20 files changed, 206 insertions, 158 deletions

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 8c54870db792..6d6dd345bc4d 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1650,6 +1650,39 @@ static int __init init_ipv4_mibs(void)
         return register_pernet_subsys(&ipv4_mib_ops);
 }
 
+static __net_init int inet_init_net(struct net *net)
+{
+        /*
+         * Set defaults for local port range
+         */
+        seqlock_init(&net->ipv4.ip_local_ports.lock);
+        net->ipv4.ip_local_ports.range[0] =  32768;
+        net->ipv4.ip_local_ports.range[1] =  61000;
+
+        seqlock_init(&net->ipv4.ping_group_range.lock);
+        /*
+         * Sane defaults - nobody may create ping sockets.
+         * Boot scripts should set this to distro-specific group.
+         */
+        net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
+        net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
+        return 0;
+}
+
+static __net_exit void inet_exit_net(struct net *net)
+{
+}
+
+static __net_initdata struct pernet_operations af_inet_ops = {
+        .init = inet_init_net,
+        .exit = inet_exit_net,
+};
+
+static int __init init_inet_pernet_ops(void)
+{
+        return register_pernet_subsys(&af_inet_ops);
+}
+
 static int ipv4_proc_init(void);
 
 /*
@@ -1794,6 +1827,9 @@ static int __init inet_init(void)
         if (ip_mr_init())
                 pr_crit("%s: Cannot init ipv4 mroute\n", __func__);
 #endif
+
+        if (init_inet_pernet_ops())
+                pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
         /*
          *      Initialise per-cpu ipv4 mibs
          */
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 1a629f870274..255aa9946fe7 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -250,7 +250,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
         bool dev_match;
 
         fl4.flowi4_oif = 0;
-        fl4.flowi4_iif = oif;
+        fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
         fl4.daddr = src;
         fl4.saddr = dst;
         fl4.flowi4_tos = tos;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index b53f0bf84dca..b10cd43a4722 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -631,6 +631,7 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
                                 .daddr = nh->nh_gw,
                                 .flowi4_scope = cfg->fc_scope + 1,
                                 .flowi4_oif = nh->nh_oif,
+                                .flowi4_iif = LOOPBACK_IFINDEX,
                         };
 
                         /* It is not necessary, but requires a bit of thinking */
@@ -820,13 +821,13 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
         fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
         if (fi == NULL)
                 goto failure;
+        fib_info_cnt++;
         if (cfg->fc_mx) {
                 fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
                 if (!fi->fib_metrics)
                         goto failure;
         } else
                 fi->fib_metrics = (u32 *) dst_default_metrics;
-        fib_info_cnt++;
 
         fi->fib_net = hold_net(net);
         fi->fib_protocol = cfg->fc_protocol;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 0d1e2cb877ec..a56b8e6e866a 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -37,11 +37,11 @@ void inet_get_local_port_range(struct net *net, int *low, int *high)
         unsigned int seq;
 
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
 
-                *low = net->ipv4.sysctl_local_ports.range[0];
-                *high = net->ipv4.sysctl_local_ports.range[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+                *low = net->ipv4.ip_local_ports.range[0];
+                *high = net->ipv4.ip_local_ports.range[1];
+        } while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
 }
 EXPORT_SYMBOL(inet_get_local_port_range);
 
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index be8abe73bb9f..6f111e48e11c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -42,12 +42,12 @@
 static bool ip_may_fragment(const struct sk_buff *skb)
 {
         return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
-               !skb->local_df;
+                skb->local_df;
 }
 
 static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
 {
-        if (skb->len <= mtu || skb->local_df)
+        if (skb->len <= mtu)
                 return false;
 
         if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
@@ -56,53 +56,6 @@ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
         return true;
 }
 
