13 files changed, 87 insertions, 54 deletions
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f2eccd531746..17ff9fd7cdda 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -257,7 +257,8 @@ static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
                struct inet_peer *peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, 1);
                rc = inet_peer_xrlim_allow(peer,
                                           net->ipv4.sysctl_icmp_ratelimit);
-                inet_putpeer(peer);
+                if (peer)
+                        inet_putpeer(peer);
        }
 out:
        return rc;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 535584c00f91..0c34bfabc11f 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -892,13 +892,16 @@ static int __inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
                struct inet_diag_req_v2 *r, struct nlattr *bc)
 {
        const struct inet_diag_handler *handler;
+        int err = 0;
        handler = inet_diag_lock_handler(r->sdiag_protocol);
        if (!IS_ERR(handler))
                handler->dump(skb, cb, r, bc);
+        else
+                err = PTR_ERR(handler);
        inet_diag_unlock_handler(handler);
-        return skb->len;
+        return err ? : skb->len;
 }
 static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 5eea4a811042..14bbfcf717ac 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -457,19 +457,28 @@ static int do_ip_setsockopt(struct sock *sk, int level,
        struct inet_sock *inet = inet_sk(sk);
        int val = 0, err;
-        if (((1<<optname) & ((1<<IP_PKTINFO) | (1<<IP_RECVTTL) |
+        switch (optname) {
-                             (1<<IP_RECVOPTS) | (1<<IP_RECVTOS) |
+        case IP_PKTINFO:
-                             (1<<IP_RETOPTS) | (1<<IP_TOS) |
+        case IP_RECVTTL:
-                             (1<<IP_TTL) | (1<<IP_HDRINCL) |
+        case IP_RECVOPTS:
-                             (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
+        case IP_RECVTOS:
-                             (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
+        case IP_RETOPTS:
-                             (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
+        case IP_TOS:
-                             (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
+        case IP_TTL:
-            optname == IP_UNICAST_IF ||
+        case IP_HDRINCL:
-            optname == IP_MULTICAST_TTL ||
+        case IP_MTU_DISCOVER:
-            optname == IP_MULTICAST_ALL ||
+        case IP_RECVERR:
-            optname == IP_MULTICAST_LOOP ||
+        case IP_ROUTER_ALERT:
-            optname == IP_RECVORIGDSTADDR) {
+        case IP_FREEBIND:
+        case IP_PASSSEC:
+        case IP_TRANSPARENT:
+        case IP_MINTTL:
+        case IP_NODEFRAG:
+        case IP_UNICAST_IF:
+        case IP_MULTICAST_TTL:
+        case IP_MULTICAST_ALL:
+        case IP_MULTICAST_LOOP:
+        case IP_RECVORIGDSTADDR:
                if (optlen >= sizeof(int)) {
                        if (get_user(val, (int __user *) optval))
                                return -EFAULT;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 1831092f999f..858fddf6482a 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
        if (tunnel != NULL) {
                struct pcpu_tstats *tstats;
+                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+                        return -1;
                tstats = this_cpu_ptr(tunnel->dev->tstats);
                u64_stats_update_begin(&tstats->syncp);
                tstats->rx_packets++;
                tstats->rx_bytes += skb->len;
                u64_stats_update_end(&tstats->syncp);
+                skb->mark = 0;
+                secpath_reset(skb);
                skb->dev = tunnel->dev;
                return 1;
        }
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 6168c4dc58b1..3eab2b2ffd34 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
                if (get_user(v, (u32 __user *)optval))
                        return -EFAULT;
+                /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
+                if (v != RT_TABLE_DEFAULT && v >= 1000000000)
+                        return -EINVAL;
                rtnl_lock();
                ret = 0;
                if (sk == rtnl_dereference(mrt->mroute_sk)) {
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 9e0ffaf1d942..a82047282dbb 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -184,7 +184,8 @@ nf_nat_ipv4_out(unsigned int hooknum,
                if ((ct->tuplehash[dir].tuple.src.u3.ip !=
                     ct->tuplehash[!dir].tuple.dst.u3.ip) ||
-                    (ct->tuplehash[dir].tuple.src.u.all !=
+                    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
+                     ct->tuplehash[dir].tuple.src.u.all !=
                     ct->tuplehash[!dir].tuple.dst.u.all))
                        if (nf_xfrm_me_harder(skb, AF_INET) < 0)
                                ret = NF_DROP;
@@ -221,6 +222,7 @@ nf_nat_ipv4_local_fn(unsigned int hooknum,
                }
 #ifdef CONFIG_XFRM
                else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
+                         ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
                         ct->tuplehash[dir].tuple.dst.u.all !=
                         ct->tuplehash[!dir].tuple.src.u.all)
                        if (nf_xfrm_me_harder(skb, AF_INET) < 0)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a8c651216fa6..df251424d816 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1785,6 +1785,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
        if (dev_out->flags & IFF_LOOPBACK)
                flags |= RTCF_LOCAL;
+        do_cache = true;
        if (type == RTN_BROADCAST) {
                flags |= RTCF_BROADCAST | RTCF_LOCAL;
                fi = NULL;
@@ -1793,6 +1794,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
                if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
                                     fl4->flowi4_proto))
                        flags &= ~RTCF_LOCAL;
+                else
+                        do_cache = false;
                /* If multicast route do not exist use
                 * default one, but do not gateway in this case.
