17 files changed, 172 insertions, 128 deletions

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 8c54870db792..6d6dd345bc4d 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1650,6 +1650,39 @@ static int __init init_ipv4_mibs(void)
         return register_pernet_subsys(&ipv4_mib_ops);
 }
 
+static __net_init int inet_init_net(struct net *net)
+{
+        /*
+         * Set defaults for local port range
+         */
+        seqlock_init(&net->ipv4.ip_local_ports.lock);
+        net->ipv4.ip_local_ports.range[0] =  32768;
+        net->ipv4.ip_local_ports.range[1] =  61000;
+
+        seqlock_init(&net->ipv4.ping_group_range.lock);
+        /*
+         * Sane defaults - nobody may create ping sockets.
+         * Boot scripts should set this to distro-specific group.
+         */
+        net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
+        net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
+        return 0;
+}
+
+static __net_exit void inet_exit_net(struct net *net)
+{
+}
+
+static __net_initdata struct pernet_operations af_inet_ops = {
+        .init = inet_init_net,
+        .exit = inet_exit_net,
+};
+
+static int __init init_inet_pernet_ops(void)
+{
+        return register_pernet_subsys(&af_inet_ops);
+}
+
 static int ipv4_proc_init(void);
 
 /*
@@ -1794,6 +1827,9 @@ static int __init inet_init(void)
         if (ip_mr_init())
                 pr_crit("%s: Cannot init ipv4 mroute\n", __func__);
 #endif
+
+        if (init_inet_pernet_ops())
+                pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
         /*
          *      Initialise per-cpu ipv4 mibs
          */
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 8a043f03c88e..b10cd43a4722 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -821,13 +821,13 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
         fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
         if (fi == NULL)
                 goto failure;
+        fib_info_cnt++;
         if (cfg->fc_mx) {
                 fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
                 if (!fi->fib_metrics)
                         goto failure;
         } else
                 fi->fib_metrics = (u32 *) dst_default_metrics;
-        fib_info_cnt++;
 
         fi->fib_net = hold_net(net);
         fi->fib_protocol = cfg->fc_protocol;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 0d1e2cb877ec..a56b8e6e866a 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -37,11 +37,11 @@ void inet_get_local_port_range(struct net *net, int *low, int *high)
         unsigned int seq;
 
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
 
-                *low = net->ipv4.sysctl_local_ports.range[0];
-                *high = net->ipv4.sysctl_local_ports.range[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+                *low = net->ipv4.ip_local_ports.range[0];
+                *high = net->ipv4.ip_local_ports.range[1];
+        } while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
 }
 EXPORT_SYMBOL(inet_get_local_port_range);
 
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index be8abe73bb9f..6f111e48e11c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -42,12 +42,12 @@
 static bool ip_may_fragment(const struct sk_buff *skb)
 {
         return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
-               !skb->local_df;
+                skb->local_df;
 }
 
 static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
 {
-        if (skb->len <= mtu || skb->local_df)
+        if (skb->len <= mtu)
                 return false;
 
         if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
@@ -56,53 +56,6 @@ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
         return true;
 }
 
-static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb)
-{
-        unsigned int mtu;
-
-        if (skb->local_df || !skb_is_gso(skb))
-                return false;
-
-        mtu = ip_dst_mtu_maybe_forward(skb_dst(skb), true);
-
-        /* if seglen > mtu, do software segmentation for IP fragmentation on
-         * output.  DF bit cannot be set since ip_forward would have sent
-         * icmp error.
-         */
-        return skb_gso_network_seglen(skb) > mtu;
-}
-
-/* called if GSO skb needs to be fragmented on forward */
-static int ip_forward_finish_gso(struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb_dst(skb);
-        netdev_features_t features;
-        struct sk_buff *segs;
-        int ret = 0;
-
-        features = netif_skb_dev_features(skb, dst->dev);
-        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
-        if (IS_ERR(segs)) {
-                kfree_skb(skb);
-                return -ENOMEM;
-        }
-
-        consume_skb(skb);
-
-        do {
-                struct sk_buff *nskb = segs->next;
-                int err;
-
-                segs->next = NULL;
-                err = dst_output(segs);
-
-                if (err && ret == 0)
-                        ret = err;
-                segs = nskb;
-        } while (segs);
-
-        return ret;
-}
 