-static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb)
-{
-        unsigned int mtu;
-
-        if (skb->local_df || !skb_is_gso(skb))
-                return false;
-
-        mtu = ip_dst_mtu_maybe_forward(skb_dst(skb), true);
-
-        /* if seglen > mtu, do software segmentation for IP fragmentation on
-         * output.  DF bit cannot be set since ip_forward would have sent
-         * icmp error.
-         */
-        return skb_gso_network_seglen(skb) > mtu;
-}
-
-/* called if GSO skb needs to be fragmented on forward */
-static int ip_forward_finish_gso(struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb_dst(skb);
-        netdev_features_t features;
-        struct sk_buff *segs;
-        int ret = 0;
-
-        features = netif_skb_dev_features(skb, dst->dev);
-        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
-        if (IS_ERR(segs)) {
-                kfree_skb(skb);
-                return -ENOMEM;
-        }
-
-        consume_skb(skb);
-
-        do {
-                struct sk_buff *nskb = segs->next;
-                int err;
-
-                segs->next = NULL;
-                err = dst_output(segs);
-
-                if (err && ret == 0)
-                        ret = err;
-                segs = nskb;
-        } while (segs);
-
-        return ret;
-}
 
 static int ip_forward_finish(struct sk_buff *skb)
 {
@@ -114,9 +67,6 @@ static int ip_forward_finish(struct sk_buff *skb)
         if (unlikely(opt->optlen))
                 ip_forward_options(skb);
 
-        if (ip_gso_exceeds_dst_mtu(skb))
-                return ip_forward_finish_gso(skb);
-
         return dst_output(skb);
 }
 
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index c10a3ce5cbff..ed32313e307c 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
                  * "Fragment Reassembly Timeout" message, per RFC792.
                  */
                 if (qp->user == IP_DEFRAG_AF_PACKET ||
-                    (qp->user == IP_DEFRAG_CONNTRACK_IN &&
-                     skb_rtable(head)->rt_type != RTN_LOCAL))
+                    ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
+                     (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
+                     (skb_rtable(head)->rt_type != RTN_LOCAL)))
                         goto out_rcu_unlock;
 
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 1a0755fea491..a52f50187b54 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -101,17 +101,17 @@ int __ip_local_out(struct sk_buff *skb)
                        skb_dst(skb)->dev, dst_output);
 }
 
-int ip_local_out(struct sk_buff *skb)
+int ip_local_out_sk(struct sock *sk, struct sk_buff *skb)
 {
         int err;
 
         err = __ip_local_out(skb);
         if (likely(err == 1))
-                err = dst_output(skb);
+                err = dst_output_sk(sk, skb);
 
         return err;
 }
-EXPORT_SYMBOL_GPL(ip_local_out);
+EXPORT_SYMBOL_GPL(ip_local_out_sk);
 
 static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst)
 {
@@ -211,6 +211,48 @@ static inline int ip_finish_output2(struct sk_buff *skb)
         return -EINVAL;
 }
 
+static int ip_finish_output_gso(struct sk_buff *skb)
+{
+        netdev_features_t features;
+        struct sk_buff *segs;
+        int ret = 0;
+
+        /* common case: locally created skb or seglen is <= mtu */
+        if (((IPCB(skb)->flags & IPSKB_FORWARDED) == 0) ||
+              skb_gso_network_seglen(skb) <= ip_skb_dst_mtu(skb))
+                return ip_finish_output2(skb);
+
+        /* Slowpath -  GSO segment length is exceeding the dst MTU.
+         *
+         * This can happen in two cases:
+         * 1) TCP GRO packet, DF bit not set
+         * 2) skb arrived via virtio-net, we thus get TSO/GSO skbs directly
+         * from host network stack.
+         */
+        features = netif_skb_features(skb);
+        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+        if (IS_ERR(segs)) {
+                kfree_skb(skb);
+                return -ENOMEM;
+        }
+
+        consume_skb(skb);
+
+        do {
+                struct sk_buff *nskb = segs->next;
+                int err;
+
+                segs->next = NULL;
+                err = ip_fragment(segs, ip_finish_output2);
+
+                if (err && ret == 0)
+                        ret = err;
+                segs = nskb;
+        } while (segs);
+
+        return ret;
+}
+
 static int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
@@ -220,15 +262,17 @@ static int ip_finish_output(struct sk_buff *skb)
                 return dst_output(skb);
         }
 #endif
-        if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))
+        if (skb_is_gso(skb))
+                return ip_finish_output_gso(skb);
+
+        if (skb->len > ip_skb_dst_mtu(skb))
                 return ip_fragment(skb, ip_finish_output2);
-        else
-                return ip_finish_output2(skb);
+
+        return ip_finish_output2(skb);
 }
 
