13 files changed, 268 insertions, 22 deletions
diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index 983bbf4d5ef6..961f0b293913 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -15,6 +15,11 @@ if PHYLIB
 comment "MII PHY device drivers"
+config AT803X_PHY
+        tristate "Drivers for Atheros AT803X PHYs"
+        ---help---
+          Currently supports the AT8030 and AT8035 model
 config AMD_PHY
        tristate "Drivers for the AMD PHYs"
        ---help---
diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile
index 426674debae4..9645e389a58d 100644
--- a/drivers/net/phy/Makefile
+++ b/drivers/net/phy/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_STE10XP)		+= ste10Xp.o
 obj-$(CONFIG_MICREL_PHY)        += micrel.o
 obj-$(CONFIG_MDIO_OCTEON)       += mdio-octeon.o
 obj-$(CONFIG_MICREL_KS8995MA)   += spi_ks8995.o
+obj-$(CONFIG_AT803X_PHY)        += at803x.o
 obj-$(CONFIG_AMD_PHY)           += amd.o
 obj-$(CONFIG_MDIO_BUS_MUX)      += mdio-mux.o
 obj-$(CONFIG_MDIO_BUS_MUX_GPIO) += mdio-mux-gpio.o
diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c
new file mode 100644
index 000000000000..45cbc10de01c
--- /dev/null
+++ b/drivers/net/phy/at803x.c
@@ -0,0 +1,176 @@
+/*
+ * drivers/net/phy/at803x.c
+ *
+ * Driver for Atheros 803x PHY
+ *
+ * Author: Matus Ujhelyi <ujhelyi.m@gmail.com>
+ *
+ * This program is free software; you can redistribute  it and/or modify it
+ * under  the terms of  the GNU General  Public License as published by the
+ * Free Software Foundation;  either version 2 of the  License, or (at your
+ * option) any later version.
+ */
+#include <linux/phy.h>
+#include <linux/module.h>
+#include <linux/string.h>
+#include <linux/netdevice.h>
+#include <linux/etherdevice.h>
+#define AT803X_INTR_ENABLE                      0x12
+#define AT803X_INTR_STATUS                      0x13
+#define AT803X_WOL_ENABLE                       0x01
+#define AT803X_DEVICE_ADDR                      0x03
+#define AT803X_LOC_MAC_ADDR_0_15_OFFSET         0x804C
+#define AT803X_LOC_MAC_ADDR_16_31_OFFSET        0x804B
+#define AT803X_LOC_MAC_ADDR_32_47_OFFSET        0x804A
+#define AT803X_MMD_ACCESS_CONTROL               0x0D
+#define AT803X_MMD_ACCESS_CONTROL_DATA          0x0E
+#define AT803X_FUNC_DATA                        0x4003
+MODULE_DESCRIPTION("Atheros 803x PHY driver");
+MODULE_AUTHOR("Matus Ujhelyi");
+MODULE_LICENSE("GPL");
+static void at803x_set_wol_mac_addr(struct phy_device *phydev)
+{
+        struct net_device *ndev = phydev->attached_dev;
+        const u8 *mac;
+        unsigned int i, offsets[] = {
+                AT803X_LOC_MAC_ADDR_32_47_OFFSET,
+                AT803X_LOC_MAC_ADDR_16_31_OFFSET,
+                AT803X_LOC_MAC_ADDR_0_15_OFFSET,
+        };
+        if (!ndev)
+                return;
+        mac = (const u8 *) ndev->dev_addr;
+        if (!is_valid_ether_addr(mac))
+                return;
+        for (i = 0; i < 3; i++) {
+                phy_write(phydev, AT803X_MMD_ACCESS_CONTROL,
+                                  AT803X_DEVICE_ADDR);
+                phy_write(phydev, AT803X_MMD_ACCESS_CONTROL_DATA,
+                                  offsets[i]);
+                phy_write(phydev, AT803X_MMD_ACCESS_CONTROL,
+                                  AT803X_FUNC_DATA);
+                phy_write(phydev, AT803X_MMD_ACCESS_CONTROL_DATA,
+                                  mac[(i * 2) + 1] | (mac[(i * 2)] << 8));
+        }
+}
+static int at803x_config_init(struct phy_device *phydev)
+{
+        int val;
+        u32 features;
+        int status;
+        features = SUPPORTED_TP | SUPPORTED_MII | SUPPORTED_AUI |
+                   SUPPORTED_FIBRE | SUPPORTED_BNC;
+        val = phy_read(phydev, MII_BMSR);
+        if (val < 0)
+                return val;
+        if (val & BMSR_ANEGCAPABLE)
+                features |= SUPPORTED_Autoneg;
+        if (val & BMSR_100FULL)