 static int ip_forward_finish(struct sk_buff *skb)
 {
@@ -114,9 +67,6 @@ static int ip_forward_finish(struct sk_buff *skb)
         if (unlikely(opt->optlen))
                 ip_forward_options(skb);
 
-        if (ip_gso_exceeds_dst_mtu(skb))
-                return ip_forward_finish_gso(skb);
-
         return dst_output(skb);
 }
 
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index c10a3ce5cbff..ed32313e307c 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
                  * "Fragment Reassembly Timeout" message, per RFC792.
                  */
                 if (qp->user == IP_DEFRAG_AF_PACKET ||
-                    (qp->user == IP_DEFRAG_CONNTRACK_IN &&
-                     skb_rtable(head)->rt_type != RTN_LOCAL))
+                    ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
+                     (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
+                     (skb_rtable(head)->rt_type != RTN_LOCAL)))
                         goto out_rcu_unlock;
 
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 1cbeba5edff9..a52f50187b54 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -211,6 +211,48 @@ static inline int ip_finish_output2(struct sk_buff *skb)
         return -EINVAL;
 }
 
+static int ip_finish_output_gso(struct sk_buff *skb)
+{
+        netdev_features_t features;
+        struct sk_buff *segs;
+        int ret = 0;
+
+        /* common case: locally created skb or seglen is <= mtu */
+        if (((IPCB(skb)->flags & IPSKB_FORWARDED) == 0) ||
+              skb_gso_network_seglen(skb) <= ip_skb_dst_mtu(skb))
+                return ip_finish_output2(skb);
+
+        /* Slowpath -  GSO segment length is exceeding the dst MTU.
+         *
+         * This can happen in two cases:
+         * 1) TCP GRO packet, DF bit not set
+         * 2) skb arrived via virtio-net, we thus get TSO/GSO skbs directly
+         * from host network stack.
+         */
+        features = netif_skb_features(skb);
+        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+        if (IS_ERR(segs)) {
+                kfree_skb(skb);
+                return -ENOMEM;
+        }
+
+        consume_skb(skb);
+
+        do {
+                struct sk_buff *nskb = segs->next;
+                int err;
+
+                segs->next = NULL;
+                err = ip_fragment(segs, ip_finish_output2);
+
+                if (err && ret == 0)
+                        ret = err;
+                segs = nskb;
+        } while (segs);
+
+        return ret;
+}
+
 static int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
@@ -220,10 +262,13 @@ static int ip_finish_output(struct sk_buff *skb)
                 return dst_output(skb);
         }
 #endif
-        if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))
+        if (skb_is_gso(skb))
+                return ip_finish_output_gso(skb);
+
+        if (skb->len > ip_skb_dst_mtu(skb))
                 return ip_fragment(skb, ip_finish_output2);
-        else
-                return ip_finish_output2(skb);
+
+        return ip_finish_output2(skb);
 }
 
 int ip_mc_output(struct sock *sk, struct sk_buff *skb)
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index fa5b7519765f..2acc2337d38b 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -442,6 +442,8 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
                 tunnel->i_seqno = ntohl(tpi->seq) + 1;
         }
 
