14 files changed, 101 insertions, 56 deletions

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 535584c00f91..0c34bfabc11f 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -892,13 +892,16 @@ static int __inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
                 struct inet_diag_req_v2 *r, struct nlattr *bc)
 {
         const struct inet_diag_handler *handler;
+        int err = 0;
 
         handler = inet_diag_lock_handler(r->sdiag_protocol);
         if (!IS_ERR(handler))
                 handler->dump(skb, cb, r, bc);
+        else
+                err = PTR_ERR(handler);
         inet_diag_unlock_handler(handler);
 
-        return skb->len;
+        return err ? : skb->len;
 }
 
 static int inet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 5eea4a811042..14bbfcf717ac 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -457,19 +457,28 @@ static int do_ip_setsockopt(struct sock *sk, int level,
         struct inet_sock *inet = inet_sk(sk);
         int val = 0, err;
 
-        if (((1<<optname) & ((1<<IP_PKTINFO) | (1<<IP_RECVTTL) |
-                             (1<<IP_RECVOPTS) | (1<<IP_RECVTOS) |
-                             (1<<IP_RETOPTS) | (1<<IP_TOS) |
-                             (1<<IP_TTL) | (1<<IP_HDRINCL) |
-                             (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
-                             (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
-                             (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
-                             (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
-            optname == IP_UNICAST_IF ||
-            optname == IP_MULTICAST_TTL ||
-            optname == IP_MULTICAST_ALL ||
-            optname == IP_MULTICAST_LOOP ||
-            optname == IP_RECVORIGDSTADDR) {
+        switch (optname) {
+        case IP_PKTINFO:
+        case IP_RECVTTL:
+        case IP_RECVOPTS:
+        case IP_RECVTOS:
+        case IP_RETOPTS:
+        case IP_TOS:
+        case IP_TTL:
+        case IP_HDRINCL:
+        case IP_MTU_DISCOVER:
+        case IP_RECVERR:
+        case IP_ROUTER_ALERT:
+        case IP_FREEBIND:
+        case IP_PASSSEC:
+        case IP_TRANSPARENT:
+        case IP_MINTTL:
+        case IP_NODEFRAG:
+        case IP_UNICAST_IF:
+        case IP_MULTICAST_TTL:
+        case IP_MULTICAST_ALL:
+        case IP_MULTICAST_LOOP:
+        case IP_RECVORIGDSTADDR:
                 if (optlen >= sizeof(int)) {
                         if (get_user(val, (int __user *) optval))
                                 return -EFAULT;
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 1831092f999f..858fddf6482a 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
         if (tunnel != NULL) {
                 struct pcpu_tstats *tstats;
 
+                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+                        return -1;
+
                 tstats = this_cpu_ptr(tunnel->dev->tstats);
                 u64_stats_update_begin(&tstats->syncp);
                 tstats->rx_packets++;
                 tstats->rx_bytes += skb->len;
                 u64_stats_update_end(&tstats->syncp);
 
+                skb->mark = 0;
+                secpath_reset(skb);
                 skb->dev = tunnel->dev;
                 return 1;
         }
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 9e0ffaf1d942..a82047282dbb 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -184,7 +184,8 @@ nf_nat_ipv4_out(unsigned int hooknum,
 
                 if ((ct->tuplehash[dir].tuple.src.u3.ip !=
                      ct->tuplehash[!dir].tuple.dst.u3.ip) ||
-                    (ct->tuplehash[dir].tuple.src.u.all !=
+                    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
+                     ct->tuplehash[dir].tuple.src.u.all !=
                      ct->tuplehash[!dir].tuple.dst.u.all))
                         if (nf_xfrm_me_harder(skb, AF_INET) < 0)
                                 ret = NF_DROP;
@@ -221,6 +222,7 @@ nf_nat_ipv4_local_fn(unsigned int hooknum,
                 }
 #ifdef CONFIG_XFRM
                 else if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
+                         ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
                          ct->tuplehash[dir].tuple.dst.u.all !=
                          ct->tuplehash[!dir].tuple.src.u.all)
                         if (nf_xfrm_me_harder(skb, AF_INET) < 0)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 432f4bb77238..df251424d816 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1163,8 +1163,12 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
         spin_lock_bh(&fnhe_lock);
 
