25 files changed, 237 insertions, 76 deletions

diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c
index 5e04ed25bc0e..1e976bb93d99 100644
--- a/net/ipv4/bpfilter/sockopt.c
+++ b/net/ipv4/bpfilter/sockopt.c
@@ -1,28 +1,54 @@
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/init.h>
+#include <linux/module.h>
 #include <linux/uaccess.h>
 #include <linux/bpfilter.h>
 #include <uapi/linux/bpf.h>
 #include <linux/wait.h>
 #include <linux/kmod.h>
+#include <linux/fs.h>
+#include <linux/file.h>
 
-int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
-                                char __user *optval,
-                                unsigned int optlen, bool is_set);
-EXPORT_SYMBOL_GPL(bpfilter_process_sockopt);
+struct bpfilter_umh_ops bpfilter_ops;
+EXPORT_SYMBOL_GPL(bpfilter_ops);
+
+static void bpfilter_umh_cleanup(struct umh_info *info)
+{
+        mutex_lock(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        fput(info->pipe_to_umh);
+        fput(info->pipe_from_umh);
+        info->pid = 0;
+        mutex_unlock(&bpfilter_ops.lock);
+}
 
 static int bpfilter_mbox_request(struct sock *sk, int optname,
                                  char __user *optval,
                                  unsigned int optlen, bool is_set)
 {
-        if (!bpfilter_process_sockopt) {
-                int err = request_module("bpfilter");
+        int err;
+        mutex_lock(&bpfilter_ops.lock);
+        if (!bpfilter_ops.sockopt) {
+                mutex_unlock(&bpfilter_ops.lock);
+                err = request_module("bpfilter");
+                mutex_lock(&bpfilter_ops.lock);
 
                 if (err)
-                        return err;
-                if (!bpfilter_process_sockopt)
-                        return -ECHILD;
+                        goto out;
+                if (!bpfilter_ops.sockopt) {
+                        err = -ECHILD;
+                        goto out;
+                }
+        }
+        if (bpfilter_ops.stop) {
+                err = bpfilter_ops.start();
+                if (err)
+                        goto out;
         }
-        return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set);
+        err = bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set);
+out:
+        mutex_unlock(&bpfilter_ops.lock);
+        return err;
 }
 
 int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval,
@@ -41,3 +67,15 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval,
 
         return bpfilter_mbox_request(sk, optname, optval, len, false);
 }
+
+static int __init bpfilter_sockopt_init(void)
+{
+        mutex_init(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        bpfilter_ops.info.cmdline = "bpfilter_umh";
+        bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup;
+
+        return 0;
+}
+
+module_init(bpfilter_sockopt_init);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 04ba321ae5ce..e258a00b4a3d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1826,7 +1826,7 @@ put_tgt_net:
         if (fillargs.netnsid >= 0)
                 put_net(tgt_net);
 
-        return err < 0 ? err : skb->len;
+        return skb->len ? : err;
 }
 
 static void rtmsg_ifa(int event, struct in_ifaddr *ifa, struct nlmsghdr *nlh,
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5459f41fc26f..10e809b296ec 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -328,7 +328,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
                         skb->len += tailen;
                         skb->data_len += tailen;
                         skb->truesize += tailen;
-                        if (sk)
+                        if (sk && sk_fullsock(sk))
                                 refcount_add(tailen, &sk->sk_wmem_alloc);
 
                         goto out;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6df95be96311..fe4f6a624238 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -203,7 +203,7 @@ static void fib_flush(struct net *net)
                 struct fib_table *tb;
 
                 hlist_for_each_entry_safe(tb, tmp, head, tb_hlist)
-                        flushed += fib_table_flush(net, tb);
+                        flushed += fib_table_flush(net, tb, false);
         }
 
         if (flushed)
@@ -1463,7 +1463,7 @@ static void ip_fib_net_exit(struct net *net)
 
                 hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) {
                         hlist_del(&tb->tb_hlist);
-                        fib_table_flush(net, tb);
+                        fib_table_flush(net, tb, true);
                         fib_free_table(tb);
                 }
         }
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 237c9f72b265..a573e37e0615 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1856,7 +1856,7 @@ void fib_table_flush_external(struct fib_table *tb)
 }
 