-int ip_mc_output(struct sk_buff *skb)
+int ip_mc_output(struct sock *sk, struct sk_buff *skb)
 {
-        struct sock *sk = skb->sk;
         struct rtable *rt = skb_rtable(skb);
         struct net_device *dev = rt->dst.dev;
 
@@ -287,7 +331,7 @@ int ip_mc_output(struct sk_buff *skb)
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
-int ip_output(struct sk_buff *skb)
+int ip_output(struct sock *sk, struct sk_buff *skb)
 {
         struct net_device *dev = skb_dst(skb)->dev;
 
@@ -315,9 +359,9 @@ static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4)
                sizeof(fl4->saddr) + sizeof(fl4->daddr));
 }
 
-int ip_queue_xmit(struct sk_buff *skb, struct flowi *fl)
+/* Note: skb->sk can be different from sk, in case of tunnels */
+int ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl)
 {
-        struct sock *sk = skb->sk;
         struct inet_sock *inet = inet_sk(sk);
         struct ip_options_rcu *inet_opt;
         struct flowi4 *fl4;
@@ -389,6 +433,7 @@ packet_routed:
         ip_select_ident_more(skb, &rt->dst, sk,
                              (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
+        /* TODO : should we use skb->sk here instead of sk ? */
         skb->priority = sk->sk_priority;
         skb->mark = sk->sk_mark;
 
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index e77381d1df9a..2acc2337d38b 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -442,6 +442,8 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
                 tunnel->i_seqno = ntohl(tpi->seq) + 1;
         }
 
+        skb_reset_network_header(skb);
+
         err = IP_ECN_decapsulate(iph, skb);
         if (unlikely(err)) {
                 if (log_ecn_error)
@@ -538,9 +540,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
         unsigned int max_headroom;      /* The extra header space needed */
         __be32 dst;
         int err;
-        bool connected = true;
+        bool connected;
 
         inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
+        connected = (tunnel->parms.iph.daddr != 0);
 
         dst = tnl_params->daddr;
         if (dst == 0) {
@@ -670,7 +673,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                 return;
         }
 
-        err = iptunnel_xmit(rt, skb, fl4.saddr, fl4.daddr, protocol,
+        err = iptunnel_xmit(skb->sk, rt, skb, fl4.saddr, fl4.daddr, protocol,
                             tos, ttl, df, !net_eq(tunnel->net, dev_net(dev)));
         iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
 
@@ -722,19 +725,18 @@ static void ip_tunnel_update(struct ip_tunnel_net *itn,
 int ip_tunnel_ioctl(struct net_device *dev, struct ip_tunnel_parm *p, int cmd)
 {
         int err = 0;
-        struct ip_tunnel *t;
-        struct net *net = dev_net(dev);
-        struct ip_tunnel *tunnel = netdev_priv(dev);
-        struct ip_tunnel_net *itn = net_generic(net, tunnel->ip_tnl_net_id);
+        struct ip_tunnel *t = netdev_priv(dev);
+        struct net *net = t->net;
+        struct ip_tunnel_net *itn = net_generic(net, t->ip_tnl_net_id);
 
         BUG_ON(!itn->fb_tunnel_dev);
         switch (cmd) {
         case SIOCGETTUNNEL:
-                t = NULL;
-                if (dev == itn->fb_tunnel_dev)
+                if (dev == itn->fb_tunnel_dev) {
                         t = ip_tunnel_find(itn, p, itn->fb_tunnel_dev->type);
-                if (t == NULL)
-                        t = netdev_priv(dev);
+                        if (t == NULL)
+                                t = netdev_priv(dev);
+                }
                 memcpy(p, &t->parms, sizeof(*p));
                 break;
 
