Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp

Conflicts: litmus/sched_cedf.c
author: Glenn Elliott <gelliott@cs.unc.edu> 2012-03-04 19:47:13 -0500
committer: Glenn Elliott <gelliott@cs.unc.edu> 2012-03-04 19:47:13 -0500
commit: c71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
tree: ecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /net/xfrm
parent: ea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent: 6a00f206debf8a5c8899055726ad127dbeeed098 (diff)
10 files changed, 1001 insertions, 363 deletions
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
index c631047e1b27..aa429eefe919 100644
--- a/net/xfrm/Makefile
+++ b/net/xfrm/Makefile
@@ -4,7 +4,7 @@
 obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
                      xfrm_input.o xfrm_output.o xfrm_algo.o \
-                      xfrm_sysctl.o
+                      xfrm_sysctl.o xfrm_replay.o
 obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
 obj-$(CONFIG_XFRM_USER) += xfrm_user.o
 obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 8b4d6e3246e5..58064d9e565d 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -618,21 +618,21 @@ static int xfrm_alg_name_match(const struct xfrm_algo_desc *entry,
                        (entry->compat && !strcmp(name, entry->compat)));
 }
-struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_aalg_list, xfrm_alg_name_match, name,
                              probe);
 }
 EXPORT_SYMBOL_GPL(xfrm_aalg_get_byname);
-struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_ealg_list, xfrm_alg_name_match, name,
                              probe);
 }
 EXPORT_SYMBOL_GPL(xfrm_ealg_get_byname);
-struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_calg_list, xfrm_alg_name_match, name,
                              probe);
@@ -654,7 +654,7 @@ static int xfrm_aead_name_match(const struct xfrm_algo_desc *entry,
               !strcmp(name, entry->name);
 }
-struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len, int probe)
+struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, int probe)
 {
        struct xfrm_aead_name data = {
                .name = name,
diff --git a/net/xfrm/xfrm_hash.c b/net/xfrm/xfrm_hash.c
index a2023ec52329..1e98bc0fe0a5 100644
--- a/net/xfrm/xfrm_hash.c
+++ b/net/xfrm/xfrm_hash.c
@@ -19,7 +19,7 @@ struct hlist_head *xfrm_hash_alloc(unsigned int sz)
        if (sz <= PAGE_SIZE)
                n = kzalloc(sz, GFP_KERNEL);
        else if (hashdist)
-                n = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
+                n = vzalloc(sz);
        else
                n = (struct hlist_head *)
                        __get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
diff --git a/net/xfrm/xfrm_hash.h b/net/xfrm/xfrm_hash.h
index 8e69533d2313..7199d78b2aa1 100644
--- a/net/xfrm/xfrm_hash.h
+++ b/net/xfrm/xfrm_hash.h
@@ -4,29 +4,32 @@
 #include <linux/xfrm.h>
 #include <linux/socket.h>
-static inline unsigned int __xfrm4_addr_hash(xfrm_address_t *addr)
+static inline unsigned int __xfrm4_addr_hash(const xfrm_address_t *addr)
 {
        return ntohl(addr->a4);
 }
-static inline unsigned int __xfrm6_addr_hash(xfrm_address_t *addr)
+static inline unsigned int __xfrm6_addr_hash(const xfrm_address_t *addr)
 {
        return ntohl(addr->a6[2] ^ addr->a6[3]);
 }
-static inline unsigned int __xfrm4_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr)
+static inline unsigned int __xfrm4_daddr_saddr_hash(const xfrm_address_t *daddr,
+                                                    const xfrm_address_t *saddr)
 {
        u32 sum = (__force u32)daddr->a4 + (__force u32)saddr->a4;
        return ntohl((__force __be32)sum);
 }
-static inline unsigned int __xfrm6_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr)
+static inline unsigned int __xfrm6_daddr_saddr_hash(const xfrm_address_t *daddr,
+                                                    const xfrm_address_t *saddr)
 {
        return ntohl(daddr->a6[2] ^ daddr->a6[3] ^
                     saddr->a6[2] ^ saddr->a6[3]);
 }
-static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t *saddr,
+static inline unsigned int __xfrm_dst_hash(const xfrm_address_t *daddr,
+                                           const xfrm_address_t *saddr,
                                           u32 reqid, unsigned short family,
                                           unsigned int hmask)
 {
@@ -42,8 +45,8 @@ static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t
        return (h ^ (h >> 16)) & hmask;
 }
-static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
+static inline unsigned __xfrm_src_hash(const xfrm_address_t *daddr,
-                                       xfrm_address_t *saddr,
+                                       const xfrm_address_t *saddr,
                                       unsigned short family,
                                       unsigned int hmask)
 {
@@ -60,8 +63,8 @@ static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
 }
 static inline unsigned int
-__xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family,
+__xfrm_spi_hash(const xfrm_address_t *daddr, __be32 spi, u8 proto,
-                unsigned int hmask)
+                unsigned short family, unsigned int hmask)
 {
        unsigned int h = (__force u32)spi ^ proto;
        switch (family) {
@@ -80,10 +83,11 @@ static inline unsigned int __idx_hash(u32 index, unsigned int hmask)
        return (index ^ (index >> 8)) & hmask;
 }
-static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short family, unsigned int hmask)
+static inline unsigned int __sel_hash(const struct xfrm_selector *sel,
+                                      unsigned short family, unsigned int hmask)
 {
-        xfrm_address_t *daddr = &sel->daddr;
+        const xfrm_address_t *daddr = &sel->daddr;
-        xfrm_address_t *saddr = &sel->saddr;
+        const xfrm_address_t *saddr = &sel->saddr;
        unsigned int h = 0;
        switch (family) {
@@ -107,7 +111,9 @@ static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short
        return h & hmask;
 }
-static inline unsigned int __addr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, unsigned int hmask)
+static inline unsigned int __addr_hash(const xfrm_address_t *daddr,
+                                       const xfrm_address_t *saddr,
+                                       unsigned short family, unsigned int hmask)
 {
        unsigned int h = 0;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 45f1c98d4fce..a026b0ef2443 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -107,6 +107,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        struct net *net = dev_net(skb->dev);
        int err;
        __be32 seq;
+        __be32 seq_hi;
        struct xfrm_state *x;
        xfrm_address_t *daddr;
        struct xfrm_mode *inner_mode;
@@ -118,7 +119,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        if (encap_type < 0) {
                async = 1;
                x = xfrm_input_state(skb);
-                seq = XFRM_SKB_CB(skb)->seq.input;
+                seq = XFRM_SKB_CB(skb)->seq.input.low;
                goto resume;
        }
@@ -172,7 +173,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                        goto drop_unlock;
                }
-                if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) {
+                if (x->repl->check(x, skb, seq)) {
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
                        goto drop_unlock;
                }
@@ -184,7 +185,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                spin_unlock(&x->lock);
-                XFRM_SKB_CB(skb)->seq.input = seq;
+                seq_hi = htonl(xfrm_replay_seqhi(x, seq));
+                XFRM_SKB_CB(skb)->seq.input.low = seq;
+                XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
+                skb_dst_force(skb);
                nexthdr = x->type->input(x, skb);
@@ -206,8 +212,7 @@ resume:
                /* only the first xfrm gets the encap type */
                encap_type = 0;
-                if (x->props.replay_window)
+                x->repl->advance(x, seq);
-                        xfrm_replay_advance(x, seq);
                x->curlft.bytes += skb->len;
                x->curlft.packets++;
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 64f2ae1fdc15..47bacd8c0250 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -67,17 +67,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
                        goto error;
                }
-                if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                err = x->repl->overflow(x, skb);
-                        XFRM_SKB_CB(skb)->seq.output = ++x->replay.oseq;
+                if (err) {
-                        if (unlikely(x->replay.oseq == 0)) {
+                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
-                                XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
+                        goto error;
-                                x->replay.oseq--;
-                                xfrm_audit_state_replay_overflow(x, skb);
-                                err = -EOVERFLOW;
-                                goto error;
-                        }
-                        if (xfrm_aevent_is_on(net))
-                                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
                }
                x->curlft.bytes += skb->len;
@@ -85,6 +78,8 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
                spin_unlock_bh(&x->lock);
+                skb_dst_force(skb);
                err = x->type->output(x, skb);
                if (err == -EINPROGRESS)
                        goto out_exit;
@@ -101,7 +96,7 @@ resume:
                        err = -EHOSTUNREACH;
                        goto error_nolock;
                }
-                skb_dst_set(skb, dst_clone(dst));
+                skb_dst_set(skb, dst);
                x = dst->xfrm;
        } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cbab6e1a8c9c..5ce74a385525 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,34 +50,40 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
 static void xfrm_init_pmtu(struct dst_entry *dst);
 static int stale_bundle(struct dst_entry *dst);
+static int xfrm_bundle_ok(struct xfrm_dst *xdst);
 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
                                                int dir);
 static inline int
-__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
 {
-        return  addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
+        const struct flowi4 *fl4 = &fl->u.ip4;
-                addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
-                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+        return  addr_match(&fl4->daddr, &sel->daddr, sel->prefixlen_d) &&
-                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                addr_match(&fl4->saddr, &sel->saddr, sel->prefixlen_s) &&
-                (fl->proto == sel->proto || !sel->proto) &&
+                !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
-                (fl->oif == sel->ifindex || !sel->ifindex);
+                !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
+                (fl4->flowi4_proto == sel->proto || !sel->proto) &&
+                (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
 }
 static inline int
-__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
 {
-        return  addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
+        const struct flowi6 *fl6 = &fl->u.ip6;
-                addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
-                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+        return  addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
-                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
-                (fl->proto == sel->proto || !sel->proto) &&
+                !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