+                features |= SUPPORTED_100baseT_Full;
+        if (val & BMSR_100HALF)
+                features |= SUPPORTED_100baseT_Half;
+        if (val & BMSR_10FULL)
+                features |= SUPPORTED_10baseT_Full;
+        if (val & BMSR_10HALF)
+                features |= SUPPORTED_10baseT_Half;
+        if (val & BMSR_ESTATEN) {
+                val = phy_read(phydev, MII_ESTATUS);
+                if (val < 0)
+                        return val;
+                if (val & ESTATUS_1000_TFULL)
+                        features |= SUPPORTED_1000baseT_Full;
+                if (val & ESTATUS_1000_THALF)
+                        features |= SUPPORTED_1000baseT_Half;
+        }
+        phydev->supported = features;
+        phydev->advertising = features;
+        /* enable WOL */
+        at803x_set_wol_mac_addr(phydev);
+        status = phy_write(phydev, AT803X_INTR_ENABLE, AT803X_WOL_ENABLE);
+        status = phy_read(phydev, AT803X_INTR_STATUS);
+        return 0;
+}
+/* ATHEROS 8035 */
+static struct phy_driver at8035_driver = {
+        .phy_id         = 0x004dd072,
+        .name           = "Atheros 8035 ethernet",
+        .phy_id_mask    = 0xffffffef,
+        .config_init    = at803x_config_init,
+        .features       = PHY_GBIT_FEATURES,
+        .flags          = PHY_HAS_INTERRUPT,
+        .config_aneg    = &genphy_config_aneg,
+        .read_status    = &genphy_read_status,
+        .driver         = {
+                .owner = THIS_MODULE,
+        },
+};
+/* ATHEROS 8030 */
+static struct phy_driver at8030_driver = {
+        .phy_id         = 0x004dd076,
+        .name           = "Atheros 8030 ethernet",
+        .phy_id_mask    = 0xffffffef,
+        .config_init    = at803x_config_init,
+        .features       = PHY_GBIT_FEATURES,
+        .flags          = PHY_HAS_INTERRUPT,
+        .config_aneg    = &genphy_config_aneg,
+        .read_status    = &genphy_read_status,
+        .driver         = {
+                .owner = THIS_MODULE,
+        },
+};
+static int __init atheros_init(void)
+{
+        int ret;
+        ret = phy_driver_register(&at8035_driver);
+        if (ret)
+                goto err1;
+        ret = phy_driver_register(&at8030_driver);
+        if (ret)
+                goto err2;
+        return 0;
+err2:
+        phy_driver_unregister(&at8035_driver);
+err1:
+        return ret;
+}
+static void __exit atheros_exit(void)
+{
+        phy_driver_unregister(&at8035_driver);
+        phy_driver_unregister(&at8030_driver);
+}
+module_init(atheros_init);
+module_exit(atheros_exit);
+static struct mdio_device_id __maybe_unused atheros_tbl[] = {
+        { 0x004dd076, 0xffffffef },
+        { 0x004dd072, 0xffffffef },
+        { }
+};
+MODULE_DEVICE_TABLE(mdio, atheros_tbl);
diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
index a28a983d465e..534d8becbbdc 100644
--- a/drivers/net/usb/ipheth.c
+++ b/drivers/net/usb/ipheth.c
@@ -62,6 +62,7 @@
 #define USB_PRODUCT_IPAD 0x129a
 #define USB_PRODUCT_IPHONE_4_VZW 0x129c
 #define USB_PRODUCT_IPHONE_4S   0x12a0
+#define USB_PRODUCT_IPHONE_5    0x12a8
 #define IPHETH_USBINTF_CLASS    255
 #define IPHETH_USBINTF_SUBCLASS 253
@@ -113,6 +114,10 @@ static struct usb_device_id ipheth_table[] = {
                USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4S,
                IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
                IPHETH_USBINTF_PROTO) },
+        { USB_DEVICE_AND_INTERFACE_INFO(
+                USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_5,
+                IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
+                IPHETH_USBINTF_PROTO) },
        { }
 };
 MODULE_DEVICE_TABLE(usb, ipheth_table);
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 6883c371c59f..9d23ba2fe981 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -371,16 +371,57 @@ static const struct usb_device_id products[] = {
        },
