15 files changed, 134 insertions, 105 deletions
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 92db7a69f2b9..8b7fe5b03906 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1246,7 +1246,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb,
        encap = SKB_GSO_CB(skb)->encap_level > 0;
        if (encap)
-                features = skb->dev->hw_enc_features & netif_skb_features(skb);
+                features &= skb->dev->hw_enc_features;
        SKB_GSO_CB(skb)->encap_level += ihl;
        skb_reset_transport_header(skb);
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 32e78924e246..606c520ffd5a 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -133,6 +133,8 @@ static int fou_gro_complete(struct sk_buff *skb, int nhoff)
        int err = -ENOSYS;
        const struct net_offload **offloads;
+        udp_tunnel_gro_complete(skb, nhoff);
        rcu_read_lock();
        offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
        ops = rcu_dereference(offloads[proto]);
diff --git a/net/ipv4/geneve.c b/net/ipv4/geneve.c
index 065cd94c640c..dedb21e99914 100644
--- a/net/ipv4/geneve.c
+++ b/net/ipv4/geneve.c
@@ -144,6 +144,8 @@ int geneve_xmit_skb(struct geneve_sock *gs, struct rtable *rt,
        gnvh = (struct genevehdr *)__skb_push(skb, sizeof(*gnvh) + opt_len);
        geneve_build_header(gnvh, tun_flags, vni, opt_len, opt);
+        skb_set_inner_protocol(skb, htons(ETH_P_TEB));
        return udp_tunnel_xmit_skb(gs->sock, rt, skb, src, dst,
                                   tos, ttl, df, src_port, dst_port, xnet);
 }
@@ -364,6 +366,7 @@ late_initcall(geneve_init_module);
 static void __exit geneve_cleanup_module(void)
 {
        destroy_workqueue(geneve_wq);
+        unregister_pernet_subsys(&geneve_net_ops);
 }
 module_exit(geneve_cleanup_module);
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index ccda09628de7..bb5947b0ce2d 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -47,7 +47,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
        greh = (struct gre_base_hdr *)skb_transport_header(skb);
-        ghl = skb_inner_network_header(skb) - skb_transport_header(skb);
+        ghl = skb_inner_mac_header(skb) - skb_transport_header(skb);
        if (unlikely(ghl < sizeof(*greh)))
                goto out;
@@ -68,7 +68,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
        skb->mac_len = skb_inner_network_offset(skb);
        /* segment inner packet. */
-        enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
+        enc_features = skb->dev->hw_enc_features & features;
        segs = skb_mac_gso_segment(skb, enc_features);
        if (IS_ERR_OR_NULL(segs)) {
                skb_gso_error_unwind(skb, protocol, ghl, mac_offset, mac_len);
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 9eb89f3f0ee4..19419b60cb37 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -146,7 +146,6 @@ evict_again:
                        atomic_inc(&fq->refcnt);
                        spin_unlock(&hb->chain_lock);
                        del_timer_sync(&fq->timer);
-                        WARN_ON(atomic_read(&fq->refcnt) != 1);
                        inet_frag_put(fq, f);
                        goto evict_again;
                }
@@ -285,7 +284,8 @@ static inline void fq_unlink(struct inet_frag_queue *fq, struct inet_frags *f)
        struct inet_frag_bucket *hb;
        hb = get_frag_bucket_locked(fq, f);
-        hlist_del(&fq->list);
+        if (!(fq->flags & INET_FRAG_EVICTED))
+                hlist_del(&fq->list);
        spin_unlock(&hb->chain_lock);
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 88e5ef2c7f51..bc6471d4abcd 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -231,7 +231,7 @@ static int ip_finish_output_gso(struct sk_buff *skb)
         */
        features = netif_skb_features(skb);
        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
-        if (IS_ERR(segs)) {
+        if (IS_ERR_OR_NULL(segs)) {
                kfree_skb(skb);
                return -ENOMEM;
        }
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index c373a9ad4555..9daf2177dc00 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -195,7 +195,7 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
        for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
                if (!CMSG_OK(msg, cmsg))
                        return -EINVAL;
-#if defined(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
                if (allow_ipv6 &&
                    cmsg->cmsg_level == SOL_IPV6 &&
                    cmsg->cmsg_type == IPV6_PKTINFO) {
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index b023b4eb1a96..1baaa83dfe5c 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -6,48 +6,45 @@
 * published by the Free Software Foundation.