-                (fl->oif == sel->ifindex || !sel->ifindex);
+                !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
+                (fl6->flowi6_proto == sel->proto || !sel->proto) &&
+                (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
 }
-int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
+int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
-                    unsigned short family)
+                        unsigned short family)
 {
        switch (family) {
        case AF_INET:
@@ -89,8 +95,8 @@ int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 }
 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
-                                                  xfrm_address_t *saddr,
+                                                  const xfrm_address_t *saddr,
-                                                  xfrm_address_t *daddr,
+                                                  const xfrm_address_t *daddr,
                                                  int family)
 {
        struct xfrm_policy_afinfo *afinfo;
@@ -308,7 +314,9 @@ static inline unsigned int idx_hash(struct net *net, u32 index)
        return __idx_hash(index, net->xfrm.policy_idx_hmask);
 }
-static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir)
+static struct hlist_head *policy_hash_bysel(struct net *net,
+                                            const struct xfrm_selector *sel,
+                                            unsigned short family, int dir)
 {
        unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
        unsigned int hash = __sel_hash(sel, family, hmask);
@@ -318,7 +326,10 @@ static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selecto
                net->xfrm.policy_bydst[dir].table + hash);
 }
-static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
+static struct hlist_head *policy_hash_direct(struct net *net,
+                                             const xfrm_address_t *daddr,
+                                             const xfrm_address_t *saddr,
+                                             unsigned short family, int dir)
 {
        unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
        unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
@@ -861,32 +872,33 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
 *
 * Returns 0 if policy found, else an -errno.
 */
-static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
+static int xfrm_policy_match(const struct xfrm_policy *pol,
+                             const struct flowi *fl,
                             u8 type, u16 family, int dir)
 {
-        struct xfrm_selector *sel = &pol->selector;
+        const struct xfrm_selector *sel = &pol->selector;
        int match, ret = -ESRCH;
        if (pol->family != family ||
-            (fl->mark & pol->mark.m) != pol->mark.v ||
+            (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
            pol->type != type)
                return ret;
        match = xfrm_selector_match(sel, fl, family);
        if (match)
-                ret = security_xfrm_policy_lookup(pol->security, fl->secid,
+                ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
                                                  dir);
        return ret;
 }
 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
-                                                     struct flowi *fl,
+                                                     const struct flowi *fl,
                                                     u16 family, u8 dir)
 {
        int err;
        struct xfrm_policy *pol, *ret;
-        xfrm_address_t *daddr, *saddr;
+        const xfrm_address_t *daddr, *saddr;
        struct hlist_node *entry;
        struct hlist_head *chain;
        u32 priority = ~0U;
@@ -938,7 +950,7 @@ fail:
 }
 static struct xfrm_policy *
-__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
+__xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_policy *pol;
@@ -951,7 +963,7 @@ __xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
 }
 static struct flow_cache_object *
-xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family,
+xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
                   u8 dir, struct flow_cache_object *old_obj, void *ctx)
 {
        struct xfrm_policy *pol;
@@ -987,7 +999,8 @@ static inline int policy_to_flow_dir(int dir)
        }
 }
-static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
+static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
+                                                 const struct flowi *fl)
 {
        struct xfrm_policy *pol;
@@ -1003,7 +1016,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
                                goto out;
                        }
                        err = security_xfrm_policy_lookup(pol->security,
-                                                      fl->secid,
+                                                      fl->flowi_secid,
                                                      policy_to_flow_dir(dir));
                        if (!err)
                                xfrm_pol_hold(pol);
@@ -1095,7 +1108,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
        return 0;
 }
-static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
+static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
 {
        struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
@@ -1154,9 +1167,8 @@ xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
 /* Resolve list of templates for the flow, given policy. */
 static int
-xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
+xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
-                      struct xfrm_state **xfrm,
+                      struct xfrm_state **xfrm, unsigned short family)
-                      unsigned short family)
 {
        struct net *net = xp_net(policy);
        int nx;
@@ -1211,9 +1223,8 @@ fail:
 }
 static int
-xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
+xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
-                  struct xfrm_state **xfrm,
+                  struct xfrm_state **xfrm, unsigned short family)
-                  unsigned short family)
 {
        struct xfrm_state *tp[XFRM_MAX_DEPTH];
        struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
@@ -1253,7 +1264,7 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
 * still valid.
 */
-static inline int xfrm_get_tos(struct flowi *fl, int family)
+static inline int xfrm_get_tos(const struct flowi *fl, int family)
 {
        struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
        int tos;
@@ -1337,10 +1348,14 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
        default:
                BUG();
        }
-        xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS);
+        xdst = dst_alloc(dst_ops, NULL, 0, 0, 0);
+        memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry));
        xfrm_policy_put_afinfo(afinfo);
-        xdst->flo.ops = &xfrm_bundle_fc_ops;
+        if (likely(xdst))
+                xdst->flo.ops = &xfrm_bundle_fc_ops;
+        else
+                xdst = ERR_PTR(-ENOBUFS);
        return xdst;
 }
@@ -1363,7 +1378,7 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
 }
 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
-                                struct flowi *fl)
+                                const struct flowi *fl)
 {
        struct xfrm_policy_afinfo *afinfo =
                xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1386,12 +1401,13 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                                            struct xfrm_state **xfrm, int nx,
-                                            struct flowi *fl,
+                                            const struct flowi *fl,
                                            struct dst_entry *dst)
 {
        struct net *net = xp_net(policy);
        unsigned long now = jiffies;
        struct net_device *dev;
+        struct xfrm_mode *inner_mode;
        struct dst_entry *dst_prev = NULL;
        struct dst_entry *dst0 = NULL;
        int i = 0;
@@ -1422,6 +1438,17 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                        goto put_states;
                }
+                if (xfrm[i]->sel.family == AF_UNSPEC) {
+                        inner_mode = xfrm_ip2inner_mode(xfrm[i],
+                                                        xfrm_af2proto(family));
+                        if (!inner_mode) {
+                                err = -EAFNOSUPPORT;
+                                dst_release(dst);
+                                goto put_states;
+                        }
+                } else
+                        inner_mode = xfrm[i]->inner_mode;
                if (!dst_prev)
                        dst0 = dst1;
                else {
@@ -1430,7 +1457,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                }
                xdst->route = dst;
-                memcpy(&dst1->metrics, &dst->metrics, sizeof(dst->metrics));
+                dst_copy_metrics(dst1, dst);
                if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
                        family = xfrm[i]->props.family;
@@ -1450,7 +1477,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                dst1->lastuse = now;
                dst1->input = dst_discard;
-                dst1->output = xfrm[i]->outer_mode->afinfo->output;
+                dst1->output = inner_mode->afinfo->output;
                dst1->next = dst_prev;
                dst_prev = dst1;
@@ -1502,7 +1529,7 @@ free_dst:
 }
 static int inline
-xfrm_dst_alloc_copy(void **target, void *src, int size)
+xfrm_dst_alloc_copy(void **target, const void *src, int size)
 {
        if (!*target) {
                *target = kmalloc(size, GFP_ATOMIC);
@@ -1514,7 +1541,7 @@ xfrm_dst_alloc_copy(void **target, void *src, int size)
 }
 static int inline
-xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
+xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1526,7 +1553,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
 }
 static int inline
-xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
+xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1536,7 +1563,7 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
 #endif
 }
-static int xfrm_expand_policies(struct flowi *fl, u16 family,
+static int xfrm_expand_policies(const struct flowi *fl, u16 family,
                                struct xfrm_policy **pols,
                                int *num_pols, int *num_xfrms)
 {
@@ -1582,7 +1609,7 @@ static int xfrm_expand_policies(struct flowi *fl, u16 family,
 static struct xfrm_dst *
 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
-                               struct flowi *fl, u16 family,
+                               const struct flowi *fl, u16 family,
                               struct dst_entry *dst_orig)
 {
        struct net *net = xp_net(pols[0]);
@@ -1625,7 +1652,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
 }
 static struct flow_cache_object *
-xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir,
+xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
                   struct flow_cache_object *oldflo, void *ctx)
 {
        struct dst_entry *dst_orig = (struct dst_entry *)ctx;
@@ -1724,18 +1751,36 @@ error:
        return ERR_PTR(err);
 }
+static struct dst_entry *make_blackhole(struct net *net, u16 family,
+                                        struct dst_entry *dst_orig)
+{
+        struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
+        struct dst_entry *ret;
+        if (!afinfo) {
+                dst_release(dst_orig);
+                ret = ERR_PTR(-EINVAL);
+        } else {
+                ret = afinfo->blackhole_route(net, dst_orig);
+        }
+        xfrm_policy_put_afinfo(afinfo);
+        return ret;
+}
 /* Main function: finds/creates a bundle for given flow.