 /* Caller must hold RTNL. */
-int fib_table_flush(struct net *net, struct fib_table *tb)
+int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
 {
         struct trie *t = (struct trie *)tb->tb_data;
         struct key_vector *pn = t->kv;
@@ -1904,8 +1904,17 @@ int fib_table_flush(struct net *net, struct fib_table *tb)
                 hlist_for_each_entry_safe(fa, tmp, &n->leaf, fa_list) {
                         struct fib_info *fi = fa->fa_info;
 
-                        if (!fi || !(fi->fib_flags & RTNH_F_DEAD) ||
-                            tb->tb_id != fa->tb_id) {
+                        if (!fi || tb->tb_id != fa->tb_id ||
+                            (!(fi->fib_flags & RTNH_F_DEAD) &&
+                             !fib_props[fa->fa_type].error)) {
+                                slen = fa->fa_slen;
+                                continue;
+                        }
+
+                        /* Do not flush error routes if network namespace is
+                         * not being dismantled
+                         */
+                        if (!flush_all && fib_props[fa->fa_type].error) {
                                 slen = fa->fa_slen;
                                 continue;
                         }
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 0c9f171fb085..437070d1ffb1 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -1020,10 +1020,11 @@ static int gue_err(struct sk_buff *skb, u32 info)
 {
         int transport_offset = skb_transport_offset(skb);
         struct guehdr *guehdr;
-        size_t optlen;
+        size_t len, optlen;
         int ret;
 
-        if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr))
+        len = sizeof(struct udphdr) + sizeof(struct guehdr);
+        if (!pskb_may_pull(skb, len))
                 return -EINVAL;
 
         guehdr = (struct guehdr *)&udp_hdr(skb)[1];
@@ -1058,6 +1059,10 @@ static int gue_err(struct sk_buff *skb, u32 info)
 
         optlen = guehdr->hlen << 2;
 
+        if (!pskb_may_pull(skb, len + optlen))
+                return -EINVAL;
+
+        guehdr = (struct guehdr *)&udp_hdr(skb)[1];
         if (validate_gue_flags(guehdr, optlen))
                 return -EINVAL;
 
@@ -1065,7 +1070,8 @@ static int gue_err(struct sk_buff *skb, u32 info)
          * recursion. Besides, this kind of encapsulation can't even be
          * configured currently. Discard this.
          */
-        if (guehdr->proto_ctype == IPPROTO_UDP)
+        if (guehdr->proto_ctype == IPPROTO_UDP ||
+            guehdr->proto_ctype == IPPROTO_UDPLITE)
                 return -EOPNOTSUPP;
 
         skb_set_transport_header(skb, -(int)sizeof(struct icmphdr));
diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
index a4bf22ee3aed..7c4a41dc04bb 100644
--- a/net/ipv4/gre_demux.c
+++ b/net/ipv4/gre_demux.c
@@ -25,6 +25,7 @@
 #include <linux/spinlock.h>
 #include <net/protocol.h>
 #include <net/gre.h>
+#include <net/erspan.h>
 