@@ -881,6 +883,7 @@ int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
          */
         if (!IS_ERR(itn->fb_tunnel_dev)) {
                 itn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL;
+                itn->fb_tunnel_dev->mtu = ip_tunnel_bind_dev(itn->fb_tunnel_dev);
                 ip_tunnel_add(itn, netdev_priv(itn->fb_tunnel_dev));
         }
         rtnl_unlock();
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index e0c2b1d2ea4e..bcf206c79005 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -46,7 +46,7 @@
 #include <net/netns/generic.h>
 #include <net/rtnetlink.h>
 
-int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb,
+int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
                   __be32 src, __be32 dst, __u8 proto,
                   __u8 tos, __u8 ttl, __be16 df, bool xnet)
 {
@@ -76,7 +76,7 @@ int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb,
         iph->ttl        =       ttl;
         __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
 
-        err = ip_local_out(skb);
+        err = ip_local_out_sk(sk, skb);
         if (unlikely(net_xmit_eval(err)))
                 pkt_len = 0;
         return pkt_len;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index afcee51b90ed..13ef00f1e17b 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -239,6 +239,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 static int vti4_err(struct sk_buff *skb, u32 info)
 {
         __be32 spi;
+        __u32 mark;
         struct xfrm_state *x;
         struct ip_tunnel *tunnel;
         struct ip_esp_hdr *esph;
@@ -254,6 +255,8 @@ static int vti4_err(struct sk_buff *skb, u32 info)
         if (!tunnel)
                 return -1;
 
+        mark = be32_to_cpu(tunnel->parms.o_key);
+
         switch (protocol) {
         case IPPROTO_ESP:
                 esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
@@ -281,7 +284,7 @@ static int vti4_err(struct sk_buff *skb, u32 info)
                 return 0;
         }
 
-        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
                               spi, protocol, AF_INET);
         if (!x)
                 return 0;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 28863570dd60..d84dc8d4c916 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -455,7 +455,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, struct net_device *dev)
         struct mr_table *mrt;
         struct flowi4 fl4 = {
                 .flowi4_oif     = dev->ifindex,
-                .flowi4_iif     = skb->skb_iif,
+                .flowi4_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                 .flowi4_mark    = skb->mark,
         };
         int err;
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c49dcd0284a0..4bfaedf9b34e 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,11 +89,8 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
         if (ipv4_is_multicast(iph->daddr)) {
                 if (ipv4_is_zeronet(iph->saddr))
                         return ipv4_is_local_multicast(iph->daddr) ^ invert;
-                flow.flowi4_iif = 0;
-        } else {
-                flow.flowi4_iif = LOOPBACK_IFINDEX;
         }
-
+        flow.flowi4_iif = LOOPBACK_IFINDEX;
         flow.daddr = iph->saddr;
         flow.saddr = rpfilter_get_saddr(iph->daddr);
         flow.flowi4_oif = 0;
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 12e13bd82b5b..f40f321b41fc 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -22,7 +22,6 @@
 #endif
 #include <net/netfilter/nf_conntrack_zones.h>
 
-/* Returns new sk_buff, or NULL */
 static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
 {
         int err;
@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
         err = ip_defrag(skb, user);
         local_bh_enable();
 
-        if (!err)
+        if (!err) {
                 ip_send_check(ip_hdr(skb));
+                skb->local_df = 1;
+        }
 
         return err;
 }
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index f4b19e5dde54..044a0ddf6a79 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -236,15 +236,15 @@ exit:
 static void inet_get_ping_group_range_net(struct net *net, kgid_t *low,
                                           kgid_t *high)
 {
-        kgid_t *data = net->ipv4.sysctl_ping_group_range;
+        kgid_t *data = net->ipv4.ping_group_range.range;
         unsigned int seq;
 
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ping_group_range.lock);
 
                 *low = data[0];
                 *high = data[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+        } while (read_seqretry(&net->ipv4.ping_group_range.lock, seq));
 }
 