 *
 * At the moment we eat a raw IP route. Mostly to speed up lookups
 * on interfaces with disabled IPsec.
 */
-int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
+struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
-                  struct sock *sk, int flags)
+                              const struct flowi *fl,
+                              struct sock *sk, int flags)
 {
        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
        struct flow_cache_object *flo;
        struct xfrm_dst *xdst;
-        struct dst_entry *dst, *dst_orig = *dst_p, *route;
+        struct dst_entry *dst, *route;
        u16 family = dst_orig->ops->family;
        u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
        int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
@@ -1772,6 +1817,8 @@ restart:
                                goto no_transform;
                        }
+                        dst_hold(&xdst->u.dst);
                        spin_lock_bh(&xfrm_policy_sk_bundle_lock);
                        xdst->u.dst.next = xfrm_policy_sk_bundles;
                        xfrm_policy_sk_bundles = &xdst->u.dst;
@@ -1817,9 +1864,10 @@ restart:
                        dst_release(dst);
                        xfrm_pols_put(pols, drop_pols);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
-                        return -EREMOTE;
+                        return make_blackhole(net, family, dst_orig);
                }
-                if (flags & XFRM_LOOKUP_WAIT) {
+                if (fl->flowi_flags & FLOWI_FLAG_CAN_SLEEP) {
                        DECLARE_WAITQUEUE(wait, current);
                        add_wait_queue(&net->xfrm.km_waitq, &wait);
@@ -1861,47 +1909,33 @@ no_transform:
                goto error;
        } else if (num_xfrms > 0) {
                /* Flow transformed */
-                *dst_p = dst;
                dst_release(dst_orig);
        } else {
                /* Flow passes untransformed */
                dst_release(dst);
+                dst = dst_orig;
        }
 ok:
        xfrm_pols_put(pols, drop_pols);
-        return 0;
+        return dst;
 nopol:
-        if (!(flags & XFRM_LOOKUP_ICMP))
+        if (!(flags & XFRM_LOOKUP_ICMP)) {
+                dst = dst_orig;
                goto ok;
+        }
        err = -ENOENT;
 error:
        dst_release(dst);
 dropdst:
        dst_release(dst_orig);
-        *dst_p = NULL;
        xfrm_pols_put(pols, drop_pols);
-        return err;
+        return ERR_PTR(err);
-}
-EXPORT_SYMBOL(__xfrm_lookup);
-int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
-                struct sock *sk, int flags)
-{
-        int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
-        if (err == -EREMOTE) {
-                dst_release(*dst_p);
-                *dst_p = NULL;
-                err = -EAGAIN;
-        }
-        return err;
 }
 EXPORT_SYMBOL(xfrm_lookup);
 static inline int
-xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
+xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
 {
        struct xfrm_state *x;
@@ -1920,7 +1954,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
 */
 static inline int
-xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
+xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
              unsigned short family)
 {
        if (xfrm_state_kern(x))
@@ -1943,7 +1977,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
 * Otherwise "-2 - errored_index" is returned.
 */
 static inline int
-xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
+xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
               unsigned short family)
 {
        int idx = start;
@@ -1975,13 +2009,13 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
                return -EAFNOSUPPORT;
        afinfo->decode_session(skb, fl, reverse);
-        err = security_xfrm_decode_session(skb, &fl->secid);
+        err = security_xfrm_decode_session(skb, &fl->flowi_secid);
        xfrm_policy_put_afinfo(afinfo);
        return err;
 }
 EXPORT_SYMBOL(__xfrm_decode_session);
-static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
+static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
 {
        for (; k < sp->len; k++) {
                if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
@@ -2156,7 +2190,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
        struct net *net = dev_net(skb->dev);
        struct flowi fl;
        struct dst_entry *dst;
-        int res;
+        int res = 1;
        if (xfrm_decode_session(skb, &fl, family) < 0) {
                XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
@@ -2164,9 +2198,12 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
        }
        skb_dst_force(skb);
-        dst = skb_dst(skb);
-        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
+        dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0);
+        if (IS_ERR(dst)) {
+                res = 0;
+                dst = NULL;
+        }
        skb_dst_set(skb, dst);
        return res;
 }
@@ -2204,7 +2241,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 static int stale_bundle(struct dst_entry *dst)
 {
-        return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
+        return !xfrm_bundle_ok((struct xfrm_dst *)dst);
 }
 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2268,7 +2305,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
                if (pmtu > route_mtu_cached)
                        pmtu = route_mtu_cached;
-                dst->metrics[RTAX_MTU-1] = pmtu;
+                dst_metric_set(dst, RTAX_MTU, pmtu);
        } while ((dst = dst->next));
 }
@@ -2276,8 +2313,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
 * still valid.
 */
-int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
+static int xfrm_bundle_ok(struct xfrm_dst *first)
-                struct flowi *fl, int family, int strict)
 {
        struct dst_entry *dst = &first->u.dst;
        struct xfrm_dst *last;
@@ -2286,26 +2322,12 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
        if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
            (dst->dev && !netif_running(dst->dev)))
                return 0;
-#ifdef CONFIG_XFRM_SUB_POLICY
-        if (fl) {
-                if (first->origin && !flow_cache_uli_match(first->origin, fl))
-                        return 0;
-                if (first->partner &&
-                    !xfrm_selector_match(first->partner, fl, family))
-                        return 0;
-        }
-#endif
        last = NULL;
        do {
                struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
-                if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
-                        return 0;
-                if (fl && pol &&
-                    !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
-                        return 0;
                if (dst->xfrm->km.state != XFRM_STATE_VALID)
                        return 0;
                if (xdst->xfrm_genid != dst->xfrm->genid)
@@ -2314,11 +2336,6 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                    xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
                        return 0;
-                if (strict && fl &&
-                    !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
-                    !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
-                        return 0;
                mtu = dst_mtu(dst->child);
                if (xdst->child_mtu_cached != mtu) {
                        last = xdst;
@@ -2346,7 +2363,7 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                mtu = xfrm_state_mtu(dst->xfrm, mtu);
                if (mtu > last->route_mtu_cached)
                        mtu = last->route_mtu_cached;
-                dst->metrics[RTAX_MTU-1] = mtu;
+                dst_metric_set(dst, RTAX_MTU, mtu);
                if (last == first)
                        break;
@@ -2358,7 +2375,15 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
        return 1;
 }
-EXPORT_SYMBOL(xfrm_bundle_ok);
+static unsigned int xfrm_default_advmss(const struct dst_entry *dst)
+{
+        return dst_metric_advmss(dst->path);
+}
+static unsigned int xfrm_default_mtu(const struct dst_entry *dst)
+{
+        return dst_mtu(dst->path);
+}
 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
 {
@@ -2377,6 +2402,10 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
                        dst_ops->kmem_cachep = xfrm_dst_cache;
                if (likely(dst_ops->check == NULL))
                        dst_ops->check = xfrm_dst_check;
+                if (likely(dst_ops->default_advmss == NULL))
+                        dst_ops->default_advmss = xfrm_default_advmss;
+                if (likely(dst_ops->default_mtu == NULL))
+                        dst_ops->default_mtu = xfrm_default_mtu;
                if (likely(dst_ops->negative_advice == NULL))
                        dst_ops->negative_advice = xfrm_negative_advice;
                if (likely(dst_ops->link_failure == NULL))
@@ -2717,8 +2746,8 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
 #endif
 #ifdef CONFIG_XFRM_MIGRATE
-static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
+static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
-                                       struct xfrm_selector *sel_tgt)
+                                       const struct xfrm_selector *sel_tgt)
 {
        if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
                if (sel_tgt->family == sel_cmp->family &&
@@ -2738,7 +2767,7 @@ static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
        return 0;
 }
-static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
+static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
                                                     u8 dir, u8 type)
 {
        struct xfrm_policy *pol, *ret = NULL;
@@ -2774,7 +2803,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
        return ret;
 }
-static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
+static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
 {
        int match = 0;
@@ -2844,7 +2873,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
        return 0;
 }
-static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
+static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
 {
        int i, j;
@@ -2878,7 +2907,7 @@ static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
        return 0;
 }
-int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
                 struct xfrm_migrate *m, int num_migrate,
                 struct xfrm_kmaddress *k)
 {
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
new file mode 100644
index 000000000000..b11ea692bd7d
--- /dev/null
+++ b/net/xfrm/xfrm_replay.c
@@ -0,0 +1,550 @@
+/*
+ * xfrm_replay.c - xfrm replay detection, derived from xfrm_state.c.
