14 files changed, 75 insertions, 40 deletions

diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 34e0ded5c14b..87891f5f57b5 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1459,7 +1459,7 @@ static int fib6_walk_continue(struct fib6_walker_t *w)
 
                                 if (w->skip) {
                                         w->skip--;
-                                        continue;
+                                        goto skip;
                                 }
 
                                 err = w->func(w);
@@ -1469,6 +1469,7 @@ static int fib6_walk_continue(struct fib6_walker_t *w)
                                 w->count++;
                                 continue;
                         }
+skip:
                         w->state = FWS_U;
                 case FWS_U:
                         if (fn == w->root)
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 59f95affceb0..b2f091566f88 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -196,7 +196,6 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
         unsigned int off;
         u16 flush = 1;
         int proto;
-        __wsum csum;
 
         off = skb_gro_offset(skb);
         hlen = off + sizeof(*iph);
@@ -264,13 +263,10 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
 
         NAPI_GRO_CB(skb)->flush |= flush;
 
-        csum = skb->csum;
-        skb_postpull_rcsum(skb, iph, skb_network_header_len(skb));
+        skb_gro_postpull_rcsum(skb, iph, nlen);
 
         pp = ops->callbacks.gro_receive(head, skb);
 
-        skb->csum = csum;
-
 out_unlock:
         rcu_read_unlock();
 
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 40e7581374f7..fbf11562b54c 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -344,12 +344,16 @@ static unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)
 
 static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
 {
-        if (skb->len <= mtu || skb->local_df)
+        if (skb->len <= mtu)
                 return false;
 
+        /* ipv6 conntrack defrag sets max_frag_size + local_df */
         if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)
                 return true;
 
+        if (skb->local_df)
+                return false;
+
         if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
                 return false;
 
@@ -1225,7 +1229,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                 unsigned int maxnonfragsize, headersize;
 
                 headersize = sizeof(struct ipv6hdr) +
-                             (opt ? opt->tot_len : 0) +
+                             (opt ? opt->opt_flen + opt->opt_nflen : 0) +
                              (dst_allfrag(&rt->dst) ?
                               sizeof(struct frag_hdr) : 0) +
                              rt->rt6i_nfheader_len;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index b05b609f69d1..f6a66bb4114d 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1557,7 +1557,7 @@ static int ip6_tnl_validate(struct nlattr *tb[], struct nlattr *data[])
 {
         u8 proto;
 
-        if (!data)
+        if (!data || !data[IFLA_IPTUN_PROTO])
                 return 0;
 
         proto = nla_get_u8(data[IFLA_IPTUN_PROTO]);
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index b7c0f827140b..6cc9f9371cc5 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -511,6 +511,7 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                     u8 type, u8 code, int offset, __be32 info)
 {
         __be32 spi;
+        __u32 mark;
         struct xfrm_state *x;
         struct ip6_tnl *t;
         struct ip_esp_hdr *esph;
@@ -524,6 +525,8 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
         if (!t)
                 return -1;
 
+        mark = be32_to_cpu(t->parms.o_key);
+
         switch (protocol) {
         case IPPROTO_ESP:
                 esph = (struct ip_esp_hdr *)(skb->data + offset);
@@ -545,7 +548,7 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
             type != NDISC_REDIRECT)
                 return 0;
 
-        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
                               spi, protocol, AF_INET6);
         if (!x)
                 return 0;
@@ -1097,7 +1100,6 @@ static int __init vti6_tunnel_init(void)
 