 #include <net/icmp.h>
 #include <net/route.h>
@@ -119,6 +120,22 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
                         hdr_len += 4;
         }
         tpi->hdr_len = hdr_len;
+
+        /* ERSPAN ver 1 and 2 protocol sets GRE key field
+         * to 0 and sets the configured key in the
+         * inner erspan header field
+         */
+        if (greh->protocol == htons(ETH_P_ERSPAN) ||
+            greh->protocol == htons(ETH_P_ERSPAN2)) {
+                struct erspan_base_hdr *ershdr;
+
+                if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))
+                        return -EINVAL;
+
+                ershdr = (struct erspan_base_hdr *)options;
+                tpi->key = cpu_to_be32(get_session_id(ershdr));
+        }
+
         return hdr_len;
 }
 EXPORT_SYMBOL(gre_parse_header);
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 1a4e9ff02762..5731670c560b 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -108,6 +108,7 @@ static size_t inet_sk_attr_size(struct sock *sk,
                 + nla_total_size(1) /* INET_DIAG_TOS */
                 + nla_total_size(1) /* INET_DIAG_TCLASS */
                 + nla_total_size(4) /* INET_DIAG_MARK */
+                + nla_total_size(4) /* INET_DIAG_CLASS_ID */
                 + nla_total_size(sizeof(struct inet_diag_meminfo))
                 + nla_total_size(sizeof(struct inet_diag_msg))
                 + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
@@ -287,12 +288,19 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
                         goto errout;
         }
 
-        if (ext & (1 << (INET_DIAG_CLASS_ID - 1))) {
+        if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
+            ext & (1 << (INET_DIAG_TCLASS - 1))) {
                 u32 classid = 0;
 
 #ifdef CONFIG_SOCK_CGROUP_DATA
                 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
 #endif
+                /* Fallback to socket priority if class id isn't set.
+                 * Classful qdiscs use it as direct reference to class.
+                 * For cgroup2 classid is always zero.
+                 */
+                if (!classid)
+                        classid = sk->sk_priority;
 
                 if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
                         goto errout;
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index d757b9642d0d..be778599bfed 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -216,6 +216,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
                         atomic_set(&p->rid, 0);
                         p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
                         p->rate_tokens = 0;
+                        p->n_redirects = 0;
                         /* 60*HZ is arbitrary, but chosen enough high so that the first
                          * calculation of tokens is at its maximum.
                          */
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d1d09f3e5f9e..6ae89f2b541b 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -268,20 +268,11 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
         int len;
 
         itn = net_generic(net, erspan_net_id);
-        len = gre_hdr_len + sizeof(*ershdr);
-
-        /* Check based hdr len */
-        if (unlikely(!pskb_may_pull(skb, len)))
-                return PACKET_REJECT;
 
         iph = ip_hdr(skb);
         ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
         ver = ershdr->ver;
 
-        /* The original GRE header does not have key field,
-         * Use ERSPAN 10-bit session ID as key.
-         */
-        tpi->key = cpu_to_be32(get_session_id(ershdr));
         tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
                                   tpi->flags | TUNNEL_KEY,
                                   iph->saddr, iph->daddr, tpi->key);
@@ -569,8 +560,7 @@ err_free_skb:
         dev->stats.tx_dropped++;
 }
 
-static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
-                           __be16 proto)
+static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
         struct ip_tunnel_info *tun_info;
@@ -578,10 +568,10 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
         struct erspan_metadata *md;
         struct rtable *rt = NULL;
         bool truncate = false;
+        __be16 df, proto;
         struct flowi4 fl;
         int tunnel_hlen;
         int version;
-        __be16 df;
         int nhoff;
         int thoff;
 
@@ -626,18 +616,20 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
         if (version == 1) {
                 erspan_build_header(skb, ntohl(tunnel_id_to_key32(key->tun_id)),
                                     ntohl(md->u.index), truncate, true);
+                proto = htons(ETH_P_ERSPAN);
         } else if (version == 2) {
                 erspan_build_header_v2(skb,
                                        ntohl(tunnel_id_to_key32(key->tun_id)),
                                        md->u.md2.dir,
                                        get_hwid(&md->u.md2),
                                        truncate, true);
+                proto = htons(ETH_P_ERSPAN2);
         } else {
                 goto err_free_rt;
         }
 
         gre_build_header(skb, 8, TUNNEL_SEQ,
-                         htons(ETH_P_ERSPAN), 0, htonl(tunnel->o_seqno++));
+                         proto, 0, htonl(tunnel->o_seqno++));
 
         df = key->tun_flags & TUNNEL_DONT_FRAGMENT ?  htons(IP_DF) : 0;
 