+ *
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include <net/xfrm.h>
+u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq)
+{
+        u32 seq, seq_hi, bottom;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (!(x->props.flags & XFRM_STATE_ESN))
+                return 0;
+        seq = ntohl(net_seq);
+        seq_hi = replay_esn->seq_hi;
+        bottom = replay_esn->seq - replay_esn->replay_window + 1;
+        if (likely(replay_esn->seq >= replay_esn->replay_window - 1)) {
+                /* A. same subspace */
+                if (unlikely(seq < bottom))
+                        seq_hi++;
+        } else {
+                /* B. window spans two subspaces */
+                if (unlikely(seq >= bottom))
+                        seq_hi--;
+        }
+        return seq_hi;
+}
+static void xfrm_replay_notify(struct xfrm_state *x, int event)
+{
+        struct km_event c;
+        /* we send notify messages in case
+         *  1. we updated on of the sequence numbers, and the seqno difference
+         *     is at least x->replay_maxdiff, in this case we also update the
+         *     timeout of our timer function
+         *  2. if x->replay_maxage has elapsed since last update,
+         *     and there were changes
+         *
+         *  The state structure must be locked!
+         */
+        switch (event) {
+        case XFRM_REPLAY_UPDATE:
+                if (x->replay_maxdiff &&
+                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
+                        if (x->xflags & XFRM_TIME_DEFER)
+                                event = XFRM_REPLAY_TIMEOUT;
+                        else
+                                return;
+                }
+                break;
+        case XFRM_REPLAY_TIMEOUT:
+                if (memcmp(&x->replay, &x->preplay,
+                           sizeof(struct xfrm_replay_state)) == 0) {
+                        x->xflags |= XFRM_TIME_DEFER;
+                        return;
+                }
+                break;
+        }
+        memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
+        c.event = XFRM_MSG_NEWAE;
+        c.data.aevent = event;
+        km_state_notify(x, &c);
+        if (x->replay_maxage &&
+            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+                x->xflags &= ~XFRM_TIME_DEFER;
+}
+static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
+                if (unlikely(x->replay.oseq == 0)) {
+                        x->replay.oseq--;
+                        xfrm_audit_state_replay_overflow(x, skb);
+                        err = -EOVERFLOW;
+                        return err;
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check(struct xfrm_state *x,
+                      struct sk_buff *skb, __be32 net_seq)
+{
+        u32 diff;
+        u32 seq = ntohl(net_seq);
+        if (!x->props.replay_window)
+                return 0;
+        if (unlikely(seq == 0))
+                goto err;
+        if (likely(seq > x->replay.seq))
+                return 0;
+        diff = x->replay.seq - seq;
+        if (diff >= min_t(unsigned int, x->props.replay_window,
+                          sizeof(x->replay.bitmap) * 8)) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (x->replay.bitmap & (1U << diff)) {
+                x->stats.replay++;
+                goto err;
+        }
+        return 0;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
+{
+        u32 diff;
+        u32 seq = ntohl(net_seq);
+        if (!x->props.replay_window)
+                return;
+        if (seq > x->replay.seq) {
+                diff = seq - x->replay.seq;
+                if (diff < x->props.replay_window)
+                        x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
+                else
+                        x->replay.bitmap = 1;
+                x->replay.seq = seq;
+        } else {
+                diff = x->replay.seq - seq;
+                x->replay.bitmap |= (1U << diff);
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+                if (unlikely(replay_esn->oseq == 0)) {
+                        replay_esn->oseq--;
+                        xfrm_audit_state_replay_overflow(x, skb);
+                        err = -EOVERFLOW;
+                        return err;
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check_bmp(struct xfrm_state *x,
+                                 struct sk_buff *skb, __be32 net_seq)
+{
+        unsigned int bitnr, nr;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 pos;
+        u32 seq = ntohl(net_seq);
+        u32 diff =  replay_esn->seq - seq;
+        if (!replay_esn->replay_window)
+                return 0;
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (unlikely(seq == 0))
+                goto err;
+        if (likely(seq > replay_esn->seq))
+                return 0;
+        if (diff >= replay_esn->replay_window) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (pos >= diff) {
+                bitnr = (pos - diff) % replay_esn->replay_window;
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        } else {
+                bitnr = replay_esn->replay_window - (diff - pos);
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        }
+        return 0;
+err_replay:
+        x->stats.replay++;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
+{
+        unsigned int bitnr, nr, i;
+        u32 diff;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 seq = ntohl(net_seq);
+        u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (!replay_esn->replay_window)
+                return;
+        if (seq > replay_esn->seq) {
+                diff = seq - replay_esn->seq;
+                if (diff < replay_esn->replay_window) {
+                        for (i = 1; i < diff; i++) {
+                                bitnr = (pos + i) % replay_esn->replay_window;
+                                nr = bitnr >> 5;
+                                bitnr = bitnr & 0x1F;
+                                replay_esn->bmp[nr] &=  ~(1U << bitnr);
+                        }
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        nr = (replay_esn->replay_window - 1) >> 5;
+                        for (i = 0; i <= nr; i++)
+                                replay_esn->bmp[i] = 0;
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+                replay_esn->seq = seq;
+        } else {
+                diff = replay_esn->seq - seq;
+                if (pos >= diff) {
+                        bitnr = (pos - diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        bitnr = replay_esn->replay_window - (diff - pos);
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
+{
+        struct km_event c;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct xfrm_replay_state_esn *preplay_esn = x->preplay_esn;
+        /* we send notify messages in case
+         *  1. we updated on of the sequence numbers, and the seqno difference
+         *     is at least x->replay_maxdiff, in this case we also update the
+         *     timeout of our timer function
+         *  2. if x->replay_maxage has elapsed since last update,
+         *     and there were changes
+         *
+         *  The state structure must be locked!
