3 files changed, 39 insertions, 5 deletions

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 72380a30d1c..7cd7760144f 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -413,7 +413,7 @@ config INET_XFRM_MODE_BEET
           If unsure, say Y.
 
 config INET_LRO
-        bool "Large Receive Offload (ipv4/tcp)"
+        tristate "Large Receive Offload (ipv4/tcp)"
         default y
         ---help---
           Support for Large Receive Offload (ipv4/tcp).
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 1fdcacd36ce..2a4bb76f213 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -834,7 +834,7 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
         int                     mark = 0;
 
 
-        if (len == 8 || IGMP_V2_SEEN(in_dev)) {
+        if (len == 8) {
                 if (ih->code == 0) {
                         /* Alas, old v1 router presents here. */
 
@@ -856,6 +856,18 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
                 igmpv3_clear_delrec(in_dev);
         } else if (len < 12) {
                 return; /* ignore bogus packet; freed by caller */
+        } else if (IGMP_V1_SEEN(in_dev)) {
+                /* This is a v3 query with v1 queriers present */
+                max_delay = IGMP_Query_Response_Interval;
+                group = 0;
+        } else if (IGMP_V2_SEEN(in_dev)) {
+                /* this is a v3 query with v2 queriers present;
+                 * Interpretation of the max_delay code is problematic here.
+                 * A real v2 host would use ih_code directly, while v3 has a
+                 * different encoding. We use the v3 encoding as more likely
+                 * to be intended in a v3 query.
+                 */
+                max_delay = IGMPV3_MRC(ih3->code)*(HZ/IGMP_TIMER_SCALE);
         } else { /* v3 */
                 if (!pskb_may_pull(skb, sizeof(struct igmpv3_query)))
                         return;
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 244f7cb08d6..37f8adb68c7 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -11,6 +11,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
+#include <linux/security.h>
 #include <net/net_namespace.h>
 
 #include <linux/netfilter.h>
@@ -87,6 +88,29 @@ static void ct_seq_stop(struct seq_file *s, void *v)
         rcu_read_unlock();
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        int ret;
+        u32 len;
+        char *secctx;
+
+        ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+        if (ret)
+                return ret;
+
+        ret = seq_printf(s, "secctx=%s ", secctx);
+
+        security_release_secctx(secctx, len);
+        return ret;
+}
+#else
+static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+        return 0;
+}
+#endif
+
 static int ct_seq_show(struct seq_file *s, void *v)
 {
         struct nf_conntrack_tuple_hash *hash = v;
@@ -148,10 +172,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
                 goto release;
 #endif
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-        if (seq_printf(s, "secmark=%u ", ct->secmark))
+        if (ct_show_secctx(s, ct))
                 goto release;
-#endif
 
         if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
                 goto release;