 */
+#include <linux/module.h>
 #include <net/ip.h>
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
 #include <linux/netfilter_ipv4.h>
+#include <net/netfilter/ipv4/nf_reject.h>
-/* Send RST reply */
+const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
-void nf_send_reset(struct sk_buff *oldskb, int hook)
+                                             struct tcphdr *_oth, int hook)
 {
-        struct sk_buff *nskb;
-        const struct iphdr *oiph;
-        struct iphdr *niph;
        const struct tcphdr *oth;
-        struct tcphdr _otcph, *tcph;
        /* IP header checks: fragment. */
        if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
-                return;
+                return NULL;
        oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
-                                 sizeof(_otcph), &_otcph);
+                                 sizeof(struct tcphdr), _oth);
        if (oth == NULL)
-                return;
+                return NULL;
        /* No RST for RST. */
        if (oth->rst)
-                return;
+                return NULL;
-        if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
-                return;
        /* Check checksum */
        if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
-                return;
+                return NULL;
-        oiph = ip_hdr(oldskb);
-        nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
+        return oth;
-                         LL_MAX_HEADER, GFP_ATOMIC);
+}
-        if (!nskb)
+EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_get);
-                return;
-        skb_reserve(nskb, LL_MAX_HEADER);
+struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
+                                  const struct sk_buff *oldskb,
+                                  __be16 protocol, int ttl)
+{
+        struct iphdr *niph, *oiph = ip_hdr(oldskb);
        skb_reset_network_header(nskb);
        niph = (struct iphdr *)skb_put(nskb, sizeof(struct iphdr));
@@ -56,10 +53,23 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
        niph->tos       = 0;
        niph->id        = 0;
        niph->frag_off  = htons(IP_DF);
-        niph->protocol  = IPPROTO_TCP;
+        niph->protocol  = protocol;
        niph->check     = 0;
        niph->saddr     = oiph->daddr;
        niph->daddr     = oiph->saddr;
+        niph->ttl       = ttl;
+        nskb->protocol = htons(ETH_P_IP);
+        return niph;
+}
+EXPORT_SYMBOL_GPL(nf_reject_iphdr_put);
+void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,
+                          const struct tcphdr *oth)
+{
+        struct iphdr *niph = ip_hdr(nskb);
+        struct tcphdr *tcph;
        skb_reset_transport_header(nskb);
        tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
@@ -68,9 +78,9 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
        tcph->dest      = oth->source;
        tcph->doff      = sizeof(struct tcphdr) / 4;
-        if (oth->ack)
+        if (oth->ack) {
                tcph->seq = oth->ack_seq;
-        else {
+        } else {
                tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
                                      oldskb->len - ip_hdrlen(oldskb) -
                                      (oth->doff << 2));
@@ -83,16 +93,43 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
        nskb->ip_summed = CHECKSUM_PARTIAL;
        nskb->csum_start = (unsigned char *)tcph - nskb->head;
        nskb->csum_offset = offsetof(struct tcphdr, check);
+}
+EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put);
+/* Send RST reply */
+void nf_send_reset(struct sk_buff *oldskb, int hook)
+{
+        struct sk_buff *nskb;
+        const struct iphdr *oiph;
+        struct iphdr *niph;
+        const struct tcphdr *oth;
+        struct tcphdr _oth;
+        oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
+        if (!oth)
+                return;
+        if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
+                return;
+        oiph = ip_hdr(oldskb);
+        nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
+                         LL_MAX_HEADER, GFP_ATOMIC);
+        if (!nskb)
+                return;
        /* ip_route_me_harder expects skb->dst to be set */
        skb_dst_set_noref(nskb, skb_dst(oldskb));
-        nskb->protocol = htons(ETH_P_IP);
+        skb_reserve(nskb, LL_MAX_HEADER);
+        niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
+                                   ip4_dst_hoplimit(skb_dst(nskb)));
+        nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
        if (ip_route_me_harder(nskb, RTN_UNSPEC))
                goto free_nskb;
-        niph->ttl       = ip4_dst_hoplimit(skb_dst(nskb));
        /* "Never happens" */
        if (nskb->len > dst_mtu(skb_dst(nskb)))
                goto free_nskb;
@@ -125,3 +162,5 @@ void nf_send_reset(struct sk_buff *oldskb, int hook)