+        skb_reset_network_header(skb);
+
         err = IP_ECN_decapsulate(iph, skb);
         if (unlikely(err)) {
                 if (log_ecn_error)
@@ -538,9 +540,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
         unsigned int max_headroom;      /* The extra header space needed */
         __be32 dst;
         int err;
-        bool connected = true;
+        bool connected;
 
         inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
+        connected = (tunnel->parms.iph.daddr != 0);
 
         dst = tnl_params->daddr;
         if (dst == 0) {
@@ -880,6 +883,7 @@ int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
          */
         if (!IS_ERR(itn->fb_tunnel_dev)) {
                 itn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL;
+                itn->fb_tunnel_dev->mtu = ip_tunnel_bind_dev(itn->fb_tunnel_dev);
                 ip_tunnel_add(itn, netdev_priv(itn->fb_tunnel_dev));
         }
         rtnl_unlock();
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index afcee51b90ed..13ef00f1e17b 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -239,6 +239,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 static int vti4_err(struct sk_buff *skb, u32 info)
 {
         __be32 spi;
+        __u32 mark;
         struct xfrm_state *x;
         struct ip_tunnel *tunnel;
         struct ip_esp_hdr *esph;
@@ -254,6 +255,8 @@ static int vti4_err(struct sk_buff *skb, u32 info)
         if (!tunnel)
                 return -1;
 
+        mark = be32_to_cpu(tunnel->parms.o_key);
+
         switch (protocol) {
         case IPPROTO_ESP:
                 esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
@@ -281,7 +284,7 @@ static int vti4_err(struct sk_buff *skb, u32 info)
                 return 0;
         }
 
-        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
                               spi, protocol, AF_INET);
         if (!x)
                 return 0;
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 12e13bd82b5b..f40f321b41fc 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -22,7 +22,6 @@
 #endif
 #include <net/netfilter/nf_conntrack_zones.h>
 
-/* Returns new sk_buff, or NULL */
 static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
 {
         int err;
@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
         err = ip_defrag(skb, user);
         local_bh_enable();
 
-        if (!err)
+        if (!err) {
                 ip_send_check(ip_hdr(skb));
+                skb->local_df = 1;
+        }
 
         return err;
 }
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 8210964a9f19..044a0ddf6a79 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -236,15 +236,15 @@ exit:
 static void inet_get_ping_group_range_net(struct net *net, kgid_t *low,
                                           kgid_t *high)
 {
-        kgid_t *data = net->ipv4.sysctl_ping_group_range;
+        kgid_t *data = net->ipv4.ping_group_range.range;
         unsigned int seq;
 
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ping_group_range.lock);
 
                 *low = data[0];
                 *high = data[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+        } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq));
 }
 
 
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index db1e0da871f4..5e676be3daeb 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1519,7 +1519,7 @@ static int __mkroute_input(struct sk_buff *skb,
         struct in_device *out_dev;
         unsigned int flags = 0;
         bool do_cache;
-        u32 itag;
+        u32 itag = 0;
 
         /* get a working reference to the output device */
         out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res));
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba052b43d..5cde8f263d40 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -45,10 +45,10 @@ static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
 /* Update system visible IP port range */
 static void set_local_port_range(struct net *net, int range[2])
 {
-        write_seqlock(&net->ipv4.sysctl_local_ports.lock);
-        net->ipv4.sysctl_local_ports.range[0] = range[0];
-        net->ipv4.sysctl_local_ports.range[1] = range[1];
-        write_sequnlock(&net->ipv4.sysctl_local_ports.lock);
+        write_seqlock(&net->ipv4.ip_local_ports.lock);
+        net->ipv4.ip_local_ports.range[0] = range[0];
+        net->ipv4.ip_local_ports.range[1] = range[1];
+        write_sequnlock(&net->ipv4.ip_local_ports.lock);
 }
 
 /* Validate changes from /proc interface. */
@@ -57,7 +57,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
                                  size_t *lenp, loff_t *ppos)
 {
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_local_ports.range);
+                container_of(table->data, struct net, ipv4.ip_local_ports.range);
         int ret;
         int range[2];
         struct ctl_table tmp = {
@@ -87,14 +87,14 @@ static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low
 {
         kgid_t *data = table->data;
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_ping_group_range);
+                container_of(table->data, struct net, ipv4.ping_group_range.range);
         unsigned int seq;
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
 