        /* 3. Combined interface devices matching on interface number */
+        {QMI_FIXED_INTF(0x19d2, 0x0002, 1)},
+        {QMI_FIXED_INTF(0x19d2, 0x0012, 1)},
+        {QMI_FIXED_INTF(0x19d2, 0x0017, 3)},
+        {QMI_FIXED_INTF(0x19d2, 0x0021, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x0025, 1)},
+        {QMI_FIXED_INTF(0x19d2, 0x0031, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x0042, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x0049, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0052, 4)},
        {QMI_FIXED_INTF(0x19d2, 0x0055, 1)},    /* ZTE (Vodafone) K3520-Z */
+        {QMI_FIXED_INTF(0x19d2, 0x0058, 4)},
        {QMI_FIXED_INTF(0x19d2, 0x0063, 4)},    /* ZTE (Vodafone) K3565-Z */
        {QMI_FIXED_INTF(0x19d2, 0x0104, 4)},    /* ZTE (Vodafone) K4505-Z */
+        {QMI_FIXED_INTF(0x19d2, 0x0113, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0118, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0121, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0123, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x0124, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0125, 6)},
+        {QMI_FIXED_INTF(0x19d2, 0x0126, 5)},
+        {QMI_FIXED_INTF(0x19d2, 0x0130, 1)},
+        {QMI_FIXED_INTF(0x19d2, 0x0133, 3)},
+        {QMI_FIXED_INTF(0x19d2, 0x0141, 5)},
        {QMI_FIXED_INTF(0x19d2, 0x0157, 5)},    /* ZTE MF683 */
+        {QMI_FIXED_INTF(0x19d2, 0x0158, 3)},
        {QMI_FIXED_INTF(0x19d2, 0x0167, 4)},    /* ZTE MF820D */
+        {QMI_FIXED_INTF(0x19d2, 0x0168, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x0176, 3)},
+        {QMI_FIXED_INTF(0x19d2, 0x0178, 3)},
+        {QMI_FIXED_INTF(0x19d2, 0x0191, 4)},    /* ZTE EuFi890 */
+        {QMI_FIXED_INTF(0x19d2, 0x0199, 1)},    /* ZTE MF820S */
+        {QMI_FIXED_INTF(0x19d2, 0x0200, 1)},
+        {QMI_FIXED_INTF(0x19d2, 0x0257, 3)},    /* ZTE MF821 */
        {QMI_FIXED_INTF(0x19d2, 0x0326, 4)},    /* ZTE MF821D */
        {QMI_FIXED_INTF(0x19d2, 0x1008, 4)},    /* ZTE (Vodafone) K3570-Z */
        {QMI_FIXED_INTF(0x19d2, 0x1010, 4)},    /* ZTE (Vodafone) K3571-Z */
+        {QMI_FIXED_INTF(0x19d2, 0x1012, 4)},
        {QMI_FIXED_INTF(0x19d2, 0x1018, 3)},    /* ZTE (Vodafone) K5006-Z */
+        {QMI_FIXED_INTF(0x19d2, 0x1021, 2)},
+        {QMI_FIXED_INTF(0x19d2, 0x1245, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1247, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1252, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1254, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1255, 3)},
+        {QMI_FIXED_INTF(0x19d2, 0x1255, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1256, 4)},
+        {QMI_FIXED_INTF(0x19d2, 0x1401, 2)},
        {QMI_FIXED_INTF(0x19d2, 0x1402, 2)},    /* ZTE MF60 */
+        {QMI_FIXED_INTF(0x19d2, 0x1424, 2)},
+        {QMI_FIXED_INTF(0x19d2, 0x1425, 2)},
+        {QMI_FIXED_INTF(0x19d2, 0x1426, 2)},    /* ZTE MF91 */
        {QMI_FIXED_INTF(0x19d2, 0x2002, 4)},    /* ZTE (Vodafone) K3765-Z */
        {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)},    /* Sierra Wireless MC7700 */
        {QMI_FIXED_INTF(0x114f, 0x68a2, 8)},    /* Sierra Wireless MC7750 */
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 9096bcb08132..ee070722a3a3 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -463,7 +463,9 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
        case NETDEV_PRE_TYPE_CHANGE:
                /* Forbid underlaying device to change its type. */
-                return NOTIFY_BAD;
+                if (vlan_uses_dev(dev))
+                        return NOTIFY_BAD;
+                break;
        case NETDEV_NOTIFY_PEERS:
        case NETDEV_BONDING_FAILOVER:
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 432f4bb77238..a8c651216fa6 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1163,8 +1163,12 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