 
@@ -252,26 +252,33 @@ int ping_init_sock(struct sock *sk)
 {
         struct net *net = sock_net(sk);
         kgid_t group = current_egid();
-        struct group_info *group_info = get_current_groups();
-        int i, j, count = group_info->ngroups;
+        struct group_info *group_info;
+        int i, j, count;
         kgid_t low, high;
+        int ret = 0;
 
         inet_get_ping_group_range_net(net, &low, &high);
         if (gid_lte(low, group) && gid_lte(group, high))
                 return 0;
 
+        group_info = get_current_groups();
+        count = group_info->ngroups;
         for (i = 0; i < group_info->nblocks; i++) {
                 int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
                 for (j = 0; j < cp_count; j++) {
                         kgid_t gid = group_info->blocks[i][j];
                         if (gid_lte(low, gid) && gid_lte(gid, high))
-                                return 0;
+                                goto out_release_group;
                 }
 
                 count -= cp_count;
         }
 
-        return -EACCES;
+        ret = -EACCES;
+
+out_release_group:
+        put_group_info(group_info);
+        return ret;
 }
 EXPORT_SYMBOL_GPL(ping_init_sock);
 
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 34d094cadb11..5e676be3daeb 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1129,7 +1129,7 @@ static void ipv4_link_failure(struct sk_buff *skb)
                 dst_set_expires(&rt->dst, 0);
 }
 
-static int ip_rt_bug(struct sk_buff *skb)
+static int ip_rt_bug(struct sock *sk, struct sk_buff *skb)
 {
         pr_debug("%s: %pI4 -> %pI4, %s\n",
                  __func__, &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
@@ -1519,7 +1519,7 @@ static int __mkroute_input(struct sk_buff *skb,
         struct in_device *out_dev;
         unsigned int flags = 0;
         bool do_cache;
-        u32 itag;
+        u32 itag = 0;
 
         /* get a working reference to the output device */
         out_dev = __in_dev_get_rcu(FIB_RES_DEV(*res));
@@ -1700,8 +1700,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 
         if (res.type == RTN_LOCAL) {
                 err = fib_validate_source(skb, saddr, daddr, tos,
-                                          LOOPBACK_IFINDEX,
-                                          dev, in_dev, &itag);
+                                          0, dev, in_dev, &itag);
                 if (err < 0)
                         goto martian_source_keep_err;
                 goto local_input;
@@ -2218,7 +2217,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
 
                 new->__use = 1;
                 new->input = dst_discard;
-                new->output = dst_discard;
+                new->output = dst_discard_sk;
 
                 new->dev = ort->dst.dev;
                 if (new->dev)
@@ -2357,7 +2356,7 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src,
                         }
                 } else
 #endif
-                        if (nla_put_u32(skb, RTA_IIF, rt->rt_iif))
+                        if (nla_put_u32(skb, RTA_IIF, skb->dev->ifindex))
                                 goto nla_put_failure;
         }
 
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba052b43d..5cde8f263d40 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -45,10 +45,10 @@ static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
 /* Update system visible IP port range */
 static void set_local_port_range(struct net *net, int range[2])
 {
-        write_seqlock(&net->ipv4.sysctl_local_ports.lock);
-        net->ipv4.sysctl_local_ports.range[0] = range[0];
-        net->ipv4.sysctl_local_ports.range[1] = range[1];
-        write_sequnlock(&net->ipv4.sysctl_local_ports.lock);
+        write_seqlock(&net->ipv4.ip_local_ports.lock);
+        net->ipv4.ip_local_ports.range[0] = range[0];
+        net->ipv4.ip_local_ports.range[1] = range[1];
+        write_sequnlock(&net->ipv4.ip_local_ports.lock);
 }
 
 /* Validate changes from /proc interface. */
@@ -57,7 +57,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
                                  size_t *lenp, loff_t *ppos)
 {
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_local_ports.range);
+                container_of(table->data, struct net, ipv4.ip_local_ports.range);
         int ret;
         int range[2];
         struct ctl_table tmp = {
@@ -87,14 +87,14 @@ static void inet_get_ping_group_range_table(struct ctl_table *table, kgid_t *low
 {
         kgid_t *data = table->data;
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_ping_group_range);
+                container_of(table->data, struct net, ipv4.ping_group_range.range);
         unsigned int seq;
         do {
-                seq = read_seqbegin(&net->ipv4.sysctl_local_ports.lock);
+                seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
 