        kfree_skb(nskb);
 }
 EXPORT_SYMBOL_GPL(nf_send_reset);
+MODULE_LICENSE("GPL");
diff --git a/net/ipv4/netfilter/nft_masq_ipv4.c b/net/ipv4/netfilter/nft_masq_ipv4.c
index 1c636d6b5b50..c1023c445920 100644
--- a/net/ipv4/netfilter/nft_masq_ipv4.c
+++ b/net/ipv4/netfilter/nft_masq_ipv4.c
@@ -39,6 +39,7 @@ static const struct nft_expr_ops nft_masq_ipv4_ops = {
        .eval           = nft_masq_ipv4_eval,
        .init           = nft_masq_init,
        .dump           = nft_masq_dump,
+        .validate       = nft_masq_validate,
 };
 static struct nft_expr_type nft_masq_ipv4_type __read_mostly = {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 2d4ae469b471..6a2155b02602 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1798,6 +1798,7 @@ local_input:
 no_route:
        RT_CACHE_STAT_INC(in_no_route);
        res.type = RTN_UNREACHABLE;
+        res.fi = NULL;
        goto local_input;
        /*
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1bec4e76d88c..39ec0c379545 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2868,61 +2868,42 @@ EXPORT_SYMBOL(compat_tcp_getsockopt);
 #endif
 #ifdef CONFIG_TCP_MD5SIG
-static struct tcp_md5sig_pool __percpu *tcp_md5sig_pool __read_mostly;
+static DEFINE_PER_CPU(struct tcp_md5sig_pool, tcp_md5sig_pool);
 static DEFINE_MUTEX(tcp_md5sig_mutex);
+static bool tcp_md5sig_pool_populated = false;
-static void __tcp_free_md5sig_pool(struct tcp_md5sig_pool __percpu *pool)
-{
-        int cpu;
-        for_each_possible_cpu(cpu) {
-                struct tcp_md5sig_pool *p = per_cpu_ptr(pool, cpu);
-                if (p->md5_desc.tfm)
-                        crypto_free_hash(p->md5_desc.tfm);
-        }
-        free_percpu(pool);
-}
 static void __tcp_alloc_md5sig_pool(void)
 {
        int cpu;
-        struct tcp_md5sig_pool __percpu *pool;
-        pool = alloc_percpu(struct tcp_md5sig_pool);
-        if (!pool)
-                return;
        for_each_possible_cpu(cpu) {
-                struct crypto_hash *hash;
+                if (!per_cpu(tcp_md5sig_pool, cpu).md5_desc.tfm) {
+                        struct crypto_hash *hash;
-                hash = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
-                if (IS_ERR_OR_NULL(hash))
-                        goto out_free;
-                per_cpu_ptr(pool, cpu)->md5_desc.tfm = hash;
+                        hash = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
+                        if (IS_ERR_OR_NULL(hash))
+                                return;
+                        per_cpu(tcp_md5sig_pool, cpu).md5_desc.tfm = hash;
+                }
        }
-        /* before setting tcp_md5sig_pool, we must commit all writes
+        /* before setting tcp_md5sig_pool_populated, we must commit all writes
-         * to memory. See ACCESS_ONCE() in tcp_get_md5sig_pool()
+         * to memory. See smp_rmb() in tcp_get_md5sig_pool()
         */
        smp_wmb();
-        tcp_md5sig_pool = pool;
+        tcp_md5sig_pool_populated = true;
-        return;
-out_free:
-        __tcp_free_md5sig_pool(pool);
 }
 bool tcp_alloc_md5sig_pool(void)
 {
-        if (unlikely(!tcp_md5sig_pool)) {
+        if (unlikely(!tcp_md5sig_pool_populated)) {
                mutex_lock(&tcp_md5sig_mutex);
-                if (!tcp_md5sig_pool)
+                if (!tcp_md5sig_pool_populated)
                        __tcp_alloc_md5sig_pool();
                mutex_unlock(&tcp_md5sig_mutex);
        }
-        return tcp_md5sig_pool != NULL;
+        return tcp_md5sig_pool_populated;
 }
 EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
@@ -2936,13 +2917,13 @@ EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
 */
 struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
 {
-        struct tcp_md5sig_pool __percpu *p;
        local_bh_disable();
-        p = ACCESS_ONCE(tcp_md5sig_pool);
-        if (p)
-                return raw_cpu_ptr(p);
+        if (tcp_md5sig_pool_populated) {
+                /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
+                smp_rmb();
+                return this_cpu_ptr(&tcp_md5sig_pool);
+        }
        local_bh_enable();
        return NULL;
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a12b455928e5..88fa2d160685 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2315,6 +2315,35 @@ static inline bool tcp_packet_delayed(const struct tcp_sock *tp)
 /* Undo procedures. */
+/* We can clear retrans_stamp when there are no retransmissions in the
+ * window. It would seem that it is trivially available for us in
+ * tp->retrans_out, however, that kind of assumptions doesn't consider
+ * what will happen if errors occur when sending retransmission for the
+ * second time. ...It could the that such segment has only
+ * TCPCB_EVER_RETRANS set at the present time. It seems that checking
+ * the head skb is enough except for some reneging corner cases that
+ * are not worth the effort.
