Merge branch 'linus' into core/locking

Reason: Pull in the semaphore related changes

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

21 files changed, 176 insertions, 79 deletions

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 7c3a7d191249..72380a30d1c8 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -46,7 +46,7 @@ config IP_ADVANCED_ROUTER
           rp_filter on use:
 
           echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter
-           and
+           or
           echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 
           Note that some distributions enable it in startup scripts.
@@ -217,6 +217,7 @@ config NET_IPIP
 
 config NET_IPGRE
         tristate "IP: GRE tunnels over IP"
+        depends on IPV6 || IPV6=n
         help
           Tunneling means encapsulating data of one protocol type within
           another protocol and sending it over a channel that understands the
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index f0550941df7b..721a8a37b45c 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -62,8 +62,11 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
         }
         if (!inet->inet_saddr)
                 inet->inet_saddr = rt->rt_src;  /* Update source address */
-        if (!inet->inet_rcv_saddr)
+        if (!inet->inet_rcv_saddr) {
                 inet->inet_rcv_saddr = rt->rt_src;
+                if (sk->sk_prot->rehash)
+                        sk->sk_prot->rehash(sk);
+        }
         inet->inet_daddr = rt->rt_dst;
         inet->inet_dport = usin->sin_port;
         sk->sk_state = TCP_ESTABLISHED;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index a43968918350..7d02a9f999fa 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -246,6 +246,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 
         struct fib_result res;
         int no_addr, rpf, accept_local;
+        bool dev_match;
         int ret;
         struct net *net;
 
@@ -273,12 +274,22 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
         }
         *spec_dst = FIB_RES_PREFSRC(res);
         fib_combine_itag(itag, &res);
+        dev_match = false;
+
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-        if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
+        for (ret = 0; ret < res.fi->fib_nhs; ret++) {
+                struct fib_nh *nh = &res.fi->fib_nh[ret];
+
+                if (nh->nh_dev == dev) {
+                        dev_match = true;
+                        break;
+                }
+        }
 #else
         if (FIB_RES_DEV(res) == dev)
+                dev_match = true;
 #endif
-        {
+        if (dev_match) {
                 ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
                 fib_res_put(&res);
                 return ret;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 79d057a939ba..4a8e370862bc 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -186,7 +186,9 @@ static inline struct tnode *node_parent_rcu(struct node *node)
 {
         struct tnode *ret = node_parent(node);
 
-        return rcu_dereference(ret);
+        return rcu_dereference_check(ret,
+                                     rcu_read_lock_held() ||
+                                     lockdep_rtnl_is_held());
 }
 
 /* Same as rcu_assign_pointer
@@ -1753,7 +1755,9 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct node *c)
 
 static struct leaf *trie_firstleaf(struct trie *t)
 {
-        struct tnode *n = (struct tnode *) rcu_dereference(t->trie);
+        struct tnode *n = (struct tnode *) rcu_dereference_check(t->trie,
+                                                        rcu_read_lock_held() ||
+                                                        lockdep_rtnl_is_held());
 
         if (!n)
                 return NULL;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index a1ad0e7180d2..1fdcacd36ce7 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -834,7 +834,7 @@ static void igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
         int                     mark = 0;
 
 
-        if (len == 8) {
+        if (len == 8 || IGMP_V2_SEEN(in_dev)) {
                 if (ih->code == 0) {
                         /* Alas, old v1 router presents here. */
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 945b20a5ad50..35c93e8b6a46 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -45,7 +45,7 @@
 #include <net/netns/generic.h>
 #include <net/rtnetlink.h>
 
-#ifdef CONFIG_IPV6
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #include <net/ipv6.h>
 #include <net/ip6_fib.h>
 #include <net/ip6_route.h>
@@ -699,7 +699,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                         if ((dst = rt->rt_gateway) == 0)
                                 goto tx_error_icmp;
                 }
-#ifdef CONFIG_IPV6
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                 else if (skb->protocol == htons(ETH_P_IPV6)) {
                         struct in6_addr *addr6;
                         int addr_type;
@@ -774,7 +774,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                         goto tx_error;
                 }
         }
-#ifdef CONFIG_IPV6
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
         else if (skb->protocol == htons(ETH_P_IPV6)) {
                 struct rt6_info *rt6 = (struct rt6_info *)skb_dst(skb);
 