                 *low = data[0];
                 *high = data[1];
-        } while (read_seqretry(&net->ipv4.sysctl_local_ports.lock, seq));
+        } while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
 }
 
 /* Update system visible IP port range */
@@ -102,11 +102,11 @@ static void set_ping_group_range(struct ctl_table *table, kgid_t low, kgid_t hig
 {
         kgid_t *data = table->data;
         struct net *net =
-                container_of(table->data, struct net, ipv4.sysctl_ping_group_range);
-        write_seqlock(&net->ipv4.sysctl_local_ports.lock);
+                container_of(table->data, struct net, ipv4.ping_group_range.range);
+        write_seqlock(&net->ipv4.ip_local_ports.lock);
         data[0] = low;
         data[1] = high;
-        write_sequnlock(&net->ipv4.sysctl_local_ports.lock);
+        write_sequnlock(&net->ipv4.ip_local_ports.lock);
 }
 
 /* Validate changes from /proc interface. */
@@ -805,7 +805,7 @@ static struct ctl_table ipv4_net_table[] = {
         },
         {
                 .procname       = "ping_group_range",
-                .data           = &init_net.ipv4.sysctl_ping_group_range,
+                .data           = &init_net.ipv4.ping_group_range.range,
                 .maxlen         = sizeof(gid_t)*2,
                 .mode           = 0644,
                 .proc_handler   = ipv4_ping_group_range,
@@ -819,8 +819,8 @@ static struct ctl_table ipv4_net_table[] = {
         },
         {
                 .procname       = "ip_local_port_range",
-                .maxlen         = sizeof(init_net.ipv4.sysctl_local_ports.range),
-                .data           = &init_net.ipv4.sysctl_local_ports.range,
+                .maxlen         = sizeof(init_net.ipv4.ip_local_ports.range),
+                .data           = &init_net.ipv4.ip_local_ports.range,
                 .mode           = 0644,
                 .proc_handler   = ipv4_local_port_range,
         },
@@ -858,20 +858,6 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
                         table[i].data += (void *)net - (void *)&init_net;
         }
 
-        /*
-         * Sane defaults - nobody may create ping sockets.
-         * Boot scripts should set this to distro-specific group.
-         */
-        net->ipv4.sysctl_ping_group_range[0] = make_kgid(&init_user_ns, 1);
-        net->ipv4.sysctl_ping_group_range[1] = make_kgid(&init_user_ns, 0);
-
-        /*
-         * Set defaults for local port range
-         */
-        seqlock_init(&net->ipv4.sysctl_local_ports.lock);
-        net->ipv4.sysctl_local_ports.range[0] =  32768;
-        net->ipv4.sysctl_local_ports.range[1] =  61000;
-
         net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
         if (net->ipv4.ipv4_hdr == NULL)
                 goto err_reg;
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 8bf224516ba2..b4f1b29b08bd 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -409,7 +409,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
                 ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
                 ratio += cnt;
 
-                ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
+                ca->delayed_ack = clamp(ratio, 1U, ACK_RATIO_LIMIT);
         }
 
         /* Some calls are for duplicates without timetamps */
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 699fb102e971..12d6016bdd9a 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -981,7 +981,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                 TCP_ADD_STATS(sock_net(sk), TCP_MIB_OUTSEGS,
                               tcp_skb_pcount(skb));
 
-        err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
+        err = icsk->icsk_af_ops->queue_xmit(sk, skb, &inet->cork.fl);
         if (likely(err <= 0))
                 return err;
 
@@ -2441,8 +2441,14 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                 err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
         }
 
-        if (likely(!err))
+        if (likely(!err)) {
                 TCP_SKB_CB(skb)->sacked |= TCPCB_EVER_RETRANS;
+                /* Update global TCP statistics. */
+                TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
+                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
+                        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+                tp->total_retrans++;
+        }
         return err;
 }
 