         err = xfrm6_protocol_register(&vti_esp6_protocol, IPPROTO_ESP);
         if (err < 0) {
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
@@ -1106,7 +1108,6 @@ static int __init vti6_tunnel_init(void)
         err = xfrm6_protocol_register(&vti_ah6_protocol, IPPROTO_AH);
         if (err < 0) {
                 xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
@@ -1116,7 +1117,6 @@ static int __init vti6_tunnel_init(void)
         if (err < 0) {
                 xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
                 xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 8659067da28e..8250474ab7dc 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1633,7 +1633,7 @@ struct sock *mroute6_socket(struct net *net, struct sk_buff *skb)
 {
         struct mr6_table *mrt;
         struct flowi6 fl6 = {
-                .flowi6_iif     = skb->skb_iif,
+                .flowi6_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                 .flowi6_oif     = skb->dev->ifindex,
                 .flowi6_mark    = skb->mark,
         };
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 09a22f4f36c9..ca8d4ea48a5d 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -851,7 +851,7 @@ out:
 static void ndisc_recv_na(struct sk_buff *skb)
 {
         struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
-        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
         const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
         u8 *lladdr = NULL;
         u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
@@ -944,10 +944,7 @@ static void ndisc_recv_na(struct sk_buff *skb)
                         /*
                          * Change: router to host
                          */
-                        struct rt6_info *rt;
-                        rt = rt6_get_dflt_router(saddr, dev);
-                        if (rt)
-                                ip6_del_rt(rt);
+                        rt6_clean_tohost(dev_net(dev),  saddr);
                 }
 
 out:
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 95f3f1da0d7f..d38e6a8d8b9f 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -30,13 +30,15 @@ int ip6_route_me_harder(struct sk_buff *skb)
                 .daddr = iph->daddr,
                 .saddr = iph->saddr,
         };
+        int err;
 
         dst = ip6_route_output(net, skb->sk, &fl6);
-        if (dst->error) {
+        err = dst->error;
+        if (err) {
                 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
                 LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
                 dst_release(dst);
-                return dst->error;
+                return err;
         }
 
         /* Drop old route. */
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index e0983f3648a6..790e0c6b19e1 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -33,6 +33,7 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
         struct ipv6hdr *iph = ipv6_hdr(skb);
         bool ret = false;
         struct flowi6 fl6 = {
+                .flowi6_iif = LOOPBACK_IFINDEX,
                 .flowlabel = (* (__be32 *) iph) & IPV6_FLOWINFO_MASK,
                 .flowi6_proto = iph->nexthdr,
                 .daddr = iph->saddr,
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 6313abd53c9d..56596ce390a1 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -12,7 +12,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
 {
         static atomic_t ipv6_fragmentation_id;
         struct in6_addr addr;
-        int old, new;
+        int ident;
 
 #if IS_ENABLED(CONFIG_IPV6)
         struct inet_peer *peer;
@@ -26,15 +26,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
                 return;
         }
 #endif
-        do {
-                old = atomic_read(&ipv6_fragmentation_id);
-                new = old + 1;
-                if (!new)
-                        new = 1;
-        } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
+        ident = atomic_inc_return(&ipv6_fragmentation_id);
 
         addr = rt->rt6i_dst.addr;
-        addr.s6_addr32[0] ^= (__force __be32)new;
+        addr.s6_addr32[0] ^= (__force __be32)ident;
         fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32));
 }
 EXPORT_SYMBOL(ipv6_select_ident);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 4011617cca68..6ebdb7b6744c 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1273,6 +1273,7 @@ void ip6_redirect(struct sk_buff *skb, struct net *net, int oif, u32 mark)
         struct flowi6 fl6;
 
         memset(&fl6, 0, sizeof(fl6));
+        fl6.flowi6_iif = LOOPBACK_IFINDEX;
         fl6.flowi6_oif = oif;
         fl6.flowi6_mark = mark;
         fl6.daddr = iph->daddr;
@@ -1294,6 +1295,7 @@ void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif,
         struct flowi6 fl6;
 
         memset(&fl6, 0, sizeof(fl6));
+        fl6.flowi6_iif = LOOPBACK_IFINDEX;
         fl6.flowi6_oif = oif;
         fl6.flowi6_mark = mark;
         fl6.daddr = msg->dest;
@@ -2232,6 +2234,27 @@ void rt6_remove_prefsrc(struct inet6_ifaddr *ifp)
         fib6_clean_all(net, fib6_remove_prefsrc, &adni);
 }
 