@@ -721,12 +713,13 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
         bool truncate = false;
+        __be16 proto;
 
         if (!pskb_inet_may_pull(skb))
                 goto free_skb;
 
         if (tunnel->collect_md) {
-                erspan_fb_xmit(skb, dev, skb->protocol);
+                erspan_fb_xmit(skb, dev);
                 return NETDEV_TX_OK;
         }
 
@@ -742,19 +735,22 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
         }
 
         /* Push ERSPAN header */
-        if (tunnel->erspan_ver == 1)
+        if (tunnel->erspan_ver == 1) {
                 erspan_build_header(skb, ntohl(tunnel->parms.o_key),
                                     tunnel->index,
                                     truncate, true);
-        else if (tunnel->erspan_ver == 2)
+                proto = htons(ETH_P_ERSPAN);
+        } else if (tunnel->erspan_ver == 2) {
                 erspan_build_header_v2(skb, ntohl(tunnel->parms.o_key),
                                        tunnel->dir, tunnel->hwid,
                                        truncate, true);
-        else
+                proto = htons(ETH_P_ERSPAN2);
+        } else {
                 goto free_skb;
+        }
 
         tunnel->parms.o_flags &= ~TUNNEL_KEY;
-        __gre_xmit(skb, dev, &tunnel->parms.iph, htons(ETH_P_ERSPAN));
+        __gre_xmit(skb, dev, &tunnel->parms.iph, proto);
         return NETDEV_TX_OK;
 
 free_skb:
@@ -1459,12 +1455,31 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
 {
         struct ip_tunnel *t = netdev_priv(dev);
         struct ip_tunnel_parm *p = &t->parms;
+        __be16 o_flags = p->o_flags;
+
+        if (t->erspan_ver == 1 || t->erspan_ver == 2) {
+                if (!t->collect_md)
+                        o_flags |= TUNNEL_KEY;
+
+                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+                        goto nla_put_failure;
+
+                if (t->erspan_ver == 1) {
+                        if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+                                goto nla_put_failure;
+                } else {
+                        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+                                goto nla_put_failure;
+                        if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+                                goto nla_put_failure;
+                }
+        }
 
         if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
             nla_put_be16(skb, IFLA_GRE_IFLAGS,
                          gre_tnl_flags_to_gre_flags(p->i_flags)) ||
             nla_put_be16(skb, IFLA_GRE_OFLAGS,
-                         gre_tnl_flags_to_gre_flags(p->o_flags)) ||
+                         gre_tnl_flags_to_gre_flags(o_flags)) ||
             nla_put_be32(skb, IFLA_GRE_IKEY, p->i_key) ||
             nla_put_be32(skb, IFLA_GRE_OKEY, p->o_key) ||
             nla_put_in_addr(skb, IFLA_GRE_LOCAL, p->iph.saddr) ||
@@ -1494,19 +1509,6 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
                         goto nla_put_failure;
         }
 
-        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
-                goto nla_put_failure;
-
-        if (t->erspan_ver == 1) {
-                if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
-                        goto nla_put_failure;
-        } else if (t->erspan_ver == 2) {
-                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
-                        goto nla_put_failure;
-                if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
-                        goto nla_put_failure;
-        }
-
         return 0;
 
 nla_put_failure:
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 26921f6b3b92..51d8efba6de2 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -488,6 +488,7 @@ static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net)
                 goto drop;
         }
 
+        iph = ip_hdr(skb);
         skb->transport_header = skb->network_header + iph->ihl*4;
 