        spin_lock_bh(&fnhe_lock);
        if (daddr == fnhe->fnhe_daddr) {
-                struct rtable *orig;
+                struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
+                if (orig && rt_is_expired(orig)) {
+                        fnhe->fnhe_gw = 0;
+                        fnhe->fnhe_pmtu = 0;
+                        fnhe->fnhe_expires = 0;
+                }
                if (fnhe->fnhe_pmtu) {
                        unsigned long expires = fnhe->fnhe_expires;
                        unsigned long diff = expires - jiffies;
@@ -1181,7 +1185,6 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
                } else if (!rt->rt_gateway)
                        rt->rt_gateway = daddr;
-                orig = rcu_dereference(fnhe->fnhe_rth);
                rcu_assign_pointer(fnhe->fnhe_rth, rt);
                if (orig)
                        rt_free(orig);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f32c02e2a543..b7c2f439b54f 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -549,14 +549,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
                         !tp->urg_data ||
                         before(tp->urg_seq, tp->copied_seq) ||
                         !before(tp->urg_seq, tp->rcv_nxt)) {
-                        struct sk_buff *skb;
                        answ = tp->rcv_nxt - tp->copied_seq;
-                        /* Subtract 1, if FIN is in queue. */
+                        /* Subtract 1, if FIN was received */
-                        skb = skb_peek_tail(&sk->sk_receive_queue);
+                        if (answ && sock_flag(sk, SOCK_DONE))
-                        if (answ && skb)
+                                answ--;
-                                answ -= tcp_hdr(skb)->fin;
                } else
                        answ = tp->urg_seq - tp->copied_seq;
                release_sock(sk);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 7e7198b51c06..c4ee43710aab 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2589,6 +2589,8 @@ __ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
        struct ip_vs_proto_data *pd;
 #endif
+        memset(u, 0, sizeof (*u));
 #ifdef CONFIG_IP_VS_PROTO_TCP
        pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
        u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
@@ -2766,7 +2768,6 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        {
                struct ip_vs_timeout_user t;
-                memset(&t, 0, sizeof(t));
                __ip_vs_get_timeouts(net, &t);
                if (copy_to_user(user, &t, sizeof(t)) != 0)
                        ret = -EFAULT;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 16c712563860..ae7f5daeee43 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -180,9 +180,9 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
        typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
        struct ctnl_timeout *timeout;
        struct nf_conn_timeout *timeout_ext;
-        const struct ipt_entry *e = par->entryinfo;
        struct nf_conntrack_l4proto *l4proto;
        int ret = 0;
+        u8 proto;
        rcu_read_lock();
        timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
@@ -192,9 +192,11 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
                goto out;
        }
-        if (e->ip.invflags & IPT_INV_PROTO) {
+        proto = xt_ct_find_proto(par);
+        if (!proto) {
                ret = -EINVAL;
-                pr_info("You cannot use inversion on L4 protocol\n");
+                pr_info("You must specify a L4 protocol, and not use "
+                        "inversions on it.\n");
                goto out;
        }
@@ -214,7 +216,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
        /* Make sure the timeout policy matches any existing protocol tracker,
         * otherwise default to generic.