+         */
+        switch (event) {
+        case XFRM_REPLAY_UPDATE:
+                if (x->replay_maxdiff &&
+                    (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+                    (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
+                        if (x->xflags & XFRM_TIME_DEFER)
+                                event = XFRM_REPLAY_TIMEOUT;
+                        else
+                                return;
+                }
+                break;
+        case XFRM_REPLAY_TIMEOUT:
+                if (memcmp(x->replay_esn, x->preplay_esn,
+                           xfrm_replay_state_esn_len(replay_esn)) == 0) {
+                        x->xflags |= XFRM_TIME_DEFER;
+                        return;
+                }
+                break;
+        }
+        memcpy(x->preplay_esn, x->replay_esn,
+               xfrm_replay_state_esn_len(replay_esn));
+        c.event = XFRM_MSG_NEWAE;
+        c.data.aevent = event;
+        km_state_notify(x, &c);
+        if (x->replay_maxage &&
+            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+                x->xflags &= ~XFRM_TIME_DEFER;
+}
+static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+                XFRM_SKB_CB(skb)->seq.output.hi = replay_esn->oseq_hi;
+                if (unlikely(replay_esn->oseq == 0)) {
+                        XFRM_SKB_CB(skb)->seq.output.hi = ++replay_esn->oseq_hi;
+                        if (replay_esn->oseq_hi == 0) {
+                                replay_esn->oseq--;
+                                replay_esn->oseq_hi--;
+                                xfrm_audit_state_replay_overflow(x, skb);
+                                err = -EOVERFLOW;
+                                return err;
+                        }
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check_esn(struct xfrm_state *x,
+                                 struct sk_buff *skb, __be32 net_seq)
+{
+        unsigned int bitnr, nr;
+        u32 diff;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 pos;
+        u32 seq = ntohl(net_seq);
+        u32 wsize = replay_esn->replay_window;
+        u32 top = replay_esn->seq;
+        u32 bottom = top - wsize + 1;
+        if (!wsize)
+                return 0;
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (unlikely(seq == 0 && replay_esn->seq_hi == 0 &&
+                     (replay_esn->seq < replay_esn->replay_window - 1)))
+                goto err;
+        diff = top - seq;
+        if (likely(top >= wsize - 1)) {
+                /* A. same subspace */
+                if (likely(seq > top) || seq < bottom)
+                        return 0;
+        } else {
+                /* B. window spans two subspaces */
+                if (likely(seq > top && seq < bottom))
+                        return 0;
+                if (seq >= bottom)
+                        diff = ~seq + top + 1;
+        }
+        if (diff >= replay_esn->replay_window) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (pos >= diff) {
+                bitnr = (pos - diff) % replay_esn->replay_window;
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        } else {
+                bitnr = replay_esn->replay_window - (diff - pos);
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        }
+        return 0;
+err_replay:
+        x->stats.replay++;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
+{
+        unsigned int bitnr, nr, i;
+        int wrap;
+        u32 diff, pos, seq, seq_hi;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (!replay_esn->replay_window)
+                return;
+        seq = ntohl(net_seq);
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        seq_hi = xfrm_replay_seqhi(x, net_seq);
+        wrap = seq_hi - replay_esn->seq_hi;
+        if ((!wrap && seq > replay_esn->seq) || wrap > 0) {
+                if (likely(!wrap))
+                        diff = seq - replay_esn->seq;
+                else
+                        diff = ~replay_esn->seq + seq + 1;
+                if (diff < replay_esn->replay_window) {
+                        for (i = 1; i < diff; i++) {
+                                bitnr = (pos + i) % replay_esn->replay_window;
+                                nr = bitnr >> 5;
+                                bitnr = bitnr & 0x1F;
+                                replay_esn->bmp[nr] &=  ~(1U << bitnr);
+                        }
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        nr = (replay_esn->replay_window - 1) >> 5;
+                        for (i = 0; i <= nr; i++)
+                                replay_esn->bmp[i] = 0;
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+                replay_esn->seq = seq;
+                if (unlikely(wrap > 0))
+                        replay_esn->seq_hi++;
+        } else {
+                diff = replay_esn->seq - seq;
+                if (pos >= diff) {
+                        bitnr = (pos - diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        bitnr = replay_esn->replay_window - (diff - pos);
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static struct xfrm_replay xfrm_replay_legacy = {
+        .advance        = xfrm_replay_advance,
+        .check          = xfrm_replay_check,
+        .notify         = xfrm_replay_notify,
+        .overflow       = xfrm_replay_overflow,
+};
+static struct xfrm_replay xfrm_replay_bmp = {
+        .advance        = xfrm_replay_advance_bmp,
+        .check          = xfrm_replay_check_bmp,
+        .notify         = xfrm_replay_notify_bmp,
+        .overflow       = xfrm_replay_overflow_bmp,
+};
+static struct xfrm_replay xfrm_replay_esn = {
+        .advance        = xfrm_replay_advance_esn,
+        .check          = xfrm_replay_check_esn,
+        .notify         = xfrm_replay_notify_bmp,
+        .overflow       = xfrm_replay_overflow_esn,
+};
+int xfrm_init_replay(struct xfrm_state *x)
+{
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (replay_esn) {
+                if (replay_esn->replay_window >
+                    replay_esn->bmp_len * sizeof(__u32) * 8)
+                        return -EINVAL;
+        if ((x->props.flags & XFRM_STATE_ESN) && replay_esn->replay_window == 0)
+                return -EINVAL;
+        if ((x->props.flags & XFRM_STATE_ESN) && x->replay_esn)
+                x->repl = &xfrm_replay_esn;
+        else
+                x->repl = &xfrm_replay_bmp;
+        } else
+                x->repl = &xfrm_replay_legacy;
+        return 0;
+}
+EXPORT_SYMBOL(xfrm_init_replay);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index eb96ce52f178..9414b9c5b1e4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -42,16 +42,9 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
-#ifdef CONFIG_AUDITSYSCALL
-static void xfrm_audit_state_replay(struct xfrm_state *x,
-                                    struct sk_buff *skb, __be32 net_seq);
-#else
-#define xfrm_audit_state_replay(x, s, sq)       do { ; } while (0)
-#endif /* CONFIG_AUDITSYSCALL */
 static inline unsigned int xfrm_dst_hash(struct net *net,
-                                         xfrm_address_t *daddr,
+                                         const xfrm_address_t *daddr,
-                                         xfrm_address_t *saddr,
+                                         const xfrm_address_t *saddr,
                                         u32 reqid,
                                         unsigned short family)
 {
@@ -59,15 +52,16 @@ static inline unsigned int xfrm_dst_hash(struct net *net,
 }
 static inline unsigned int xfrm_src_hash(struct net *net,
-                                         xfrm_address_t *daddr,
+                                         const xfrm_address_t *daddr,
-                                         xfrm_address_t *saddr,
+                                         const xfrm_address_t *saddr,
                                         unsigned short family)
 {
        return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
 }
 static inline unsigned int
-xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
+xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr,
+              __be32 spi, u8 proto, unsigned short family)
 {
        return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
 }
@@ -362,6 +356,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
        kfree(x->calg);
        kfree(x->encap);
        kfree(x->coaddr);
+        kfree(x->replay_esn);
+        kfree(x->preplay_esn);
        if (x->inner_mode)
                xfrm_put_mode(x->inner_mode);
        if (x->inner_mode_iaf)
@@ -656,9 +652,9 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
 EXPORT_SYMBOL(xfrm_sad_getinfo);
 static int
-xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl,
+xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
-                    struct xfrm_tmpl *tmpl,
+                    const struct xfrm_tmpl *tmpl,
-                    xfrm_address_t *daddr, xfrm_address_t *saddr,
+                    const xfrm_address_t *daddr, const xfrm_address_t *saddr,
                    unsigned short family)
 {
        struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
@@ -677,7 +673,10 @@ xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl,
        return 0;
 }
-static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
+static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
+                                              const xfrm_address_t *daddr,
+                                              __be32 spi, u8 proto,
+                                              unsigned short family)
 {
        unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
        struct xfrm_state *x;
@@ -699,7 +698,10 @@ static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_ad
        return NULL;
 }
-static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
+static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark,
+                                                     const xfrm_address_t *daddr,
+                                                     const xfrm_address_t *saddr,
+                                                     u8 proto, unsigned short family)
 {
        unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
        struct xfrm_state *x;
@@ -746,8 +748,7 @@ static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
 }
 static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
-                               struct flowi *fl, unsigned short family,
+                               const struct flowi *fl, unsigned short family,
-                               xfrm_address_t *daddr, xfrm_address_t *saddr,
                               struct xfrm_state **best, int *acq_in_progress,
                               int *error)
 {
@@ -784,8 +785,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
 }
 struct xfrm_state *
-xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
+xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
-                struct flowi *fl, struct xfrm_tmpl *tmpl,
+                const struct flowi *fl, struct xfrm_tmpl *tmpl,
                struct xfrm_policy *pol, int *err,
                unsigned short family)
 {