         /* Remove any debris in the socket control block */
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index fffcc130900e..82f341e84fae 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -148,19 +148,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
+        __be16 _ports[2], *ports;
         struct sockaddr_in sin;
-        __be16 *ports;
-        int end;
-
-        end = skb_transport_offset(skb) + 4;
-        if (end > 0 && !pskb_may_pull(skb, end))
-                return;
 
         /* All current transport protocols have the port numbers in the
          * first four bytes of the transport header and this function is
          * written with this assumption in mind.
          */
-        ports = (__be16 *)skb_transport_header(skb);
+        ports = skb_header_pointer(skb, skb_transport_offset(skb),
+                                   sizeof(_ports), &_ports);
+        if (!ports)
+                return;
 
         sin.sin_family = AF_INET;
         sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index c4f5602308ed..054d01c16dc6 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -644,13 +644,19 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
         dst = tnl_params->daddr;
         if (dst == 0) {
                 /* NBMA tunnel */
+                struct ip_tunnel_info *tun_info;
 
                 if (!skb_dst(skb)) {
                         dev->stats.tx_fifo_errors++;
                         goto tx_error;
                 }
 
-                if (skb->protocol == htons(ETH_P_IP)) {
+                tun_info = skb_tunnel_info(skb);
+                if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX) &&
+                    ip_tunnel_info_af(tun_info) == AF_INET &&
+                    tun_info->key.u.ipv4.dst)
+                        dst = tun_info->key.u.ipv4.dst;
+                else if (skb->protocol == htons(ETH_P_IP)) {
                         rt = skb_rtable(skb);
                         dst = rt_nexthop(rt, inner_iph->daddr);
                 }
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index d7b43e700023..68a21bf75dd0 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -74,6 +74,33 @@ drop:
         return 0;
 }
 
+static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+                     int encap_type)
+{
+        struct ip_tunnel *tunnel;
+        const struct iphdr *iph = ip_hdr(skb);
+        struct net *net = dev_net(skb->dev);
+        struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+        tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+                                  iph->saddr, iph->daddr, 0);
+        if (tunnel) {
+                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+                        goto drop;
+
+                XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
+                skb->dev = tunnel->dev;
+
+                return xfrm_input(skb, nexthdr, spi, encap_type);
+        }
+
+        return -EINVAL;
+drop:
+        kfree_skb(skb);
+        return 0;
+}
+
 static int vti_rcv(struct sk_buff *skb)
 {
         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
         return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
 }
 
+static int vti_rcv_ipip(struct sk_buff *skb)
+{
+        XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+        XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+        return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
+}
+
 static int vti_rcv_cb(struct sk_buff *skb, int err)
 {
         unsigned short family;
@@ -435,6 +470,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
         .priority       =       100,
 };
 
+static struct xfrm_tunnel ipip_handler __read_mostly = {
+        .handler        =       vti_rcv_ipip,
+        .err_handler    =       vti4_err,
+        .priority       =       0,
+};
+
 static int __net_init vti_init_net(struct net *net)
 {
         int err;
@@ -603,6 +644,13 @@ static int __init vti_init(void)
         if (err < 0)
                 goto xfrm_proto_comp_failed;
 
+        msg = "ipip tunnel";
+        err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
+        if (err < 0) {
+                pr_info("%s: cant't register tunnel\n",__func__);
+                goto xfrm_tunnel_failed;
+        }
+
         msg = "netlink interface";
         err = rtnl_link_register(&vti_link_ops);
         if (err < 0)
@@ -612,6 +660,8 @@ static int __init vti_init(void)
 
 rtnl_link_failed:
         xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
+xfrm_tunnel_failed:
+        xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
 xfrm_proto_comp_failed:
         xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index b61977db9b7f..2a909e5f9ba0 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -846,9 +846,9 @@ static int clusterip_net_init(struct net *net)
 
 static void clusterip_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
         struct clusterip_net *cn = clusterip_pernet(net);
 