+ *
+ * Main reason for all this complexity is the fact that connection dying
+ * time now depends on the validity of the retrans_stamp, in particular,
+ * that successive retransmissions of a segment must not advance
+ * retrans_stamp under any conditions.
+ */
+static bool tcp_any_retrans_done(const struct sock *sk)
+{
+        const struct tcp_sock *tp = tcp_sk(sk);
+        struct sk_buff *skb;
+        if (tp->retrans_out)
+                return true;
+        skb = tcp_write_queue_head(sk);
+        if (unlikely(skb && TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS))
+                return true;
+        return false;
+}
 #if FASTRETRANS_DEBUG > 1
 static void DBGUNDO(struct sock *sk, const char *msg)
 {
@@ -2410,6 +2439,8 @@ static bool tcp_try_undo_recovery(struct sock *sk)
                 * is ACKed. For Reno it is MUST to prevent false
                 * fast retransmits (RFC2582). SACK TCP is safe. */
                tcp_moderate_cwnd(tp);
+                if (!tcp_any_retrans_done(sk))
+                        tp->retrans_stamp = 0;
                return true;
        }
        tcp_set_ca_state(sk, TCP_CA_Open);
@@ -2430,35 +2461,6 @@ static bool tcp_try_undo_dsack(struct sock *sk)
        return false;
 }
-/* We can clear retrans_stamp when there are no retransmissions in the
- * window. It would seem that it is trivially available for us in
- * tp->retrans_out, however, that kind of assumptions doesn't consider
- * what will happen if errors occur when sending retransmission for the
- * second time. ...It could the that such segment has only
- * TCPCB_EVER_RETRANS set at the present time. It seems that checking
- * the head skb is enough except for some reneging corner cases that
- * are not worth the effort.
- *
- * Main reason for all this complexity is the fact that connection dying
- * time now depends on the validity of the retrans_stamp, in particular,
- * that successive retransmissions of a segment must not advance
- * retrans_stamp under any conditions.
- */
-static bool tcp_any_retrans_done(const struct sock *sk)
-{
-        const struct tcp_sock *tp = tcp_sk(sk);
-        struct sk_buff *skb;
-        if (tp->retrans_out)
-                return true;
-        skb = tcp_write_queue_head(sk);
-        if (unlikely(skb && TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS))
-                return true;
-        return false;
-}
 /* Undo during loss recovery after partial ACK or using F-RTO. */
 static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo)
 {
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 94d1a7757ff7..9c7d7621466b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -206,8 +206,6 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        inet->inet_dport = usin->sin_port;
        inet->inet_daddr = daddr;
-        inet_set_txhash(sk);
        inet_csk(sk)->icsk_ext_hdr_len = 0;
        if (inet_opt)
                inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
@@ -224,6 +222,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (err)
                goto failure;
+        inet_set_txhash(sk);
        rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
                               inet->inet_sport, inet->inet_dport, sk);
        if (IS_ERR(rt)) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 3af21296d967..a3d453b94747 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2126,7 +2126,7 @@ bool tcp_schedule_loss_probe(struct sock *sk)
 static bool skb_still_in_host_queue(const struct sock *sk,
                                    const struct sk_buff *skb)
 {
-        if (unlikely(skb_fclone_busy(skb))) {
+        if (unlikely(skb_fclone_busy(sk, skb))) {
                NET_INC_STATS_BH(sock_net(sk),
                                 LINUX_MIB_TCPSPURIOUS_RTX_HOSTQUEUES);
                return true;
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 507310ef4b56..6480cea7aa53 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -58,7 +58,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
                skb->encap_hdr_csum = 1;
        /* segment inner packet. */
-        enc_features = skb->dev->hw_enc_features & netif_skb_features(skb);
+        enc_features = skb->dev->hw_enc_features & features;
        segs = gso_inner_segment(skb, enc_features);
        if (IS_ERR_OR_NULL(segs)) {
                skb_gso_error_unwind(skb, protocol, tnl_hlen, mac_offset,