@@ -850,7 +850,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
         if ((iph->ttl = tiph->ttl) == 0) {
                 if (skb->protocol == htons(ETH_P_IP))
                         iph->ttl = old_iph->ttl;
-#ifdef CONFIG_IPV6
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                 else if (skb->protocol == htons(ETH_P_IPV6))
                         iph->ttl = ((struct ipv6hdr *)old_iph)->hop_limit;
 #endif
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 04b69896df5f..7649d7750075 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -488,9 +488,8 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
          * we can switch to copy when see the first bad fragment.
          */
         if (skb_has_frags(skb)) {
-                struct sk_buff *frag;
+                struct sk_buff *frag, *frag2;
                 int first_len = skb_pagelen(skb);
-                int truesizes = 0;
 
                 if (first_len - hlen > mtu ||
                     ((first_len - hlen) & 7) ||
@@ -503,18 +502,18 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
                         if (frag->len > mtu ||
                             ((frag->len & 7) && frag->next) ||
                             skb_headroom(frag) < hlen)
-                            goto slow_path;
+                                goto slow_path_clean;
 
                         /* Partially cloned skb? */
                         if (skb_shared(frag))
-                                goto slow_path;
+                                goto slow_path_clean;
 
                         BUG_ON(frag->sk);
                         if (skb->sk) {
                                 frag->sk = skb->sk;
                                 frag->destructor = sock_wfree;
                         }
-                        truesizes += frag->truesize;
+                        skb->truesize -= frag->truesize;
                 }
 
                 /* Everything is OK. Generate! */
@@ -524,7 +523,6 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
                 frag = skb_shinfo(skb)->frag_list;
                 skb_frag_list_init(skb);
                 skb->data_len = first_len - skb_headlen(skb);
-                skb->truesize -= truesizes;
                 skb->len = first_len;
                 iph->tot_len = htons(first_len);
                 iph->frag_off = htons(IP_MF);
@@ -576,6 +574,15 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
                 }
                 IP_INC_STATS(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
                 return err;
+
+slow_path_clean:
+                skb_walk_frags(skb, frag2) {
+                        if (frag2 == frag)
+                                break;
+                        frag2->sk = NULL;
+                        frag2->destructor = NULL;
+                        skb->truesize += frag2->truesize;
+                }
         }
 
 slow_path:
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 6c40a8c46e79..64b70ad162e3 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1129,6 +1129,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
         case IP_HDRINCL:
                 val = inet->hdrincl;
                 break;
+        case IP_NODEFRAG:
+                val = inet->nodefrag;
+                break;
         case IP_MTU_DISCOVER:
                 val = inet->pmtudisc;
                 break;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 6bccba31d132..e8f4f9a57f12 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -735,6 +735,7 @@ static void get_counters(const struct xt_table_info *t,
                 if (cpu == curcpu)
                         continue;
                 i = 0;
+                local_bh_disable();
                 xt_info_wrlock(cpu);
                 xt_entry_foreach(iter, t->entries[cpu], t->size) {
                         ADD_COUNTER(counters[i], iter->counters.bcnt,
@@ -742,6 +743,7 @@ static void get_counters(const struct xt_table_info *t,
                         ++i;
                 }
                 xt_info_wrunlock(cpu);
+                local_bh_enable();
         }
         put_cpu();
 }
@@ -1418,6 +1420,9 @@ static int translate_compat_table(const char *name,
                 if (ret != 0)
                         break;
                 ++i;
+                if (strcmp(arpt_get_target(iter1)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
         }
         if (ret) {
                 /*
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c439721b165a..d163f2e3b2e9 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -909,6 +909,7 @@ get_counters(const struct xt_table_info *t,
                 if (cpu == curcpu)
                         continue;
                 i = 0;
+                local_bh_disable();
                 xt_info_wrlock(cpu);
                 xt_entry_foreach(iter, t->entries[cpu], t->size) {
                         ADD_COUNTER(counters[i], iter->counters.bcnt,
@@ -916,6 +917,7 @@ get_counters(const struct xt_table_info *t,
                         ++i; /* macro does multi eval of i */
                 }
                 xt_info_wrunlock(cpu);
+                local_bh_enable();
         }
         put_cpu();
 }
@@ -1749,6 +1751,9 @@ translate_compat_table(struct net *net,
                 if (ret != 0)
                         break;
                 ++i;
+                if (strcmp(ipt_get_target(iter1)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
         }
         if (ret) {
                 /*
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index b254dafaf429..43eec80c0e7c 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -112,6 +112,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
         /* ip_route_me_harder expects skb->dst to be set */
         skb_dst_set_noref(nskb, skb_dst(oldskb));
 