-#ifdef CONFIG_PROC_FS
         mutex_lock(&cn->mutex);
         proc_remove(cn->procdir);
         cn->procdir = NULL;
diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index 2687db015b6f..fa2ba7c500e4 100644
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -215,6 +215,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
 
         /* Change outer to look like the reply to an incoming packet */
         nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+        target.dst.protonum = IPPROTO_ICMP;
         if (!nf_nat_ipv4_manip_pkt(skb, 0, &target, manip))
                 return 0;
 
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
index a0aa13bcabda..0a8a60c1bf9a 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
@@ -105,6 +105,8 @@ static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
 int snmp_version(void *context, size_t hdrlen, unsigned char tag,
                  const void *data, size_t datalen)
 {
+        if (datalen != 1)
+                return -EINVAL;
         if (*(unsigned char *)data > 1)
                 return -ENOTSUPP;
         return 1;
@@ -114,8 +116,11 @@ int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
                 const void *data, size_t datalen)
 {
         struct snmp_ctx *ctx = (struct snmp_ctx *)context;
-        __be32 *pdata = (__be32 *)data;
+        __be32 *pdata;
 
+        if (datalen != 4)
+                return -EINVAL;
+        pdata = (__be32 *)data;
         if (*pdata == ctx->from) {
                 pr_debug("%s: %pI4 to %pI4\n", __func__,
                          (void *)&ctx->from, (void *)&ctx->to);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index ce92f73cf104..5163b64f8fb3 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -887,13 +887,15 @@ void ip_rt_send_redirect(struct sk_buff *skb)
         /* No redirected packets during ip_rt_redirect_silence;
          * reset the algorithm.
          */
-        if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence))
+        if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence)) {
                 peer->rate_tokens = 0;
+                peer->n_redirects = 0;
+        }
 
         /* Too many ignored redirects; do not send anything
          * set dst.rate_last to the last seen redirected packet.
          */
-        if (peer->rate_tokens >= ip_rt_redirect_number) {
+        if (peer->n_redirects >= ip_rt_redirect_number) {
                 peer->rate_last = jiffies;
                 goto out_put_peer;
         }
@@ -910,6 +912,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
                 icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw);
                 peer->rate_last = jiffies;
                 ++peer->rate_tokens;
+                ++peer->n_redirects;
 #ifdef CONFIG_IP_ROUTE_VERBOSE
                 if (log_martians &&
                     peer->rate_tokens == ip_rt_redirect_number)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 27e2f6837062..cf3c5095c10e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1186,7 +1186,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
         flags = msg->msg_flags;
 
         if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
-                if (sk->sk_state != TCP_ESTABLISHED) {
+                if ((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
                         err = -EINVAL;
                         goto out_err;
                 }
@@ -2528,6 +2528,7 @@ void tcp_write_queue_purge(struct sock *sk)
         sk_mem_reclaim(sk);
         tcp_clear_all_retrans_hints(tcp_sk(sk));
         tcp_sk(sk)->packets_out = 0;
+        inet_csk(sk)->icsk_backoff = 0;
 }
 
 int tcp_disconnect(struct sock *sk, int flags)
@@ -2576,7 +2577,6 @@ int tcp_disconnect(struct sock *sk, int flags)
         tp->write_seq += tp->max_window + 2;
         if (tp->write_seq == 0)
                 tp->write_seq = 1;
-        icsk->icsk_backoff = 0;
         tp->snd_cwnd = 2;
         icsk->icsk_probes_out = 0;
         tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index efc6fef692ff..ec3cea9d6828 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -536,12 +536,15 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                 if (sock_owned_by_user(sk))
                         break;
 
+                skb = tcp_rtx_queue_head(sk);
+                if (WARN_ON_ONCE(!skb))
+                        break;
+
                 icsk->icsk_backoff--;
                 icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
                                                TCP_TIMEOUT_INIT;
                 icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
 