                 * Yes, it is hack.
@@ -1802,8 +1805,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
        }
        fnhe = NULL;
-        do_cache = fi != NULL;
+        do_cache &= fi != NULL;
-        if (fi) {
+        if (do_cache) {
                struct rtable __rcu **prth;
                struct fib_nh *nh = &FIB_RES_NH(*res);
@@ -2597,7 +2600,7 @@ int __init ip_rt_init(void)
                pr_err("Unable to create route proc files\n");
 #ifdef CONFIG_XFRM
        xfrm_init();
-        xfrm4_init(ip_rt_max_size);
+        xfrm4_init();
 #endif
        rtnl_register(PF_INET, RTM_GETROUTE, inet_rtm_getroute, NULL, NULL);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 197c0008503c..e457c7ab2e28 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -830,8 +830,8 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
        return mss_now;
 }
-static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset,
+static ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
-                         size_t psize, int flags)
+                                size_t size, int flags)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        int mss_now, size_goal;
@@ -858,12 +858,9 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
        if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
                goto out_err;
-        while (psize > 0) {
+        while (size > 0) {
                struct sk_buff *skb = tcp_write_queue_tail(sk);
-                struct page *page = pages[poffset / PAGE_SIZE];
                int copy, i;
-                int offset = poffset % PAGE_SIZE;
-                int size = min_t(size_t, psize, PAGE_SIZE - offset);
                bool can_coalesce;
                if (!tcp_send_head(sk) || (copy = size_goal - skb->len) <= 0) {
@@ -912,8 +909,8 @@ new_segment:
                        TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;
                copied += copy;
-                poffset += copy;
+                offset += copy;
-                if (!(psize -= copy))
+                if (!(size -= copy))
                        goto out;
                if (skb->len < size_goal || (flags & MSG_OOB))
@@ -960,7 +957,7 @@ int tcp_sendpage(struct sock *sk, struct page *page, int offset,
                                        flags);
        lock_sock(sk);
-        res = do_tcp_sendpages(sk, &page, offset, size, flags);
+        res = do_tcp_sendpages(sk, page, offset, size, flags);
        release_sock(sk);
        return res;
 }
@@ -1212,7 +1209,7 @@ new_segment:
 wait_for_sndbuf:
                        set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
 wait_for_memory:
-                        if (copied && likely(!tp->repair))
+                        if (copied)
                                tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
                        if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
@@ -1223,7 +1220,7 @@ wait_for_memory:
        }
 out:
-        if (copied && likely(!tp->repair))
+        if (copied)
                tcp_push(sk, flags, mss_now, tp->nonagle);
        release_sock(sk);
        return copied + copied_syn;
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 813b43a76fec..834857f3c871 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
                        .tcpv_rttcnt = ca->cnt_rtt,
                        .tcpv_minrtt = ca->base_rtt,
                };
-                u64 t = ca->sum_rtt;
-                do_div(t, ca->cnt_rtt);
+                if (info.tcpv_rttcnt > 0) {
-                info.tcpv_rtt = t;
+                        u64 t = ca->sum_rtt;
+                        do_div(t, info.tcpv_rttcnt);
+                        info.tcpv_rtt = t;
+                }
                nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
        }
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 1db663983587..609ff98aeb47 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4529,6 +4529,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
        struct tcphdr *th;
        bool fragstolen;
+        if (size == 0)
+                return 0;
        skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
        if (!skb)
                goto err;
@@ -5310,11 +5313,6 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
                goto discard;
        }
-        /* ts_recent update must be made after we are sure that the packet
-         * is in window.