@@ -813,7 +814,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
                    tmpl->mode == x->props.mode &&
                    tmpl->id.proto == x->id.proto &&
                    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-                        xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr,
+                        xfrm_state_look_at(pol, x, fl, encap_family,
                                           &best, &acquire_in_progress, &error);
        }
        if (best)
@@ -829,7 +830,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
                    tmpl->mode == x->props.mode &&
                    tmpl->id.proto == x->id.proto &&
                    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-                        xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr,
+                        xfrm_state_look_at(pol, x, fl, encap_family,
                                           &best, &acquire_in_progress, &error);
        }
@@ -853,7 +854,7 @@ found:
                xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family);
                memcpy(&x->mark, &pol->mark, sizeof(x->mark));
-                error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
+                error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
                if (error) {
                        x->km.state = XFRM_STATE_DEAD;
                        to_put = x;
@@ -991,7 +992,11 @@ void xfrm_state_insert(struct xfrm_state *x)
 EXPORT_SYMBOL(xfrm_state_insert);
 /* xfrm_state_lock is held */
-static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m, unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
+static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
+                                          unsigned short family, u8 mode,
+                                          u32 reqid, u8 proto,
+                                          const xfrm_address_t *daddr,
+                                          const xfrm_address_t *saddr, int create)
 {
        unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
        struct hlist_node *entry;
@@ -1031,15 +1036,15 @@ static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
                case AF_INET6:
                        ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        x->sel.prefixlen_d = 128;
                        x->sel.prefixlen_s = 128;
                        ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        break;
                }
@@ -1176,6 +1181,12 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
                        goto error;
        }
+        if (orig->replay_esn) {
+                err = xfrm_replay_clone(x, orig);
+                if (err)
+                        goto error;
+        }
        memcpy(&x->mark, &orig->mark, sizeof(x->mark));
        err = xfrm_init_state(x);
@@ -1268,7 +1279,7 @@ struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
        return xc;
 error:
-        kfree(xc);
+        xfrm_state_put(xc);
        return NULL;
 }
 EXPORT_SYMBOL(xfrm_state_migrate);
@@ -1334,6 +1345,8 @@ out:
                        xfrm_state_check_expire(x1);
                err = 0;
+                x->km.state = XFRM_STATE_DEAD;
+                __xfrm_state_put(x);
        }
        spin_unlock_bh(&x1->lock);
@@ -1369,7 +1382,7 @@ int xfrm_state_check_expire(struct xfrm_state *x)
 EXPORT_SYMBOL(xfrm_state_check_expire);
 struct xfrm_state *
-xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi,
+xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi,
                  u8 proto, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1383,7 +1396,7 @@ EXPORT_SYMBOL(xfrm_state_lookup);
 struct xfrm_state *
 xfrm_state_lookup_byaddr(struct net *net, u32 mark,
-                         xfrm_address_t *daddr, xfrm_address_t *saddr,
+                         const xfrm_address_t *daddr, const xfrm_address_t *saddr,
                         u8 proto, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1397,7 +1410,7 @@ EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
 struct xfrm_state *
 xfrm_find_acq(struct net *net, struct xfrm_mark *mark, u8 mode, u32 reqid, u8 proto,
-              xfrm_address_t *daddr, xfrm_address_t *saddr,
+              const xfrm_address_t *daddr, const xfrm_address_t *saddr,
              int create, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1609,54 +1622,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
 }
 EXPORT_SYMBOL(xfrm_state_walk_done);
-void xfrm_replay_notify(struct xfrm_state *x, int event)
-{
-        struct km_event c;
-        /* we send notify messages in case
-         *  1. we updated on of the sequence numbers, and the seqno difference
-         *     is at least x->replay_maxdiff, in this case we also update the
-         *     timeout of our timer function
-         *  2. if x->replay_maxage has elapsed since last update,
-         *     and there were changes
-         *
-         *  The state structure must be locked!
-         */
-        switch (event) {
-        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
-                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
-                        if (x->xflags & XFRM_TIME_DEFER)
-                                event = XFRM_REPLAY_TIMEOUT;
-                        else
-                                return;
-                }
-                break;
-        case XFRM_REPLAY_TIMEOUT:
-                if ((x->replay.seq == x->preplay.seq) &&
-                    (x->replay.bitmap == x->preplay.bitmap) &&
-                    (x->replay.oseq == x->preplay.oseq)) {
-                        x->xflags |= XFRM_TIME_DEFER;
-                        return;
-                }
-                break;
-        }
-        memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
-        c.event = XFRM_MSG_NEWAE;
-        c.data.aevent = event;
-        km_state_notify(x, &c);
-        if (x->replay_maxage &&
-            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
-                x->xflags &= ~XFRM_TIME_DEFER;
-}
 static void xfrm_replay_timer_handler(unsigned long data)
 {
        struct xfrm_state *x = (struct xfrm_state*)data;
@@ -1665,7 +1630,7 @@ static void xfrm_replay_timer_handler(unsigned long data)
        if (x->km.state == XFRM_STATE_VALID) {
                if (xfrm_aevent_is_on(xs_net(x)))
-                        xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
+                        x->repl->notify(x, XFRM_REPLAY_TIMEOUT);
                else
                        x->xflags |= XFRM_TIME_DEFER;
        }
@@ -1673,61 +1638,10 @@ static void xfrm_replay_timer_handler(unsigned long data)
        spin_unlock(&x->lock);
 }
-int xfrm_replay_check(struct xfrm_state *x,
-                      struct sk_buff *skb, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (unlikely(seq == 0))
-                goto err;
-        if (likely(seq > x->replay.seq))
-                return 0;
-        diff = x->replay.seq - seq;
-        if (diff >= min_t(unsigned int, x->props.replay_window,
-                          sizeof(x->replay.bitmap) * 8)) {
-                x->stats.replay_window++;
-                goto err;
-        }
-        if (x->replay.bitmap & (1U << diff)) {
-                x->stats.replay++;
-                goto err;
-        }
-        return 0;
-err:
-        xfrm_audit_state_replay(x, skb, net_seq);
-        return -EINVAL;
-}
-void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (seq > x->replay.seq) {
-                diff = seq - x->replay.seq;
-                if (diff < x->props.replay_window)
-                        x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
-                else
-                        x->replay.bitmap = 1;
-                x->replay.seq = seq;
-        } else {
-                diff = x->replay.seq - seq;
-                x->replay.bitmap |= (1U << diff);
-        }
-        if (xfrm_aevent_is_on(xs_net(x)))
-                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
-}
 static LIST_HEAD(xfrm_km_list);
 static DEFINE_RWLOCK(xfrm_km_lock);
-void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct xfrm_mgr *km;
@@ -1738,7 +1652,7 @@ void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
        read_unlock(&xfrm_km_lock);
 }
-void km_state_notify(struct xfrm_state *x, struct km_event *c)
+void km_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_mgr *km;
        read_lock(&xfrm_km_lock);
@@ -1819,9 +1733,9 @@ void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
 EXPORT_SYMBOL(km_policy_expired);
 #ifdef CONFIG_XFRM_MIGRATE
-int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-               struct xfrm_migrate *m, int num_migrate,
+               const struct xfrm_migrate *m, int num_migrate,
-               struct xfrm_kmaddress *k)
+               const struct xfrm_kmaddress *k)
 {
        int err = -EINVAL;
        int ret;
@@ -2001,7 +1915,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
        return res;
 }
-int xfrm_init_state(struct xfrm_state *x)
+int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
 {
        struct xfrm_state_afinfo *afinfo;
        struct xfrm_mode *inner_mode;
@@ -2074,12 +1988,25 @@ int xfrm_init_state(struct xfrm_state *x)
        if (x->outer_mode == NULL)
                goto error;
+        if (init_replay) {
+                err = xfrm_init_replay(x);
+                if (err)
+                        goto error;
+        }
        x->km.state = XFRM_STATE_VALID;
 error:
        return err;
 }
+EXPORT_SYMBOL(__xfrm_init_state);
+int xfrm_init_state(struct xfrm_state *x)
+{
+        return __xfrm_init_state(x, true);
+}
 EXPORT_SYMBOL(xfrm_init_state);
 int __net_init xfrm_state_init(struct net *net)
@@ -2167,8 +2094,8 @@ static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
                                      struct audit_buffer *audit_buf)
 {
-        struct iphdr *iph4;
+        const struct iphdr *iph4;
-        struct ipv6hdr *iph6;
+        const struct ipv6hdr *iph6;
        switch (family) {
        case AF_INET:
@@ -2236,7 +2163,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 }
 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
-static void xfrm_audit_state_replay(struct xfrm_state *x,
+void xfrm_audit_state_replay(struct xfrm_state *x,
                             struct sk_buff *skb, __be32 net_seq)
 {
        struct audit_buffer *audit_buf;
@@ -2251,6 +2178,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x,
                         spi, spi, ntohl(net_seq));
        audit_log_end(audit_buf);
 }
+EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
 {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 8bae6b22c846..c658cb3bc7c3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -26,6 +26,7 @@
 #include <net/sock.h>
 #include <net/xfrm.h>
 #include <net/netlink.h>
+#include <net/ah.h>
 #include <asm/uaccess.h>
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #include <linux/in6.h>
@@ -118,6 +119,25 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
        return 0;
 }
+static inline int verify_replay(struct xfrm_usersa_info *p,
+                                struct nlattr **attrs)