-                skb = tcp_rtx_queue_head(sk);
 
                 tcp_mstamp_refresh(tp);
                 delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 730bc44dbad9..ccc78f3a4b60 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2347,6 +2347,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                         /* "skb_mstamp_ns" is used as a start point for the retransmit timer */
                         skb->skb_mstamp_ns = tp->tcp_wstamp_ns = tp->tcp_clock_cache;
                         list_move_tail(&skb->tcp_tsorted_anchor, &tp->tsorted_sent_queue);
+                        tcp_init_tso_segs(skb, mss_now);
                         goto repair; /* Skip network transmission */
                 }
 
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index f87dbc78b6bc..71a29e9c0620 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -226,7 +226,7 @@ static int tcp_write_timeout(struct sock *sk)
         if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
                 if (icsk->icsk_retransmits) {
                         dst_negative_advice(sk);
-                } else if (!tp->syn_data && !tp->syn_fastopen) {
+                } else {
                         sk_rethink_txhash(sk);
                 }
                 retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 3fb0ed5e4789..372fdc5381a9 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -562,10 +562,12 @@ static int __udp4_lib_err_encap_no_sk(struct sk_buff *skb, u32 info)
 
         for (i = 0; i < MAX_IPTUN_ENCAP_OPS; i++) {
                 int (*handler)(struct sk_buff *skb, u32 info);
+                const struct ip_tunnel_encap_ops *encap;
 
-                if (!iptun_encaps[i])
+                encap = rcu_dereference(iptun_encaps[i]);
+                if (!encap)
                         continue;
-                handler = rcu_dereference(iptun_encaps[i]->err_handler);
+                handler = encap->err_handler;
                 if (handler && !handler(skb, info))
                         return 0;
         }
@@ -847,15 +849,23 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4,
                 const int hlen = skb_network_header_len(skb) +
                                  sizeof(struct udphdr);
 
-                if (hlen + cork->gso_size > cork->fragsize)
+                if (hlen + cork->gso_size > cork->fragsize) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS)
+                }
+                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (sk->sk_no_check_tx)
+                }
+                if (sk->sk_no_check_tx) {
+                        kfree_skb(skb);
                         return -EINVAL;
+                }
                 if (skb->ip_summed != CHECKSUM_PARTIAL || is_udplite ||
-                    dst_xfrm(skb_dst(skb)))
+                    dst_xfrm(skb_dst(skb))) {
+                        kfree_skb(skb);
                         return -EIO;
+                }
 
                 skb_shinfo(skb)->gso_size = cork->gso_size;
                 skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4;
@@ -1918,7 +1928,7 @@ void udp_lib_rehash(struct sock *sk, u16 newhash)
 }
 EXPORT_SYMBOL(udp_lib_rehash);
 
-static void udp_v4_rehash(struct sock *sk)
+void udp_v4_rehash(struct sock *sk)
 {
         u16 new_hash = ipv4_portaddr_hash(sock_net(sk),
                                           inet_sk(sk)->inet_rcv_saddr,
diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
index 322672655419..6b2fa77eeb1c 100644
--- a/net/ipv4/udp_impl.h
+++ b/net/ipv4/udp_impl.h
@@ -10,6 +10,7 @@ int __udp4_lib_rcv(struct sk_buff *, struct udp_table *, int);
 int __udp4_lib_err(struct sk_buff *, u32, struct udp_table *);
 
 int udp_v4_get_port(struct sock *sk, unsigned short snum);
+void udp_v4_rehash(struct sock *sk);
 
 int udp_setsockopt(struct sock *sk, int level, int optname,
                    char __user *optval, unsigned int optlen);
diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
index 39c7f17d916f..3c94b8f0ff27 100644
--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -53,6 +53,7 @@ struct proto 	udplite_prot = {
         .sendpage          = udp_sendpage,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v4_rehash,
         .get_port          = udp_v4_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,