7 +5,7 @@
 #include <linux/nl80211.h>
 #include "ieee80211_i.h"
 
-enum ieee80211_chan_mode
+static enum ieee80211_chan_mode
 __ieee80211_get_channel_mode(struct ieee80211_local *local,
                              struct ieee80211_sub_if_data *ignore)
 {
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 6e2a7bcd8cb8..5e0b65406c44 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                 return RX_CONTINUE;
 
         if (ieee80211_is_back_req(bar->frame_control)) {
+                struct {
+                        __le16 control, start_seq_num;
+                } __packed bar_data;
+
                 if (!rx->sta)
                         return RX_DROP_MONITOR;
+
+                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
+                                  &bar_data, sizeof(bar_data)))
+                        return RX_DROP_MONITOR;
+
                 spin_lock(&rx->sta->lock);
-                tid = le16_to_cpu(bar->control) >> 12;
+                tid = le16_to_cpu(bar_data.control) >> 12;
                 if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
                         spin_unlock(&rx->sta->lock);
                         return RX_DROP_MONITOR;
                 }
                 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
 
-                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
+                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
 
                 /* reset session timer */
                 if (tid_agg_rx->timeout)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 445de702b8b7..e34622fa0003 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -699,10 +699,8 @@ void xt_free_table_info(struct xt_table_info *info)
                 vfree(info->jumpstack);
         else
                 kfree(info->jumpstack);
-        if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
-                vfree(info->stackptr);
-        else
-                kfree(info->stackptr);
+
+        free_percpu(info->stackptr);
 
         kfree(info);
 }
@@ -753,14 +751,9 @@ static int xt_jumpstack_alloc(struct xt_table_info *i)
         unsigned int size;
         int cpu;
 
-        size = sizeof(unsigned int) * nr_cpu_ids;
-        if (size > PAGE_SIZE)
-                i->stackptr = vmalloc(size);
-        else
-                i->stackptr = kmalloc(size, GFP_KERNEL);
+        i->stackptr = alloc_percpu(unsigned int);
         if (i->stackptr == NULL)
                 return -ENOMEM;
-        memset(i->stackptr, 0, size);
 
         size = sizeof(void **) * nr_cpu_ids;
         if (size > PAGE_SIZE)
@@ -844,10 +837,6 @@ struct xt_table *xt_register_table(struct net *net,
         struct xt_table_info *private;
         struct xt_table *t, *table;
 
-        ret = xt_jumpstack_alloc(newinfo);
-        if (ret < 0)
-                return ERR_PTR(ret);
-
         /* Don't add one object to multiple lists. */
         table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
         if (!table) {
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 7b048a35ca58..94d72e85a475 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -1045,12 +1045,12 @@ static void pep_sock_unhash(struct sock *sk)
         lock_sock(sk);
         if ((1 << sk->sk_state) & ~(TCPF_CLOSE|TCPF_LISTEN)) {
                 skparent = pn->listener;
-                sk_del_node_init(sk);
                 release_sock(sk);
 
-                sk = skparent;
                 pn = pep_sk(skparent);
-                lock_sock(sk);
+                lock_sock(skparent);
+                sk_del_node_init(sk);
+                sk = skparent;
         }
         /* Unhash a listening sock only when it is closed
          * and all of its active connected pipes are closed. */
diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
index 10ed0d55f759..f68832798db2 100644
--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -475,6 +475,7 @@ int rds_ib_cm_handle_connect(struct rdma_cm_id *cm_id,
         err = rds_ib_setup_qp(conn);
         if (err) {
                 rds_ib_conn_error(conn, "rds_ib_setup_qp failed (%d)\n", err);
+                mutex_unlock(&conn->c_cm_lock);
                 goto out;
         }
 
diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
index a9d951b4fbae..b5dd6ac39be8 100644
--- a/net/rds/iw_cm.c
+++ b/net/rds/iw_cm.c
@@ -452,6 +452,7 @@ int rds_iw_cm_handle_connect(struct rdma_cm_id *cm_id,
         err = rds_iw_setup_qp(conn);
         if (err) {
                 rds_iw_conn_error(conn, "rds_iw_setup_qp failed (%d)\n", err);
+                mutex_unlock(&conn->c_cm_lock);
                 goto out;
         }
 
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index d885ba311564..570949417f38 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -159,6 +159,9 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
                         iph->daddr = new_addr;
 
                 csum_replace4(&iph->check, addr, new_addr);
+        } else if ((iph->frag_off & htons(IP_OFFSET)) ||
+                   iph->protocol != IPPROTO_ICMP) {
+                goto out;
         }
 
         ihl = iph->ihl * 4;
@@ -247,6 +250,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
                 break;
         }
 
+out:
         return action;
 
 drop:
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index fdbd0b7bd840..50e3d945e1f4 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -125,7 +125,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
 {
         struct tcf_pedit *p = a->priv;
         int i, munged = 0;
-        u8 *pptr;
+        unsigned int off;
 
         if (!(skb->tc_verd & TC_OK2MUNGE)) {
                 /* should we set skb->cloned? */
@@ -134,7 +134,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                 }
         }
 
-        pptr = skb_network_header(skb);
+        off = skb_network_offset(skb);
 
         spin_lock(&p->tcf_lock);
 