-         */
-        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        /* step 3: check security and precedence [ignored] */
        /* step 4: Check for a SYN
@@ -5549,6 +5547,11 @@ step5:
        if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
                goto discard;
+        /* ts_recent update must be made after we are sure that the packet
+         * is in window.
+         */
+        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        tcp_rcv_rtt_measure_ts(sk, skb);
        /* Process urgent data. */
@@ -6127,6 +6130,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
        } else
                goto discard;
+        /* ts_recent update must be made after we are sure that the packet
+         * is in window.
+         */
+        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        /* step 6: check the URG bit */
        tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 4c752a6e0bcd..f696d7c2e9fa 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -1,7 +1,6 @@
 #include <linux/rcupdate.h>
 #include <linux/spinlock.h>
 #include <linux/jiffies.h>
-#include <linux/bootmem.h>
 #include <linux/module.h>
 #include <linux/cache.h>
 #include <linux/slab.h>
@@ -9,6 +8,7 @@
 #include <linux/tcp.h>
 #include <linux/hash.h>
 #include <linux/tcp_metrics.h>
+#include <linux/vmalloc.h>
 #include <net/inet_connection_sock.h>
 #include <net/net_namespace.h>
@@ -864,7 +864,7 @@ static int parse_nl_addr(struct genl_info *info, struct inetpeer_addr *addr,
        }
        a = info->attrs[TCP_METRICS_ATTR_ADDR_IPV6];
        if (a) {
-                if (nla_len(a) != sizeof(sizeof(struct in6_addr)))
+                if (nla_len(a) != sizeof(struct in6_addr))
                        return -EINVAL;
                addr->family = AF_INET6;
                memcpy(addr->addr.a6, nla_data(a), sizeof(addr->addr.a6));
@@ -1034,7 +1034,10 @@ static int __net_init tcp_net_metrics_init(struct net *net)
        net->ipv4.tcp_metrics_hash_log = order_base_2(slots);
        size = sizeof(struct tcpm_hash_bucket) << net->ipv4.tcp_metrics_hash_log;
-        net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL);
+        net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+        if (!net->ipv4.tcp_metrics_hash)
+                net->ipv4.tcp_metrics_hash = vzalloc(size);
        if (!net->ipv4.tcp_metrics_hash)
                return -ENOMEM;
@@ -1055,7 +1058,10 @@ static void __net_exit tcp_net_metrics_exit(struct net *net)
                        tm = next;
                }
        }
-        kfree(net->ipv4.tcp_metrics_hash);
+        if (is_vmalloc_addr(net->ipv4.tcp_metrics_hash))
+                vfree(net->ipv4.tcp_metrics_hash);
+        else
+                kfree(net->ipv4.tcp_metrics_hash);
 }
 static __net_initdata struct pernet_operations tcp_net_metrics_ops = {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index cfe6ffe1c177..2798706cb063 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1986,6 +1986,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                tso_segs = tcp_init_tso_segs(sk, skb, mss_now);
                BUG_ON(!tso_segs);
+                if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE)
+                        goto repair; /* Skip network transmission */
                cwnd_quota = tcp_cwnd_test(tp, skb);
                if (!cwnd_quota)
                        break;
@@ -2026,6 +2029,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
                        break;
+repair:
                /* Advance the send_head.  This one is sent out.
                 * This call will increment packets_out.
                 */
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 05c5ab8d983c..3be0ac2c1920 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -279,19 +279,8 @@ static void __exit xfrm4_policy_fini(void)
        xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
 }
-void __init xfrm4_init(int rt_max_size)
+void __init xfrm4_init(void)
 {
-        /*
-         * Select a default value for the gc_thresh based on the main route
-         * table hash size.  It seems to me the worst case scenario is when
-         * we have ipsec operating in transport mode, in which we create a
-         * dst_entry per socket.  The xfrm gc algorithm starts trying to remove
-         * entries at gc_thresh, and prevents new allocations as 2*gc_thresh
-         * so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
-         * That will let us store an ipsec connection per route table entry,
-         * and start cleaning when were 1/2 full
-         */
-        xfrm4_dst_ops.gc_thresh = rt_max_size/2;
        dst_entries_init(&xfrm4_dst_ops);
        xfrm4_state_init();