         if (daddr == fnhe->fnhe_daddr) {
-                struct rtable *orig;
-
+                struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
+                if (orig && rt_is_expired(orig)) {
+                        fnhe->fnhe_gw = 0;
+                        fnhe->fnhe_pmtu = 0;
+                        fnhe->fnhe_expires = 0;
+                }
                 if (fnhe->fnhe_pmtu) {
                         unsigned long expires = fnhe->fnhe_expires;
                         unsigned long diff = expires - jiffies;
@@ -1181,7 +1185,6 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
                 } else if (!rt->rt_gateway)
                         rt->rt_gateway = daddr;
 
-                orig = rcu_dereference(fnhe->fnhe_rth);
                 rcu_assign_pointer(fnhe->fnhe_rth, rt);
                 if (orig)
                         rt_free(orig);
@@ -1782,6 +1785,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
         if (dev_out->flags & IFF_LOOPBACK)
                 flags |= RTCF_LOCAL;
 
+        do_cache = true;
         if (type == RTN_BROADCAST) {
                 flags |= RTCF_BROADCAST | RTCF_LOCAL;
                 fi = NULL;
@@ -1790,6 +1794,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
                 if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
                                      fl4->flowi4_proto))
                         flags &= ~RTCF_LOCAL;
+                else
+                        do_cache = false;
                 /* If multicast route do not exist use
                  * default one, but do not gateway in this case.
                  * Yes, it is hack.
@@ -1799,8 +1805,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
         }
 
         fnhe = NULL;
-        do_cache = fi != NULL;
-        if (fi) {
+        do_cache &= fi != NULL;
+        if (do_cache) {
                 struct rtable __rcu **prth;
                 struct fib_nh *nh = &FIB_RES_NH(*res);
 
@@ -2594,7 +2600,7 @@ int __init ip_rt_init(void)
                 pr_err("Unable to create route proc files\n");
 #ifdef CONFIG_XFRM
         xfrm_init();
-        xfrm4_init(ip_rt_max_size);
+        xfrm4_init();
 #endif
         rtnl_register(PF_INET, RTM_GETROUTE, inet_rtm_getroute, NULL, NULL);
 
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f32c02e2a543..083092e3aed6 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -549,14 +549,12 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
                          !tp->urg_data ||
                          before(tp->urg_seq, tp->copied_seq) ||
                          !before(tp->urg_seq, tp->rcv_nxt)) {
-                        struct sk_buff *skb;
 
                         answ = tp->rcv_nxt - tp->copied_seq;
 
-                        /* Subtract 1, if FIN is in queue. */
-                        skb = skb_peek_tail(&sk->sk_receive_queue);
-                        if (answ && skb)
-                                answ -= tcp_hdr(skb)->fin;
+                        /* Subtract 1, if FIN was received */
+                        if (answ && sock_flag(sk, SOCK_DONE))
+                                answ--;
                 } else
                         answ = tp->urg_seq - tp->copied_seq;
                 release_sock(sk);
@@ -1214,7 +1212,7 @@ new_segment:
 wait_for_sndbuf:
                         set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
 wait_for_memory:
-                        if (copied && likely(!tp->repair))
+                        if (copied)
                                 tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
 
                         if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
@@ -1225,7 +1223,7 @@ wait_for_memory:
         }
 
 out:
-        if (copied && likely(!tp->repair))
+        if (copied)
                 tcp_push(sk, flags, mss_now, tp->nonagle);
         release_sock(sk);
         return copied + copied_syn;
@@ -2766,6 +2764,8 @@ void tcp_get_info(const struct sock *sk, struct tcp_info *info)
                 info->tcpi_options |= TCPI_OPT_ECN;
         if (tp->ecn_flags & TCP_ECN_SEEN)
                 info->tcpi_options |= TCPI_OPT_ECN_SEEN;
+        if (tp->syn_data_acked)
+                info->tcpi_options |= TCPI_OPT_SYN_DATA;
 
         info->tcpi_rto = jiffies_to_usecs(icsk->icsk_rto);
         info->tcpi_ato = jiffies_to_usecs(icsk->icsk_ack.ato);
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 813b43a76fec..834857f3c871 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
                         .tcpv_rttcnt = ca->cnt_rtt,
                         .tcpv_minrtt = ca->base_rtt,
                 };
-                u64 t = ca->sum_rtt;
 