                 *low = data[0];
                 *high = data[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+        } while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
 }
 
 /* Update system visible IP port range */
@@ -102,11 +102,11 @@ static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t hig
 {
         kgid_t *data = table->data;
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_ping_group_range);
-        write_seqlock(&net->ipv4.sysctl_local_ports.lock);
+                container_of(table->data, struct net, ipv4.ping_group_range.range);
+        write_seqlock(&net->ipv4.ip_local_ports.lock);
         data[0] = low;
         data[1] = high;
-        write_sequnlock(&net->ipv4.sysctl_local_ports.lock);
+        write_sequnlock(&net->ipv4.ip_local_ports.lock);
 }
 
 /* Validate changes from /proc interface. */
@@ -805,7 +805,7 @@ static struct ctl_table ipv4_net_table[] = {
         },
         {
                 .procname       = "ping_group_range",
-                .data           = &init_net.ipv4.sysctl_ping_group_range,
+                .data           = &init_net.ipv4.ping_group_range.range,
                 .maxlen         = sizeof(gid_t)*2,
                 .mode           = 0644,
                 .proc_handler   = ipv4_ping_group_range,
@@ -819,8 +819,8 @@ static struct ctl_table ipv4_net_table[] = {
         },
         {
                 .procname       = "ip_local_port_range",
-                .maxlen         = sizeof(init_net.ipv4.sysctl_local_ports.range),
-                .data           = &init_net.ipv4.sysctl_local_ports.range,
+                .maxlen         = sizeof(init_net.ipv4.ip_local_ports.range),
+                .data           = &init_net.ipv4.ip_local_ports.range,
                 .mode           = 0644,
                 .proc_handler   = ipv4_local_port_range,
         },
@@ -858,20 +858,6 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
                         table[i].data += (void *)net - (void *)&init_net;
         }
 
-        /*
-         * Sane defaults - nobody may create ping sockets.
-         * Boot scripts should set this to distro-specific group.
-         */
-        net->ipv4.sysctl_ping_group_range[0] = make_kgid(&init_user_ns, 1);
-        net->ipv4.sysctl_ping_group_range[1] = make_kgid(&init_user_ns, 0);
-
-        /*
-         * Set defaults for local port range
-         */
-        seqlock_init(&net->ipv4.sysctl_local_ports.lock);
-        net->ipv4.sysctl_local_ports.range[0] =  32768;
-        net->ipv4.sysctl_local_ports.range[1] =  61000;
-
         net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
         if (net->ipv4.ipv4_hdr == NULL)
                 goto err_reg;
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 8bf224516ba2..b4f1b29b08bd 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -409,7 +409,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
                 ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
                 ratio += cnt;
 
-                ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
+                ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT);
         }
 
         /* Some calls are for duplicates without timetamps */
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index d6b46eb2f94c..3a26b3b23f16 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2684,13 +2684,12 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
         bool recovered = !before(tp->snd_una, tp->high_seq);
 
         if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
-                if (flag & FLAG_ORIG_SACK_ACKED) {
-                        /* Step 3.b. A timeout is spurious if not all data are
-                         * lost, i.e., never-retransmitted data are (s)acked.
-                         */
-                        tcp_try_undo_loss(sk, true);
+                /* Step 3.b. A timeout is spurious if not all data are
+                 * lost, i.e., never-retransmitted data are (s)acked.
+                 */
+                if (tcp_try_undo_loss(sk, flag & FLAG_ORIG_SACK_ACKED))
                         return;
-                }
+
                 if (after(tp->snd_nxt, tp->high_seq) &&
                     (flag & FLAG_DATA_SACKED || is_dupack)) {
                         tp->frto = 0; /* Loss was real: 2nd part of step 3.a */
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 025e25093984..12d6016bdd9a 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2441,8 +2441,14 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                 err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
         }
 