         */
-        l4proto = __nf_ct_l4proto_find(par->family, e->ip.proto);
+        l4proto = __nf_ct_l4proto_find(par->family, proto);
        if (timeout->l4proto->l4proto != l4proto->l4proto) {
                ret = -EINVAL;
                pr_info("Timeout policy `%s' can only be used by L4 protocol "
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index ee2e5bc5a8c7..bd93e51d30ac 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -70,6 +70,7 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
        fl4.daddr = info->gw.ip;
        fl4.flowi4_tos = RT_TOS(iph->tos);
        fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
+        fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
        rt = ip_route_output_key(net, &fl4);
        if (IS_ERR(rt))
                return false;
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index 81aafa8e4fef..bea7464cc43f 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -111,7 +111,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
                .family         = NFPROTO_IPV4,
                .table          = "nat",
                .hooks          = (1 << NF_INET_POST_ROUTING) |
-                                  (1 << NF_INET_LOCAL_OUT),
+                                  (1 << NF_INET_LOCAL_IN),
                .me             = THIS_MODULE,
        },
        {
@@ -123,7 +123,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
                .family         = NFPROTO_IPV4,
                .table          = "nat",
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
-                                  (1 << NF_INET_LOCAL_IN),
+                                  (1 << NF_INET_LOCAL_OUT),
                .me             = THIS_MODULE,
        },
        {
@@ -133,7 +133,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
                .targetsize     = sizeof(struct nf_nat_range),
                .table          = "nat",
                .hooks          = (1 << NF_INET_POST_ROUTING) |
-                                  (1 << NF_INET_LOCAL_OUT),
+                                  (1 << NF_INET_LOCAL_IN),
                .me             = THIS_MODULE,
        },
        {
@@ -143,7 +143,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
                .targetsize     = sizeof(struct nf_nat_range),
                .table          = "nat",
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
-                                  (1 << NF_INET_LOCAL_IN),
+                                  (1 << NF_INET_LOCAL_OUT),
                .me             = THIS_MODULE,
        },
 };
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 01e944a017a4..4da797fa5ec5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -138,6 +138,8 @@ static int netlink_dump(struct sock *sk);
 static DEFINE_RWLOCK(nl_table_lock);
 static atomic_t nl_table_users = ATOMIC_INIT(0);
+#define nl_deref_protected(X) rcu_dereference_protected(X, lockdep_is_held(&nl_table_lock));
 static ATOMIC_NOTIFIER_HEAD(netlink_chain);
 static inline u32 netlink_group_mask(u32 group)
@@ -345,6 +347,11 @@ netlink_update_listeners(struct sock *sk)
        struct hlist_node *node;
        unsigned long mask;
        unsigned int i;
+        struct listeners *listeners;
+        listeners = nl_deref_protected(tbl->listeners);
+        if (!listeners)
+                return;
        for (i = 0; i < NLGRPLONGS(tbl->groups); i++) {
                mask = 0;
@@ -352,7 +359,7 @@ netlink_update_listeners(struct sock *sk)
                        if (i < NLGRPLONGS(nlk_sk(sk)->ngroups))
                                mask |= nlk_sk(sk)->groups[i];
                }
-                tbl->listeners->masks[i] = mask;
+                listeners->masks[i] = mask;
        }
        /* this function is only called with the netlink table "grabbed", which
         * makes sure updates are visible before bind or setsockopt return. */
@@ -536,7 +543,11 @@ static int netlink_release(struct socket *sock)
        if (netlink_is_kernel(sk)) {
                BUG_ON(nl_table[sk->sk_protocol].registered == 0);
                if (--nl_table[sk->sk_protocol].registered == 0) {
-                        kfree(nl_table[sk->sk_protocol].listeners);
+                        struct listeners *old;
+                        old = nl_deref_protected(nl_table[sk->sk_protocol].listeners);
+                        RCU_INIT_POINTER(nl_table[sk->sk_protocol].listeners, NULL);
+                        kfree_rcu(old, rcu);
                        nl_table[sk->sk_protocol].module = NULL;
                        nl_table[sk->sk_protocol].bind = NULL;
                        nl_table[sk->sk_protocol].flags = 0;
@@ -982,7 +993,7 @@ int netlink_has_listeners(struct sock *sk, unsigned int group)
        rcu_read_lock();
        listeners = rcu_dereference(nl_table[sk->sk_protocol].listeners);
-        if (group - 1 < nl_table[sk->sk_protocol].groups)
+        if (listeners && group - 1 < nl_table[sk->sk_protocol].groups)
                res = test_bit(group - 1, listeners->masks);
        rcu_read_unlock();
@@ -1625,7 +1636,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
                new = kzalloc(sizeof(*new) + NLGRPSZ(groups), GFP_ATOMIC);
                if (!new)
                        return -ENOMEM;
-                old = rcu_dereference_protected(tbl->listeners, 1);
+                old = nl_deref_protected(tbl->listeners);
                memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
                rcu_assign_pointer(tbl->listeners, new);