@@ -144,17 +144,17 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                 struct tc_pedit_key *tkey = p->tcfp_keys;
 
                 for (i = p->tcfp_nkeys; i > 0; i--, tkey++) {
-                        u32 *ptr;
+                        u32 *ptr, _data;
                         int offset = tkey->off;
 
                         if (tkey->offmask) {
-                                if (skb->len > tkey->at) {
-                                         char *j = pptr + tkey->at;
-                                         offset += ((*j & tkey->offmask) >>
-                                                   tkey->shift);
-                                } else {
+                                char *d, _d;
+
+                                d = skb_header_pointer(skb, off + tkey->at, 1,
+                                                       &_d);
+                                if (!d)
                                         goto bad;
-                                }
+                                offset += (*d & tkey->offmask) >> tkey->shift;
                         }
 
                         if (offset % 4) {
@@ -169,9 +169,13 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                                 goto bad;
                         }
 
-                        ptr = (u32 *)(pptr+offset);
+                        ptr = skb_header_pointer(skb, off + offset, 4, &_data);
+                        if (!ptr)
+                                goto bad;
                         /* just do it, baby */
                         *ptr = ((*ptr & tkey->mask) ^ tkey->val);
+                        if (ptr == &_data)
+                                skb_store_bits(skb, off + offset, ptr, 4);
                         munged++;
                 }
 
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 96275422c619..4f522143811e 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -98,11 +98,11 @@ static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_re
 {
         struct {
                 struct tc_u_knode *knode;
-                u8                *ptr;
+                unsigned int      off;
         } stack[TC_U32_MAXDEPTH];
 
         struct tc_u_hnode *ht = (struct tc_u_hnode*)tp->root;
-        u8 *ptr = skb_network_header(skb);
+        unsigned int off = skb_network_offset(skb);
         struct tc_u_knode *n;
         int sdepth = 0;
         int off2 = 0;
@@ -134,8 +134,14 @@ next_knode:
 #endif
 
                 for (i = n->sel.nkeys; i>0; i--, key++) {
-
-                        if ((*(__be32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
+                        unsigned int toff;
+                        __be32 *data, _data;
+
+                        toff = off + key->off + (off2 & key->offmask);
+                        data = skb_header_pointer(skb, toff, 4, &_data);
+                        if (!data)
+                                goto out;
+                        if ((*data ^ key->val) & key->mask) {
                                 n = n->next;
                                 goto next_knode;
                         }
@@ -174,29 +180,45 @@ check_terminal:
                 if (sdepth >= TC_U32_MAXDEPTH)
                         goto deadloop;
                 stack[sdepth].knode = n;
-                stack[sdepth].ptr = ptr;
+                stack[sdepth].off = off;
                 sdepth++;
 
                 ht = n->ht_down;
                 sel = 0;
-                if (ht->divisor)
-                        sel = ht->divisor&u32_hash_fold(*(__be32*)(ptr+n->sel.hoff), &n->sel,n->fshift);
-
+                if (ht->divisor) {
+                        __be32 *data, _data;
+
+                        data = skb_header_pointer(skb, off + n->sel.hoff, 4,
+                                                  &_data);
+                        if (!data)
+                                goto out;
+                        sel = ht->divisor & u32_hash_fold(*data, &n->sel,
+                                                          n->fshift);
+                }
                 if (!(n->sel.flags&(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
                         goto next_ht;
 
                 if (n->sel.flags&(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
                         off2 = n->sel.off + 3;
-                        if (n->sel.flags&TC_U32_VAROFFSET)
-                                off2 += ntohs(n->sel.offmask & *(__be16*)(ptr+n->sel.offoff)) >>n->sel.offshift;
+                        if (n->sel.flags & TC_U32_VAROFFSET) {
+                                __be16 *data, _data;
+
+                                data = skb_header_pointer(skb,
+                                                          off + n->sel.offoff,
+                                                          2, &_data);
+                                if (!data)
+                                        goto out;
+                                off2 += ntohs(n->sel.offmask & *data) >>
+                                        n->sel.offshift;
+                        }
                         off2 &= ~3;
                 }
                 if (n->sel.flags&TC_U32_EAT) {
-                        ptr += off2;
+                        off += off2;
                         off2 = 0;
                 }
 
-                if (ptr < skb_tail_pointer(skb))
+                if (off < skb->len)
                         goto next_ht;
         }
 
@@ -204,9 +226,10 @@ check_terminal:
         if (sdepth--) {
                 n = stack[sdepth].knode;
                 ht = n->ht_up;
-                ptr = stack[sdepth].ptr;
+                off = stack[sdepth].off;
                 goto check_terminal;
         }
+out:
         return -1;
 
 deadloop:
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 6a329158bdfa..a3cca0a94346 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -95,13 +95,13 @@ resume:
                         goto error_nolock;
                 }
 
-                dst = dst_pop(dst);
+                dst = skb_dst_pop(skb);
                 if (!dst) {
                         XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
                         err = -EHOSTUNREACH;
                         goto error_nolock;
                 }
-                skb_dst_set(skb, dst);
+                skb_dst_set_noref(skb, dst);
                 x = dst->xfrm;
         } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d965a2bad8d3..4bf27d901333 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2153,6 +2153,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
                 return 0;
         }
 
+        skb_dst_force(skb);
         dst = skb_dst(skb);
 
         res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;