-        if (likely(!err))
+        if (likely(!err)) {
                 TCP_SKB_CB(skb)->sacked |= TCPCB_EVER_RETRANS;
+                /* Update global TCP statistics. */
+                TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
+                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
+                        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+                tp->total_retrans++;
+        }
         return err;
 }
 
@@ -2452,12 +2458,6 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
         int err = __tcp_retransmit_skb(sk, skb);
 
         if (err == 0) {
-                /* Update global TCP statistics. */
-                TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
-                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
-                        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
-                tp->total_retrans++;
-
 #if FASTRETRANS_DEBUG > 0
                 if (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_RETRANS) {
                         net_dbg_ratelimited("retrans_out leaked\n");
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 40e701f2e1e0..186a8ecf92fa 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -62,10 +62,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
         if (err)
                 return err;
 
-        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED;
-
-        skb->protocol = htons(ETH_P_IP);
+        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
 
         return x->outer_mode->output2(x, skb);
 }
@@ -73,27 +70,34 @@ EXPORT_SYMBOL(xfrm4_prepare_output);
 
 int xfrm4_output_finish(struct sk_buff *skb)
 {
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+        skb->protocol = htons(ETH_P_IP);
+
+#ifdef CONFIG_NETFILTER
+        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
+#endif
+
+        return xfrm_output(skb);
+}
+
+static int __xfrm4_output(struct sk_buff *skb)
+{
+        struct xfrm_state *x = skb_dst(skb)->xfrm;
+
 #ifdef CONFIG_NETFILTER
-        if (!skb_dst(skb)->xfrm) {
+        if (!x) {
                 IPCB(skb)->flags |= IPSKB_REROUTED;
                 return dst_output(skb);
         }
-
-        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 #endif
 
-        skb->protocol = htons(ETH_P_IP);
-        return xfrm_output(skb);
+        return x->outer_mode->afinfo->output_finish(skb);
 }
 
 int xfrm4_output(struct sock *sk, struct sk_buff *skb)
 {
-        struct dst_entry *dst = skb_dst(skb);
-        struct xfrm_state *x = dst->xfrm;
-
         return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
-                            NULL, dst->dev,
-                            x->outer_mode->afinfo->output_finish,
+                            NULL, skb_dst(skb)->dev, __xfrm4_output,
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c
index 7f7b243e8139..a2ce0101eaac 100644
--- a/net/ipv4/xfrm4_protocol.c
+++ b/net/ipv4/xfrm4_protocol.c
@@ -50,8 +50,12 @@ int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err)
 {
         int ret;
         struct xfrm4_protocol *handler;
+        struct xfrm4_protocol __rcu **head = proto_handlers(protocol);
 
-        for_each_protocol_rcu(*proto_handlers(protocol), handler)
+        if (!head)
+                return 0;
+
+        for_each_protocol_rcu(*head, handler)
                 if ((ret = handler->cb_handler(skb, err)) <= 0)
                         return ret;
 
@@ -64,15 +68,20 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
 {
         int ret;
         struct xfrm4_protocol *handler;
+        struct xfrm4_protocol __rcu **head = proto_handlers(nexthdr);
 
         XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
         XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
 
-        for_each_protocol_rcu(*proto_handlers(nexthdr), handler)
+        if (!head)
+                goto out;
+
+        for_each_protocol_rcu(*head, handler)
                 if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL)
                         return ret;
 
+out:
         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 
         kfree_skb(skb);
@@ -208,6 +217,9 @@ int xfrm4_protocol_register(struct xfrm4_protocol *handler,
         int ret = -EEXIST;
         int priority = handler->priority;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm4_protocol_mutex);
 
         if (!rcu_dereference_protected(*proto_handlers(protocol),
@@ -250,6 +262,9 @@ int xfrm4_protocol_deregister(struct xfrm4_protocol *handler,
         struct xfrm4_protocol *t;
         int ret = -ENOENT;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm4_protocol_mutex);
 
         for (pprev = proto_handlers(protocol);