+{
+        struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
+        if ((p->flags & XFRM_STATE_ESN) && !rt)
+                return -EINVAL;
+        if (!rt)
+                return 0;
+        if (p->id.proto != IPPROTO_ESP)
+                return -EINVAL;
+        if (p->replay_window != 0)
+                return -EINVAL;
+        return 0;
+}
 static int verify_newsa_info(struct xfrm_usersa_info *p,
                             struct nlattr **attrs)
@@ -148,7 +168,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                     !attrs[XFRMA_ALG_AUTH_TRUNC]) ||
                    attrs[XFRMA_ALG_AEAD]       ||
                    attrs[XFRMA_ALG_CRYPT]      ||
-                    attrs[XFRMA_ALG_COMP])
+                    attrs[XFRMA_ALG_COMP]       ||
+                    attrs[XFRMA_TFCPAD])
                        goto out;
                break;
@@ -165,6 +186,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                     attrs[XFRMA_ALG_CRYPT]) &&
                    attrs[XFRMA_ALG_AEAD])
                        goto out;
+                if (attrs[XFRMA_TFCPAD] &&
+                    p->mode != XFRM_MODE_TUNNEL)
+                        goto out;
                break;
        case IPPROTO_COMP:
@@ -172,7 +196,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                    attrs[XFRMA_ALG_AEAD]       ||
                    attrs[XFRMA_ALG_AUTH]       ||
                    attrs[XFRMA_ALG_AUTH_TRUNC] ||
-                    attrs[XFRMA_ALG_CRYPT])
+                    attrs[XFRMA_ALG_CRYPT]      ||
+                    attrs[XFRMA_TFCPAD])
                        goto out;
                break;
@@ -186,6 +211,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                    attrs[XFRMA_ALG_CRYPT]      ||
                    attrs[XFRMA_ENCAP]          ||
                    attrs[XFRMA_SEC_CTX]        ||
+                    attrs[XFRMA_TFCPAD]         ||
                    !attrs[XFRMA_COADDR])
                        goto out;
                break;
@@ -207,6 +233,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                goto out;
        if ((err = verify_sec_ctx_len(attrs)))
                goto out;
+        if ((err = verify_replay(p, attrs)))
+                goto out;
        err = -EINVAL;
        switch (p->mode) {
@@ -227,7 +255,7 @@ out:
 }
 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
-                           struct xfrm_algo_desc *(*get_byname)(char *, int),
+                           struct xfrm_algo_desc *(*get_byname)(const char *, int),
                           struct nlattr *rta)
 {
        struct xfrm_algo *p, *ualg;
@@ -296,7 +324,8 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props,
        algo = xfrm_aalg_get_byname(ualg->alg_name, 1);
        if (!algo)
                return -ENOSYS;
-        if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits)
+        if ((ualg->alg_trunc_len / 8) > MAX_AH_AUTH_LEN ||
+            ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits)
                return -EINVAL;
        *props = algo->desc.sadb_alg_id;
@@ -337,6 +366,50 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
        return 0;
 }
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+                                         struct nlattr *rp)
+{
+        struct xfrm_replay_state_esn *up;
+        if (!replay_esn || !rp)
+                return 0;
+        up = nla_data(rp);
+        if (xfrm_replay_state_esn_len(replay_esn) !=
+                        xfrm_replay_state_esn_len(up))
+                return -EINVAL;
+        return 0;
+}
+static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
+                                       struct xfrm_replay_state_esn **preplay_esn,
+                                       struct nlattr *rta)
+{
+        struct xfrm_replay_state_esn *p, *pp, *up;
+        if (!rta)
+                return 0;
+        up = nla_data(rta);
+        p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
+        if (!p)
+                return -ENOMEM;
+        pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
+        if (!pp) {
+                kfree(p);
+                return -ENOMEM;
+        }
+        *replay_esn = p;
+        *preplay_esn = pp;
+        return 0;
+}
 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
 {
        int len = 0;
@@ -372,10 +445,20 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs)
 {
        struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+        struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
        struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
        struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
        struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+        if (re) {
+                struct xfrm_replay_state_esn *replay_esn;
+                replay_esn = nla_data(re);
+                memcpy(x->replay_esn, replay_esn,
+                       xfrm_replay_state_esn_len(replay_esn));
+                memcpy(x->preplay_esn, replay_esn,
+                       xfrm_replay_state_esn_len(replay_esn));
+        }
        if (rp) {
                struct xfrm_replay_state *replay;
                replay = nla_data(rp);
@@ -439,6 +522,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
                        goto error;
        }
+        if (attrs[XFRMA_TFCPAD])
+                x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
        if (attrs[XFRMA_COADDR]) {
                x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
                                    sizeof(*x->coaddr), GFP_KERNEL);
@@ -448,7 +534,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
        xfrm_mark_get(attrs, &x->mark);
-        err = xfrm_init_state(x);
+        err = __xfrm_init_state(x, false);
        if (err)
                goto error;
@@ -456,16 +542,19 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
            security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
                goto error;
+        if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
+                                               attrs[XFRMA_REPLAY_ESN_VAL])))
+                goto error;
        x->km.seq = p->seq;
        x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth;
        /* sysctl_xfrm_aevent_etime is in 100ms units */
        x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M;
-        x->preplay.bitmap = 0;
-        x->preplay.seq = x->replay.seq+x->replay_maxdiff;
-        x->preplay.oseq = x->replay.oseq +x->replay_maxdiff;
-        /* override default values from above */
+        if ((err = xfrm_init_replay(x)))
+                goto error;
+        /* override default values from above */
        xfrm_update_ae_params(x, attrs);
        return x;
@@ -486,9 +575,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_state *x;
        int err;
        struct km_event c;
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        err = verify_newsa_info(p, attrs);
        if (err)
@@ -504,6 +593,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        else
                err = xfrm_state_update(x);
+        security_task_getsecid(current, &sid);
        xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
        if (err < 0) {
@@ -564,9 +654,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        int err = -ESRCH;
        struct km_event c;
        struct xfrm_usersa_id *p = nlmsg_data(nlh);
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        x = xfrm_user_state_lookup(net, p, attrs, &err);
        if (x == NULL)
@@ -591,6 +681,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        km_state_notify(x, &c);
 out:
+        security_task_getsecid(current, &sid);
        xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
        xfrm_state_put(x);
        return err;
@@ -688,9 +779,16 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
        if (x->encap)
                NLA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
+        if (x->tfcpad)
+                NLA_PUT_U32(skb, XFRMA_TFCPAD, x->tfcpad);
        if (xfrm_mark_put(skb, &x->mark))
                goto nla_put_failure;
+        if (x->replay_esn)
+                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+                        xfrm_replay_state_esn_len(x->replay_esn), x->replay_esn);
        if (x->security && copy_sec_ctx(x->security, skb) < 0)
                goto nla_put_failure;
@@ -799,7 +897,7 @@ static int build_spdinfo(struct sk_buff *skb, struct net *net,
        u32 *f;
        nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0);
-        if (nlh == NULL) /* shouldnt really happen ... */
+        if (nlh == NULL) /* shouldn't really happen ... */
                return -EMSGSIZE;
        f = nlmsg_data(nlh);
@@ -859,7 +957,7 @@ static int build_sadinfo(struct sk_buff *skb, struct net *net,
        u32 *f;
        nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0);
-        if (nlh == NULL) /* shouldnt really happen ... */
+        if (nlh == NULL) /* shouldn't really happen ... */
                return -EMSGSIZE;
        f = nlmsg_data(nlh);
@@ -1251,9 +1349,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct km_event c;
        int err;
        int excl;
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        err = verify_newpolicy_info(p);
        if (err)
@@ -1266,12 +1364,13 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (!xp)
                return err;
-        /* shouldnt excl be based on nlh flags??
+        /* shouldn't excl be based on nlh flags??
         * Aha! this is anti-netlink really i.e  more pfkey derived
         * in netlink excl is a flag and you wouldnt need
         * a type XFRM_MSG_UPDPOLICY - JHS */
        excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
        err = xfrm_policy_insert(p->dir, xp, excl);
+        security_task_getsecid(current, &sid);
        xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
        if (err) {
@@ -1508,10 +1607,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                                            NETLINK_CB(skb).pid);
                }
        } else {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                u32 sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
                                         sid);
@@ -1539,9 +1639,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_audit audit_info;
        int err;
-        audit_info.loginuid = NETLINK_CB(skb).loginuid;
+        audit_info.loginuid = audit_get_loginuid(current);
-        audit_info.sessionid = NETLINK_CB(skb).sessionid;
+        audit_info.sessionid = audit_get_sessionid(current);
-        audit_info.secid = NETLINK_CB(skb).sid;
+        security_task_getsecid(current, &audit_info.secid);
        err = xfrm_state_flush(net, p->proto, &audit_info);
        if (err) {
                if (err == -ESRCH) /* empty table */
@@ -1558,17 +1658,21 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        return 0;
 }
-static inline size_t xfrm_aevent_msgsize(void)
+static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x)
 {
+        size_t replay_size = x->replay_esn ?