-                do_div(t, ca->cnt_rtt);
-                info.tcpv_rtt = t;
+                if (info.tcpv_rttcnt > 0) {
+                        u64 t = ca->sum_rtt;
 
+                        do_div(t, info.tcpv_rttcnt);
+                        info.tcpv_rtt = t;
+                }
                 nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
         }
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 432c36649db3..609ff98aeb47 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4529,6 +4529,9 @@ int tcp_send_rcvq(struct sock *sk, struct msghdr *msg, size_t size)
         struct tcphdr *th;
         bool fragstolen;
 
+        if (size == 0)
+                return 0;
+
         skb = alloc_skb(size + sizeof(*th), sk->sk_allocation);
         if (!skb)
                 goto err;
@@ -5310,11 +5313,6 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
                 goto discard;
         }
 
-        /* ts_recent update must be made after we are sure that the packet
-         * is in window.
-         */
-        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
-
         /* step 3: check security and precedence [ignored] */
 
         /* step 4: Check for a SYN
@@ -5549,6 +5547,11 @@ step5:
         if (th->ack && tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
                 goto discard;
 
+        /* ts_recent update must be made after we are sure that the packet
+         * is in window.
+         */
+        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+
         tcp_rcv_rtt_measure_ts(sk, skb);
 
         /* Process urgent data. */
@@ -5646,6 +5649,7 @@ static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
                 tcp_rearm_rto(sk);
                 return true;
         }
+        tp->syn_data_acked = tp->syn_data;
         return false;
 }
 
@@ -5963,7 +5967,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 
         req = tp->fastopen_rsk;
         if (req != NULL) {
-                BUG_ON(sk->sk_state != TCP_SYN_RECV &&
+                WARN_ON_ONCE(sk->sk_state != TCP_SYN_RECV &&
                     sk->sk_state != TCP_FIN_WAIT1);
 
                 if (tcp_check_req(sk, skb, req, NULL, true) == NULL)
@@ -6052,7 +6056,15 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                          * ACK we have received, this would have acknowledged
                          * our SYNACK so stop the SYNACK timer.
                          */
-                        if (acceptable && req != NULL) {
+                        if (req != NULL) {
+                                /* Return RST if ack_seq is invalid.
+                                 * Note that RFC793 only says to generate a
+                                 * DUPACK for it but for TCP Fast Open it seems
+                                 * better to treat this case like TCP_SYN_RECV
+                                 * above.
+                                 */
+                                if (!acceptable)
+                                        return 1;
                                 /* We no longer need the request sock. */
                                 reqsk_fastopen_remove(sk, req, false);
                                 tcp_rearm_rto(sk);
@@ -6118,6 +6130,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
         } else
                 goto discard;
 
+        /* ts_recent update must be made after we are sure that the packet
+         * is in window.
+         */
+        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+
         /* step 6: check the URG bit */
         tcp_urg(sk, skb, th);
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index ef998b008a57..0c4a64355603 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1461,6 +1461,7 @@ static int tcp_v4_conn_req_fastopen(struct sock *sk,
                 skb_set_owner_r(skb, child);
                 __skb_queue_tail(&child->sk_receive_queue, skb);
                 tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
+                tp->syn_data_acked = 1;
         }
         sk->sk_data_ready(sk, 0);
         bh_unlock_sock(child);
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 4c752a6e0bcd..f696d7c2e9fa 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -1,7 +1,6 @@
 #include <linux/rcupdate.h>
 #include <linux/spinlock.h>
 #include <linux/jiffies.h>
-#include <linux/bootmem.h>
 #include <linux/module.h>
 #include <linux/cache.h>
 #include <linux/slab.h>
@@ -9,6 +8,7 @@
 #include <linux/tcp.h>
 #include <linux/hash.h>
 #include <linux/tcp_metrics.h>
+#include <linux/vmalloc.h>
 