+        nskb->protocol = htons(ETH_P_IP);
         if (ip_route_me_harder(nskb, addr_type))
                 goto free_nskb;
 
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index eab8de32f200..f3a9b42b16c6 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -66,9 +66,11 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
 {
+        struct sock *sk = skb->sk;
         struct inet_sock *inet = inet_sk(skb->sk);
 
-        if (inet && inet->nodefrag)
+        if (sk && (sk->sk_family == PF_INET) &&
+            inet->nodefrag)
                 return NF_ACCEPT;
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 1679e2c0963d..ee5f419d0a56 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -893,13 +893,15 @@ static void fast_csum(__sum16 *csum,
         unsigned char s[4];
 
         if (offset & 1) {
-                s[0] = s[2] = 0;
+                s[0] = ~0;
                 s[1] = ~*optr;
+                s[2] = 0;
                 s[3] = *nptr;
         } else {
-                s[1] = s[3] = 0;
                 s[0] = ~*optr;
+                s[1] = ~0;
                 s[2] = *nptr;
+                s[3] = 0;
         }
 
         *csum = csum_fold(csum_partial(s, 4, ~csum_unfold(*csum)));
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3f56b6e6c6aa..ac6559cb54f9 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1231,7 +1231,7 @@ restart:
                         }
 
                         if (net_ratelimit())
-                                printk(KERN_WARNING "Neighbour table overflow.\n");
+                                printk(KERN_WARNING "ipv4: Neighbour table overflow.\n");
                         rt_drop(rt);
                         return -ENOBUFS;
                 }
@@ -2738,6 +2738,11 @@ slow_output:
 }
 EXPORT_SYMBOL_GPL(__ip_route_output_key);
 
+static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 cookie)
+{
+        return NULL;
+}
+
 static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
@@ -2746,7 +2751,7 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
         .family                 =       AF_INET,
         .protocol               =       cpu_to_be16(ETH_P_IP),
         .destroy                =       ipv4_dst_destroy,
-        .check                  =       ipv4_dst_check,
+        .check                  =       ipv4_blackhole_dst_check,
         .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
         .entries                =       ATOMIC_INIT(0),
 };
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 176e11aaea77..f115ea68a4ef 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -386,8 +386,6 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
          */
 
         mask = 0;
-        if (sk->sk_err)
-                mask = POLLERR;
 
         /*
          * POLLHUP is certainly not done right. But poll() doesn't
@@ -451,11 +449,17 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
                                 if (sk_stream_wspace(sk) >= sk_stream_min_wspace(sk))
                                         mask |= POLLOUT | POLLWRNORM;
                         }
-                }
+                } else
+                        mask |= POLLOUT | POLLWRNORM;
 
                 if (tp->urg_data & TCP_URG_VALID)
                         mask |= POLLPRI;
         }
+        /* This barrier is coupled with smp_wmb() in tcp_reset() */
+        smp_rmb();
+        if (sk->sk_err)
+                mask |= POLLERR;
+
         return mask;
 }
 EXPORT_SYMBOL(tcp_poll);
@@ -939,7 +943,7 @@ int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
         sg = sk->sk_route_caps & NETIF_F_SG;
 
         while (--iovlen >= 0) {
-                int seglen = iov->iov_len;
+                size_t seglen = iov->iov_len;
                 unsigned char __user *from = iov->iov_base;
 
                 iov++;
@@ -2011,11 +2015,8 @@ adjudge_to_death:
                 }
         }
         if (sk->sk_state != TCP_CLOSE) {
-                int orphan_count = percpu_counter_read_positive(
-                                                sk->sk_prot->orphan_count);
-
                 sk_mem_reclaim(sk);
-                if (tcp_too_many_orphans(sk, orphan_count)) {
+                if (tcp_too_many_orphans(sk, 0)) {
                         if (net_ratelimit())
                                 printk(KERN_INFO "TCP: too many of orphaned "
                                        "sockets\n");
@@ -3212,7 +3213,7 @@ void __init tcp_init(void)
 {
         struct sk_buff *skb = NULL;
         unsigned long nr_pages, limit;
-        int order, i, max_share;
+        int i, max_share, cnt;
         unsigned long jiffy = jiffies;
 
         BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb));
@@ -3261,22 +3262,12 @@ void __init tcp_init(void)
                 INIT_HLIST_HEAD(&tcp_hashinfo.bhash[i].chain);
         }
 
-        /* Try to be a bit smarter and adjust defaults depending
-         * on available memory.
-         */
-        for (order = 0; ((1 << order) << PAGE_SHIFT) <
-                        (tcp_hashinfo.bhash_size * sizeof(struct inet_bind_hashbucket));
-                        order++)
-                ;
-        if (order >= 4) {
-                tcp_death_row.sysctl_max_tw_buckets = 180000;
-                sysctl_tcp_max_orphans = 4096 << (order - 4);
-                sysctl_max_syn_backlog = 1024;
-        } else if (order < 3) {
-                tcp_death_row.sysctl_max_tw_buckets >>= (3 - order);
-                sysctl_tcp_max_orphans >>= (3 - order);
-                sysctl_max_syn_backlog = 128;
-        }
+
+        cnt = tcp_hashinfo.ehash_mask + 1;
+
+        tcp_death_row.sysctl_max_tw_buckets = cnt / 2;
+        sysctl_tcp_max_orphans = cnt / 2;
+        sysctl_max_syn_backlog = max(128, cnt / 256);
 
         /* Set the pressure threshold to be a fraction of global memory that
          * is up to 1/2 at 256 MB, decreasing toward zero with the amount of
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 0ec9bd0ae94f..850c737e08e2 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -196,10 +196,10 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
 int tcp_set_allowed_congestion_control(char *val)
 {
         struct tcp_congestion_ops *ca;
-        char *clone, *name;
+        char *saved_clone, *clone, *name;
         int ret = 0;
 
-        clone = kstrdup(val, GFP_USER);
+        saved_clone = clone = kstrdup(val, GFP_USER);
         if (!clone)
                 return -ENOMEM;
 
@@ -226,6 +226,7 @@ int tcp_set_allowed_congestion_control(char *val)
         }
 out:
         spin_unlock(&tcp_cong_list_lock);
+        kfree(saved_clone);
 
         return ret;
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e663b78a2ef6..b55f60f6fcbe 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2545,7 +2545,8 @@ static void tcp_mark_head_lost(struct sock *sk, int packets)
                         cnt += tcp_skb_pcount(skb);
 
                 if (cnt > packets) {
-                        if (tcp_is_sack(tp) || (oldcnt >= packets))
+                        if ((tcp_is_sack(tp) && !tcp_is_fack(tp)) ||
+                            (oldcnt >= packets))
                                 break;
 
                         mss = skb_shinfo(skb)->gso_size;
@@ -4048,6 +4049,8 @@ static void tcp_reset(struct sock *sk)
         default:
                 sk->sk_err = ECONNRESET;
         }
+        /* This barrier is coupled with smp_rmb() in tcp_poll() */
+        smp_wmb();
 
         if (!sock_flag(sk, SOCK_DEAD))
                 sk->sk_error_report(sk);
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 808bb920c9f5..74c54b30600f 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -66,18 +66,18 @@ static void tcp_write_err(struct sock *sk)
 static int tcp_out_of_resources(struct sock *sk, int do_reset)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        int orphans = percpu_counter_read_positive(&tcp_orphan_count);
+        int shift = 0;
 
         /* If peer does not open window for long time, or did not transmit
          * anything for long time, penalize it. */
         if ((s32)(tcp_time_stamp - tp->lsndtime) > 2*TCP_RTO_MAX || !do_reset)
-                orphans <<= 1;
+                shift++;
 
         /* If some dubious ICMP arrived, penalize even more. */
         if (sk->sk_err_soft)
-                orphans <<= 1;
+                shift++;
 
-        if (tcp_too_many_orphans(sk, orphans)) {
+        if (tcp_too_many_orphans(sk, shift)) {
                 if (net_ratelimit())
                         printk(KERN_INFO "Out of socket memory\n");
 