+                              xfrm_replay_state_esn_len(x->replay_esn) :
+                              sizeof(struct xfrm_replay_state);
        return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id))
-               + nla_total_size(sizeof(struct xfrm_replay_state))
+               + nla_total_size(replay_size)
               + nla_total_size(sizeof(struct xfrm_lifetime_cur))
               + nla_total_size(sizeof(struct xfrm_mark))
               + nla_total_size(4) /* XFRM_AE_RTHR */
               + nla_total_size(4); /* XFRM_AE_ETHR */
 }
-static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c)
+static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_aevent_id *id;
        struct nlmsghdr *nlh;
@@ -1586,7 +1690,13 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_eve
        id->reqid = x->props.reqid;
        id->flags = c->data.aevent;
-        NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
+        if (x->replay_esn)
+                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+                        xfrm_replay_state_esn_len(x->replay_esn),
+                        x->replay_esn);
+        else
+                NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
        NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft);
        if (id->flags & XFRM_AE_RTHR)
@@ -1619,16 +1729,16 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_aevent_id *p = nlmsg_data(nlh);
        struct xfrm_usersa_id *id = &p->sa_id;
-        r_skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC);
-        if (r_skb == NULL)
-                return -ENOMEM;
        mark = xfrm_mark_get(attrs, &m);
        x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family);
-        if (x == NULL) {
+        if (x == NULL)
-                kfree_skb(r_skb);
                return -ESRCH;
+        r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
+        if (r_skb == NULL) {
+                xfrm_state_put(x);
+                return -ENOMEM;
        }
        /*
@@ -1660,9 +1770,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_mark m;
        struct xfrm_aevent_id *p = nlmsg_data(nlh);
        struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+        struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
        struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
-        if (!lt && !rp)
+        if (!lt && !rp && !re)
                return err;
        /* pedantic mode - thou shalt sayeth replaceth */
@@ -1678,6 +1789,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
+        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        if (err)
+                goto out;
        spin_lock_bh(&x->lock);
        xfrm_update_ae_params(x, attrs);
        spin_unlock_bh(&x->lock);
@@ -1706,9 +1821,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (err)
                return err;
-        audit_info.loginuid = NETLINK_CB(skb).loginuid;
+        audit_info.loginuid = audit_get_loginuid(current);
-        audit_info.sessionid = NETLINK_CB(skb).sessionid;
+        audit_info.sessionid = audit_get_sessionid(current);
-        audit_info.secid = NETLINK_CB(skb).sid;
+        security_task_getsecid(current, &audit_info.secid);
        err = xfrm_policy_flush(net, type, &audit_info);
        if (err) {
                if (err == -ESRCH) /* empty table */
@@ -1775,9 +1890,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        err = 0;
        if (up->hard) {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                uid_t sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                xfrm_policy_delete(xp, p->dir);
                xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
@@ -1816,9 +1933,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        km_state_expired(x, ue->hard, current->pid);
        if (ue->hard) {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                uid_t sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                __xfrm_state_delete(x);
                xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
        }
@@ -1972,7 +2091,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 #endif
 #ifdef CONFIG_XFRM_MIGRATE
-static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb)
+static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb)
 {
        struct xfrm_user_migrate um;
@@ -1990,7 +2109,7 @@ static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb)
        return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um);
 }
-static int copy_to_user_kmaddress(struct xfrm_kmaddress *k, struct sk_buff *skb)
+static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb)
 {
        struct xfrm_user_kmaddress uk;
@@ -2011,11 +2130,11 @@ static inline size_t xfrm_migrate_msgsize(int num_migrate, int with_kma)
              + userpolicy_type_attrsize();
 }
-static int build_migrate(struct sk_buff *skb, struct xfrm_migrate *m,
+static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m,
-                         int num_migrate, struct xfrm_kmaddress *k,
+                         int num_migrate, const struct xfrm_kmaddress *k,
-                         struct xfrm_selector *sel, u8 dir, u8 type)
+                         const struct xfrm_selector *sel, u8 dir, u8 type)
 {
-        struct xfrm_migrate *mp;
+        const struct xfrm_migrate *mp;
        struct xfrm_userpolicy_id *pol_id;
        struct nlmsghdr *nlh;
        int i;
@@ -2047,9 +2166,9 @@ nlmsg_failure:
        return -EMSGSIZE;
 }
-static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                             struct xfrm_migrate *m, int num_migrate,
+                             const struct xfrm_migrate *m, int num_migrate,
-                             struct xfrm_kmaddress *k)
+                             const struct xfrm_kmaddress *k)
 {
        struct net *net = &init_net;
        struct sk_buff *skb;
@@ -2065,9 +2184,9 @@ static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC);
 }
 #else
-static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                             struct xfrm_migrate *m, int num_migrate,
+                             const struct xfrm_migrate *m, int num_migrate,
-                             struct xfrm_kmaddress *k)
+                             const struct xfrm_kmaddress *k)
 {
        return -ENOPROTOOPT;
 }
@@ -2122,6 +2241,8 @@ static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
        [XFRMA_MIGRATE]         = { .len = sizeof(struct xfrm_user_migrate) },
        [XFRMA_KMADDRESS]       = { .len = sizeof(struct xfrm_user_kmaddress) },
        [XFRMA_MARK]            = { .len = sizeof(struct xfrm_mark) },
+        [XFRMA_TFCPAD]          = { .type = NLA_U32 },
+        [XFRMA_REPLAY_ESN_VAL]  = { .len = sizeof(struct xfrm_replay_state_esn) },
 };
 static struct xfrm_link {
@@ -2205,7 +2326,7 @@ static inline size_t xfrm_expire_msgsize(void)
               + nla_total_size(sizeof(struct xfrm_mark));
 }
-static int build_expire(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c)
+static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_user_expire *ue;
        struct nlmsghdr *nlh;
@@ -2227,7 +2348,7 @@ nla_put_failure:
        return -EMSGSIZE;
 }
-static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct sk_buff *skb;
@@ -2244,12 +2365,12 @@ static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
 }
-static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct sk_buff *skb;
-        skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC);
+        skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
        if (skb == NULL)
                return -ENOMEM;
@@ -2259,7 +2380,7 @@ static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c)
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC);
 }
-static int xfrm_notify_sa_flush(struct km_event *c)
+static int xfrm_notify_sa_flush(const struct km_event *c)
 {
        struct net *net = c->net;
        struct xfrm_usersa_flush *p;
@@ -2301,6 +2422,10 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
                l += nla_total_size(sizeof(*x->calg));
        if (x->encap)
                l += nla_total_size(sizeof(*x->encap));
+        if (x->tfcpad)
+                l += nla_total_size(sizeof(x->tfcpad));
+        if (x->replay_esn)
+                l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn));
        if (x->security)
                l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) +
                                    x->security->ctx_len);
@@ -2313,7 +2438,7 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
        return l;
 }
-static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c)
+static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct xfrm_usersa_info *p;
@@ -2370,7 +2495,7 @@ nla_put_failure:
        return -1;
 }
-static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        switch (c->event) {
@@ -2529,7 +2654,7 @@ static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp)
 }
 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
-                           int dir, struct km_event *c)
+                           int dir, const struct km_event *c)
 {
        struct xfrm_user_polexpire *upe;
        struct nlmsghdr *nlh;
@@ -2559,7 +2684,7 @@ nlmsg_failure:
        return -EMSGSIZE;
 }
-static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct net *net = xp_net(xp);
        struct sk_buff *skb;
@@ -2574,7 +2699,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_eve
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
 }
-static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct net *net = xp_net(xp);
        struct xfrm_userpolicy_info *p;
@@ -2639,7 +2764,7 @@ nlmsg_failure:
        return -1;
 }
-static int xfrm_notify_policy_flush(struct km_event *c)
+static int xfrm_notify_policy_flush(const struct km_event *c)
 {
        struct net *net = c->net;
        struct nlmsghdr *nlh;
@@ -2664,7 +2789,7 @@ nlmsg_failure:
        return -1;
 }
-static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        switch (c->event) {
author	Glenn Elliott <gelliott@cs.unc.edu>	2012-03-04 19:47:13 -0500
committer	Glenn Elliott <gelliott@cs.unc.edu>	2012-03-04 19:47:13 -0500
commit	c71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
tree	ecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /net/xfrm
parent	ea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent	6a00f206debf8a5c8899055726ad127dbeeed098 (diff)