 #include <net/inet_connection_sock.h>
 #include <net/net_namespace.h>
@@ -864,7 +864,7 @@ static int parse_nl_addr(struct genl_info *info, struct inetpeer_addr *addr,
         }
         a = info->attrs[TCP_METRICS_ATTR_ADDR_IPV6];
         if (a) {
-                if (nla_len(a) != sizeof(sizeof(struct in6_addr)))
+                if (nla_len(a) != sizeof(struct in6_addr))
                         return -EINVAL;
                 addr->family = AF_INET6;
                 memcpy(addr->addr.a6, nla_data(a), sizeof(addr->addr.a6));
@@ -1034,7 +1034,10 @@ static int __net_init tcp_net_metrics_init(struct net *net)
         net->ipv4.tcp_metrics_hash_log = order_base_2(slots);
         size = sizeof(struct tcpm_hash_bucket) << net->ipv4.tcp_metrics_hash_log;
 
-        net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL);
+        net->ipv4.tcp_metrics_hash = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+        if (!net->ipv4.tcp_metrics_hash)
+                net->ipv4.tcp_metrics_hash = vzalloc(size);
+
         if (!net->ipv4.tcp_metrics_hash)
                 return -ENOMEM;
 
@@ -1055,7 +1058,10 @@ static void __net_exit tcp_net_metrics_exit(struct net *net)
                         tm = next;
                 }
         }
-        kfree(net->ipv4.tcp_metrics_hash);
+        if (is_vmalloc_addr(net->ipv4.tcp_metrics_hash))
+                vfree(net->ipv4.tcp_metrics_hash);
+        else
+                kfree(net->ipv4.tcp_metrics_hash);
 }
 
 static __net_initdata struct pernet_operations tcp_net_metrics_ops = {
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 27536ba16c9d..a7302d974f32 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -510,6 +510,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
                 newtp->rx_opt.mss_clamp = req->mss;
                 TCP_ECN_openreq_child(newtp, req);
                 newtp->fastopen_rsk = NULL;
+                newtp->syn_data_acked = 0;
 
                 TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS);
         }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index cfe6ffe1c177..2798706cb063 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1986,6 +1986,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                 tso_segs = tcp_init_tso_segs(sk, skb, mss_now);
                 BUG_ON(!tso_segs);
 
+                if (unlikely(tp->repair) && tp->repair_queue == TCP_SEND_QUEUE)
+                        goto repair; /* Skip network transmission */
+
                 cwnd_quota = tcp_cwnd_test(tp, skb);
                 if (!cwnd_quota)
                         break;
@@ -2026,6 +2029,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                 if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
                         break;
 
+repair:
                 /* Advance the send_head.  This one is sent out.
                  * This call will increment packets_out.
                  */
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index fc04711e80c8..d47c1b4421a3 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -347,8 +347,8 @@ void tcp_retransmit_timer(struct sock *sk)
                 return;
         }
         if (tp->fastopen_rsk) {
-                BUG_ON(sk->sk_state != TCP_SYN_RECV &&
-                    sk->sk_state != TCP_FIN_WAIT1);
+                WARN_ON_ONCE(sk->sk_state != TCP_SYN_RECV &&
+                             sk->sk_state != TCP_FIN_WAIT1);
                 tcp_fastopen_synack_timer(sk);
                 /* Before we receive ACK to our SYN-ACK don't retransmit
                  * anything else (e.g., data or FIN segments).
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 05c5ab8d983c..3be0ac2c1920 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -279,19 +279,8 @@ static void __exit xfrm4_policy_fini(void)
         xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
 }
 
-void __init xfrm4_init(int rt_max_size)
+void __init xfrm4_init(void)
 {
-        /*
-         * Select a default value for the gc_thresh based on the main route
-         * table hash size.  It seems to me the worst case scenario is when
-         * we have ipsec operating in transport mode, in which we create a
-         * dst_entry per socket.  The xfrm gc algorithm starts trying to remove
-         * entries at gc_thresh, and prevents new allocations as 2*gc_thresh
-         * so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
-         * That will let us store an ipsec connection per route table entry,
-         * and start cleaning when were 1/2 full
-         */
-        xfrm4_dst_ops.gc_thresh = rt_max_size/2;
         dst_entries_init(&xfrm4_dst_ops);
 
         xfrm4_state_init();