4 files changed, 37 insertions, 12 deletions

diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 58064d9e565..791ab2e77f3 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -462,8 +462,8 @@ static struct xfrm_algo_desc ealg_list[] = {
         .desc = {
                 .sadb_alg_id = SADB_X_EALG_AESCTR,
                 .sadb_alg_ivlen = 8,
-                .sadb_alg_minbits = 128,
-                .sadb_alg_maxbits = 256
+                .sadb_alg_minbits = 160,
+                .sadb_alg_maxbits = 288
         }
 },
 };
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index a026b0ef244..54a0dc2e2f8 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -212,6 +212,11 @@ resume:
                 /* only the first xfrm gets the encap type */
                 encap_type = 0;
 
+                if (async && x->repl->check(x, skb, seq)) {
+                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
+                        goto drop_unlock;
+                }
+
                 x->repl->advance(x, seq);
 
                 x->curlft.bytes += skb->len;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5ce74a38552..7e088c055cf 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1349,14 +1349,16 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
                 BUG();
         }
         xdst = dst_alloc(dst_ops, NULL, 0, 0, 0);
-        memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry));
-        xfrm_policy_put_afinfo(afinfo);
 
-        if (likely(xdst))
+        if (likely(xdst)) {
+                memset(&xdst->u.rt6.rt6i_table, 0,
+                        sizeof(*xdst) - sizeof(struct dst_entry));
                 xdst->flo.ops = &xfrm_bundle_fc_ops;
-        else
+        } else
                 xdst = ERR_PTR(-ENOBUFS);
 
+        xfrm_policy_put_afinfo(afinfo);
+
         return xdst;
 }
 
@@ -1497,7 +1499,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                 goto free_dst;
 
         /* Copy neighbour for reachability confirmation */
-        dst0->neighbour = neigh_clone(dst->neighbour);
+        dst_set_neighbour(dst0, neigh_clone(dst_get_neighbour(dst)));
 
         xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);
         xfrm_init_pmtu(dst_prev);
@@ -2274,8 +2276,6 @@ static void __xfrm_garbage_collect(struct net *net)
 {
         struct dst_entry *head, *next;
 
-        flow_cache_flush();
-
         spin_lock_bh(&xfrm_policy_sk_bundle_lock);
         head = xfrm_policy_sk_bundles;
         xfrm_policy_sk_bundles = NULL;
@@ -2288,6 +2288,18 @@ static void __xfrm_garbage_collect(struct net *net)
         }
 }
 
+static void xfrm_garbage_collect(struct net *net)
+{
+        flow_cache_flush();
+        __xfrm_garbage_collect(net);
+}
+
+static void xfrm_garbage_collect_deferred(struct net *net)
+{
+        flow_cache_flush_deferred();
+        __xfrm_garbage_collect(net);
+}
+
 static void xfrm_init_pmtu(struct dst_entry *dst)
 {
         do {
@@ -2385,6 +2397,11 @@ static unsigned int xfrm_default_mtu(const struct dst_entry *dst)
         return dst_mtu(dst->path);
 }
 
+static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst, const void *daddr)
+{
+        return dst_neigh_lookup(dst->path, daddr);
+}
+
 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
 {
         struct net *net;
@@ -2410,8 +2427,10 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
                         dst_ops->negative_advice = xfrm_negative_advice;
                 if (likely(dst_ops->link_failure == NULL))
                         dst_ops->link_failure = xfrm_link_failure;
+                if (likely(dst_ops->neigh_lookup == NULL))
+                        dst_ops->neigh_lookup = xfrm_neigh_lookup;
                 if (likely(afinfo->garbage_collect == NULL))
-                        afinfo->garbage_collect = __xfrm_garbage_collect;
+                        afinfo->garbage_collect = xfrm_garbage_collect_deferred;
                 xfrm_policy_afinfo[afinfo->family] = afinfo;
         }
         write_unlock_bh(&xfrm_policy_afinfo_lock);
@@ -2505,7 +2524,7 @@ static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void
 
         switch (event) {
         case NETDEV_DOWN:
-                __xfrm_garbage_collect(dev_net(dev));
+                xfrm_garbage_collect(dev_net(dev));
         }
         return NOTIFY_DONE;
 }
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c658cb3bc7c..0256b8a0a7c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2299,7 +2299,8 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 if (link->dump == NULL)
                         return -EINVAL;
 
-                return netlink_dump_start(net->xfrm.nlsk, skb, nlh, link->dump, link->done);
+                return netlink_dump_start(net->xfrm.nlsk, skb, nlh,
+                                          link->dump, link->done, 0);
         }
 
         err = nlmsg_parse(nlh, xfrm_msg_min[type], attrs, XFRMA_MAX,