@@ -135,13 +135,16 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
 
 /* This function calculates a "timeout" which is equivalent to the timeout of a
  * TCP connection after "boundary" unsuccessful, exponentially backed-off
- * retransmissions with an initial RTO of TCP_RTO_MIN.
+ * retransmissions with an initial RTO of TCP_RTO_MIN or TCP_TIMEOUT_INIT if
+ * syn_set flag is set.
  */
 static bool retransmits_timed_out(struct sock *sk,
-                                  unsigned int boundary)
+                                  unsigned int boundary,
+                                  bool syn_set)
 {
         unsigned int timeout, linear_backoff_thresh;
         unsigned int start_ts;
+        unsigned int rto_base = syn_set ? TCP_TIMEOUT_INIT : TCP_RTO_MIN;
 
         if (!inet_csk(sk)->icsk_retransmits)
                 return false;
@@ -151,12 +154,12 @@ static bool retransmits_timed_out(struct sock *sk,
         else
                 start_ts = tcp_sk(sk)->retrans_stamp;
 
-        linear_backoff_thresh = ilog2(TCP_RTO_MAX/TCP_RTO_MIN);
+        linear_backoff_thresh = ilog2(TCP_RTO_MAX/rto_base);
 
         if (boundary <= linear_backoff_thresh)
-                timeout = ((2 << boundary) - 1) * TCP_RTO_MIN;
+                timeout = ((2 << boundary) - 1) * rto_base;
         else
-                timeout = ((2 << linear_backoff_thresh) - 1) * TCP_RTO_MIN +
+                timeout = ((2 << linear_backoff_thresh) - 1) * rto_base +
                           (boundary - linear_backoff_thresh) * TCP_RTO_MAX;
 
         return (tcp_time_stamp - start_ts) >= timeout;
@@ -167,14 +170,15 @@ static int tcp_write_timeout(struct sock *sk)
 {
         struct inet_connection_sock *icsk = inet_csk(sk);
         int retry_until;
-        bool do_reset;
+        bool do_reset, syn_set = 0;
 
         if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
                 if (icsk->icsk_retransmits)
                         dst_negative_advice(sk);
                 retry_until = icsk->icsk_syn_retries ? : sysctl_tcp_syn_retries;
+                syn_set = 1;
         } else {
-                if (retransmits_timed_out(sk, sysctl_tcp_retries1)) {
+                if (retransmits_timed_out(sk, sysctl_tcp_retries1, 0)) {
                         /* Black hole detection */
                         tcp_mtu_probing(icsk, sk);
 
@@ -187,14 +191,14 @@ static int tcp_write_timeout(struct sock *sk)
 
                         retry_until = tcp_orphan_retries(sk, alive);
                         do_reset = alive ||
-                                   !retransmits_timed_out(sk, retry_until);
+                                   !retransmits_timed_out(sk, retry_until, 0);
 
                         if (tcp_out_of_resources(sk, do_reset))
                                 return 1;
                 }
         }
 
-        if (retransmits_timed_out(sk, retry_until)) {
+        if (retransmits_timed_out(sk, retry_until, syn_set)) {
                 /* Has it gone just too far? */
                 tcp_write_err(sk);
                 return 1;
@@ -436,7 +440,7 @@ out_reset_timer:
                 icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
         }
         inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, icsk->icsk_rto, TCP_RTO_MAX);
-        if (retransmits_timed_out(sk, sysctl_tcp_retries1 + 1))
+        if (retransmits_timed_out(sk, sysctl_tcp_retries1 + 1, 0))
                 __sk_dst_reset(sk);
 
 out:;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 32e0bef60d0a..fb23c2e63b52 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1260,6 +1260,49 @@ void udp_lib_unhash(struct sock *sk)
 }
 EXPORT_SYMBOL(udp_lib_unhash);
 