+#define RTF_RA_ROUTER           (RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY)
+#define RTF_CACHE_GATEWAY       (RTF_GATEWAY | RTF_CACHE)
+
+/* Remove routers and update dst entries when gateway turn into host. */
+static int fib6_clean_tohost(struct rt6_info *rt, void *arg)
+{
+        struct in6_addr *gateway = (struct in6_addr *)arg;
+
+        if ((((rt->rt6i_flags & RTF_RA_ROUTER) == RTF_RA_ROUTER) ||
+             ((rt->rt6i_flags & RTF_CACHE_GATEWAY) == RTF_CACHE_GATEWAY)) &&
+             ipv6_addr_equal(gateway, &rt->rt6i_gateway)) {
+                return -1;
+        }
+        return 0;
+}
+
+void rt6_clean_tohost(struct net *net, struct in6_addr *gateway)
+{
+        fib6_clean_all(net, fib6_clean_tohost, gateway);
+}
+
 struct arg_dev_net {
         struct net_device *dev;
         struct net *net;
@@ -2707,6 +2730,9 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh)
         if (tb[RTA_OIF])
                 oif = nla_get_u32(tb[RTA_OIF]);
 
+        if (tb[RTA_MARK])
+                fl6.flowi6_mark = nla_get_u32(tb[RTA_MARK]);
+
         if (iif) {
                 struct net_device *dev;
                 int flags = 0;
diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c
index 0d78132ff18a..8517d3cd1aed 100644
--- a/net/ipv6/tcpv6_offload.c
+++ b/net/ipv6/tcpv6_offload.c
@@ -42,7 +42,7 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
         if (NAPI_GRO_CB(skb)->flush)
                 goto skip_csum;
 
-        wsum = skb->csum;
+        wsum = NAPI_GRO_CB(skb)->csum;
 
         switch (skb->ip_summed) {
         case CHECKSUM_NONE:
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 19ef329bdbf8..b930d080c66f 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -114,12 +114,6 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
         if (err)
                 return err;
 
-        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
-#ifdef CONFIG_NETFILTER
-        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-#endif
-
-        skb->protocol = htons(ETH_P_IPV6);
         skb->local_df = 1;
 
         return x->outer_mode->output2(x, skb);
@@ -128,11 +122,13 @@ EXPORT_SYMBOL(xfrm6_prepare_output);
 
 int xfrm6_output_finish(struct sk_buff *skb)
 {
+        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+        skb->protocol = htons(ETH_P_IPV6);
+
 #ifdef CONFIG_NETFILTER
         IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
 #endif
 
-        skb->protocol = htons(ETH_P_IPV6);
         return xfrm_output(skb);
 }
 
@@ -142,6 +138,13 @@ static int __xfrm6_output(struct sk_buff *skb)
         struct xfrm_state *x = dst->xfrm;
         int mtu;
 
+#ifdef CONFIG_NETFILTER
+        if (!x) {
+                IP6CB(skb)->flags |= IP6SKB_REROUTED;
+                return dst_output(skb);
+        }
+#endif
+
         if (skb->protocol == htons(ETH_P_IPV6))
                 mtu = ip6_skb_dst_mtu(skb);
         else
@@ -165,6 +168,7 @@ static int __xfrm6_output(struct sk_buff *skb)
 
 int xfrm6_output(struct sock *sk, struct sk_buff *skb)
 {
-        return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
-                       skb_dst(skb)->dev, __xfrm6_output);
+        return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb,
+                            NULL, skb_dst(skb)->dev, __xfrm6_output,
+                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
diff --git a/net/ipv6/xfrm6_protocol.c b/net/ipv6/xfrm6_protocol.c
index 6ab989c486f7..54d13f8dbbae 100644
--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -50,6 +50,10 @@ int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err)
 {
         int ret;
         struct xfrm6_protocol *handler;
+        struct xfrm6_protocol __rcu **head = proto_handlers(protocol);
+
+        if (!head)
+                return 0;
 
         for_each_protocol_rcu(*proto_handlers(protocol), handler)
                 if ((ret = handler->cb_handler(skb, err)) <= 0)
@@ -184,10 +188,12 @@ int xfrm6_protocol_register(struct xfrm6_protocol *handler,
         struct xfrm6_protocol __rcu **pprev;
         struct xfrm6_protocol *t;
         bool add_netproto = false;
-
         int ret = -EEXIST;
         int priority = handler->priority;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm6_protocol_mutex);
 
         if (!rcu_dereference_protected(*proto_handlers(protocol),
@@ -230,6 +236,9 @@ int xfrm6_protocol_deregister(struct xfrm6_protocol *handler,
         struct xfrm6_protocol *t;
         int ret = -ENOENT;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm6_protocol_mutex);
 
         for (pprev = proto_handlers(protocol);