@@ -2452,12 +2458,6 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
         int err = __tcp_retransmit_skb(sk, skb);
 
         if (err == 0) {
-                /* Update global TCP statistics. */
-                TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
-                if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
-                        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
-                tp->total_retrans++;
-
 #if FASTRETRANS_DEBUG > 0
                 if (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_RETRANS) {
                         net_dbg_ratelimited("retrans_out leaked\n");
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index baa0f63731fd..186a8ecf92fa 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -62,10 +62,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
         if (err)
                 return err;
 
-        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED;
-
-        skb->protocol = htons(ETH_P_IP);
+        IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
 
         return x->outer_mode->output2(x, skb);
 }
@@ -73,27 +70,34 @@ EXPORT_SYMBOL(xfrm4_prepare_output);
 
 int xfrm4_output_finish(struct sk_buff *skb)
 {
-#ifdef CONFIG_NETFILTER
-        if (!skb_dst(skb)->xfrm) {
-                IPCB(skb)->flags |= IPSKB_REROUTED;
-                return dst_output(skb);
-        }
+        memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+        skb->protocol = htons(ETH_P_IP);
 
+#ifdef CONFIG_NETFILTER
         IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
 #endif
 
-        skb->protocol = htons(ETH_P_IP);
         return xfrm_output(skb);
 }
 
-int xfrm4_output(struct sk_buff *skb)
+static int __xfrm4_output(struct sk_buff *skb)
 {
-        struct dst_entry *dst = skb_dst(skb);
-        struct xfrm_state *x = dst->xfrm;
+        struct xfrm_state *x = skb_dst(skb)->xfrm;
+
+#ifdef CONFIG_NETFILTER
+        if (!x) {
+                IPCB(skb)->flags |= IPSKB_REROUTED;
+                return dst_output(skb);
+        }
+#endif
 
+        return x->outer_mode->afinfo->output_finish(skb);
+}
+
+int xfrm4_output(struct sock *sk, struct sk_buff *skb)
+{
         return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
-                            NULL, dst->dev,
-                            x->outer_mode->afinfo->output_finish,
+                            NULL, skb_dst(skb)->dev, __xfrm4_output,
                             !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c
index 7f7b243e8139..a2ce0101eaac 100644
--- a/net/ipv4/xfrm4_protocol.c
+++ b/net/ipv4/xfrm4_protocol.c
@@ -50,8 +50,12 @@ int xfrm4_rcv_cb(struct sk_buff *skb, u8 protocol, int err)
 {
         int ret;
         struct xfrm4_protocol *handler;
+        struct xfrm4_protocol __rcu **head = proto_handlers(protocol);
 
-        for_each_protocol_rcu(*proto_handlers(protocol), handler)
+        if (!head)
+                return 0;
+
+        for_each_protocol_rcu(*head, handler)
                 if ((ret = handler->cb_handler(skb, err)) <= 0)
                         return ret;
 
@@ -64,15 +68,20 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
 {
         int ret;
         struct xfrm4_protocol *handler;
+        struct xfrm4_protocol __rcu **head = proto_handlers(nexthdr);
 
         XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
         XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
 
-        for_each_protocol_rcu(*proto_handlers(nexthdr), handler)
+        if (!head)
+                goto out;
+
+        for_each_protocol_rcu(*head, handler)
                 if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL)
                         return ret;
 
+out:
         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 
         kfree_skb(skb);
@@ -208,6 +217,9 @@ int xfrm4_protocol_register(struct xfrm4_protocol *handler,
         int ret = -EEXIST;
         int priority = handler->priority;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm4_protocol_mutex);
 
         if (!rcu_dereference_protected(*proto_handlers(protocol),
@@ -250,6 +262,9 @@ int xfrm4_protocol_deregister(struct xfrm4_protocol *handler,
         struct xfrm4_protocol *t;
         int ret = -ENOENT;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm4_protocol_mutex);
 
         for (pprev = proto_handlers(protocol);