+/*
+ * inet_rcv_saddr was changed, we must rehash secondary hash
+ */
+void udp_lib_rehash(struct sock *sk, u16 newhash)
+{
+        if (sk_hashed(sk)) {
+                struct udp_table *udptable = sk->sk_prot->h.udp_table;
+                struct udp_hslot *hslot, *hslot2, *nhslot2;
+
+                hslot2 = udp_hashslot2(udptable, udp_sk(sk)->udp_portaddr_hash);
+                nhslot2 = udp_hashslot2(udptable, newhash);
+                udp_sk(sk)->udp_portaddr_hash = newhash;
+                if (hslot2 != nhslot2) {
+                        hslot = udp_hashslot(udptable, sock_net(sk),
+                                             udp_sk(sk)->udp_port_hash);
+                        /* we must lock primary chain too */
+                        spin_lock_bh(&hslot->lock);
+
+                        spin_lock(&hslot2->lock);
+                        hlist_nulls_del_init_rcu(&udp_sk(sk)->udp_portaddr_node);
+                        hslot2->count--;
+                        spin_unlock(&hslot2->lock);
+
+                        spin_lock(&nhslot2->lock);
+                        hlist_nulls_add_head_rcu(&udp_sk(sk)->udp_portaddr_node,
+                                                 &nhslot2->head);
+                        nhslot2->count++;
+                        spin_unlock(&nhslot2->lock);
+
+                        spin_unlock_bh(&hslot->lock);
+                }
+        }
+}
+EXPORT_SYMBOL(udp_lib_rehash);
+
+static void udp_v4_rehash(struct sock *sk)
+{
+        u16 new_hash = udp4_portaddr_hash(sock_net(sk),
+                                          inet_sk(sk)->inet_rcv_saddr,
+                                          inet_sk(sk)->inet_num);
+        udp_lib_rehash(sk, new_hash);
+}
+
 static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
@@ -1843,6 +1886,7 @@ struct proto udp_prot = {
         .backlog_rcv       = __udp_queue_rcv_skb,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v4_rehash,
         .get_port          = udp_v4_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 869078d4eeb9..a580349f0b8a 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -61,7 +61,7 @@ static int xfrm4_get_saddr(struct net *net,
 
 static int xfrm4_get_tos(struct flowi *fl)
 {
-        return fl->fl4_tos;
+        return IPTOS_RT_MASK & fl->fl4_tos; /* Strip ECN bits */
 }
 
 static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 1ef1366a0a03..47947624eccc 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -21,21 +21,25 @@ static int xfrm4_init_flags(struct xfrm_state *x)
 }
 
 static void
-__xfrm4_init_tempsel(struct xfrm_state *x, struct flowi *fl,
-                     struct xfrm_tmpl *tmpl,
-                     xfrm_address_t *daddr, xfrm_address_t *saddr)
+__xfrm4_init_tempsel(struct xfrm_selector *sel, struct flowi *fl)
+{
+        sel->daddr.a4 = fl->fl4_dst;
+        sel->saddr.a4 = fl->fl4_src;
+        sel->dport = xfrm_flowi_dport(fl);
+        sel->dport_mask = htons(0xffff);
+        sel->sport = xfrm_flowi_sport(fl);
+        sel->sport_mask = htons(0xffff);
+        sel->family = AF_INET;
+        sel->prefixlen_d = 32;
+        sel->prefixlen_s = 32;
+        sel->proto = fl->proto;
+        sel->ifindex = fl->oif;
+}
+
+static void
+xfrm4_init_temprop(struct xfrm_state *x, struct xfrm_tmpl *tmpl,
+                   xfrm_address_t *daddr, xfrm_address_t *saddr)
 {
-        x->sel.daddr.a4 = fl->fl4_dst;
-        x->sel.saddr.a4 = fl->fl4_src;
-        x->sel.dport = xfrm_flowi_dport(fl);
-        x->sel.dport_mask = htons(0xffff);
-        x->sel.sport = xfrm_flowi_sport(fl);
-        x->sel.sport_mask = htons(0xffff);
-        x->sel.family = AF_INET;
-        x->sel.prefixlen_d = 32;
-        x->sel.prefixlen_s = 32;
-        x->sel.proto = fl->proto;
-        x->sel.ifindex = fl->oif;
         x->id = tmpl->id;
         if (x->id.daddr.a4 == 0)
                 x->id.daddr.a4 = daddr->a4;
@@ -70,6 +74,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
         .owner                  = THIS_MODULE,
         .init_flags             = xfrm4_init_flags,
         .init_tempsel           = __xfrm4_init_tempsel,
+        .init_temprop           = xfrm4_init_temprop,
         .output                 = xfrm4_output,
         .extract_input          = xfrm4_extract_input,
         .extract_output         = xfrm4_extract_output,