3 files changed, 27 insertions, 14 deletions

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index b7c0f827140b..6cc9f9371cc5 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -511,6 +511,7 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                     u8 type, u8 code, int offset, __be32 info)
 {
         __be32 spi;
+        __u32 mark;
         struct xfrm_state *x;
         struct ip6_tnl *t;
         struct ip_esp_hdr *esph;
@@ -524,6 +525,8 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
         if (!t)
                 return -1;
 
+        mark = be32_to_cpu(t->parms.o_key);
+
         switch (protocol) {
         case IPPROTO_ESP:
                 esph = (struct ip_esp_hdr *)(skb->data + offset);
@@ -545,7 +548,7 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
             type != NDISC_REDIRECT)
                 return 0;
 
-        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,
                               spi, protocol, AF_INET6);
         if (!x)
                 return 0;
@@ -1097,7 +1100,6 @@ static int __init vti6_tunnel_init(void)
 
         err = xfrm6_protocol_register(&vti_esp6_protocol, IPPROTO_ESP);
         if (err < 0) {
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
@@ -1106,7 +1108,6 @@ static int __init vti6_tunnel_init(void)
         err = xfrm6_protocol_register(&vti_ah6_protocol, IPPROTO_AH);
         if (err < 0) {
                 xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
@@ -1116,7 +1117,6 @@ static int __init vti6_tunnel_init(void)
         if (err < 0) {
                 xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
                 xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
-                unregister_pernet_device(&vti6_net_ops);
                 pr_err("%s: can't register vti6 protocol\n", __func__);
 
                 goto out;
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 19ef329bdbf8..b930d080c66f 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -114,12 +114,6 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
         if (err)
                 return err;
 
-        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
-#ifdef CONFIG_NETFILTER
-        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-#endif
-
-        skb->protocol = htons(ETH_P_IPV6);
         skb->local_df = 1;
 
         return x->outer_mode->output2(x, skb);
@@ -128,11 +122,13 @@ EXPORT_SYMBOL(xfrm6_prepare_output);
 
 int xfrm6_output_finish(struct sk_buff *skb)
 {
+        memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+        skb->protocol = htons(ETH_P_IPV6);
+
 #ifdef CONFIG_NETFILTER
         IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
 #endif
 
-        skb->protocol = htons(ETH_P_IPV6);
         return xfrm_output(skb);
 }
 
@@ -142,6 +138,13 @@ static int __xfrm6_output(struct sk_buff *skb)
         struct xfrm_state *x = dst->xfrm;
         int mtu;
 
+#ifdef CONFIG_NETFILTER
+        if (!x) {
+                IP6CB(skb)->flags |= IP6SKB_REROUTED;
+                return dst_output(skb);
+        }
+#endif
+
         if (skb->protocol == htons(ETH_P_IPV6))
                 mtu = ip6_skb_dst_mtu(skb);
         else
@@ -165,6 +168,7 @@ static int __xfrm6_output(struct sk_buff *skb)
 
 int xfrm6_output(struct sock *sk, struct sk_buff *skb)
 {
-        return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
-                       skb_dst(skb)->dev, __xfrm6_output);
+        return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb,
+                            NULL, skb_dst(skb)->dev, __xfrm6_output,
+                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
diff --git a/net/ipv6/xfrm6_protocol.c b/net/ipv6/xfrm6_protocol.c
index 6ab989c486f7..54d13f8dbbae 100644
--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -50,6 +50,10 @@ int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err)
 {
         int ret;
         struct xfrm6_protocol *handler;
+        struct xfrm6_protocol __rcu **head = proto_handlers(protocol);
+
+        if (!head)
+                return 0;
 
         for_each_protocol_rcu(*proto_handlers(protocol), handler)
                 if ((ret = handler->cb_handler(skb, err)) <= 0)
@@ -184,10 +188,12 @@ int xfrm6_protocol_register(struct xfrm6_protocol *handler,
         struct xfrm6_protocol __rcu **pprev;
         struct xfrm6_protocol *t;
         bool add_netproto = false;
-
         int ret = -EEXIST;
         int priority = handler->priority;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm6_protocol_mutex);
 
         if (!rcu_dereference_protected(*proto_handlers(protocol),
@@ -230,6 +236,9 @@ int xfrm6_protocol_deregister(struct xfrm6_protocol *handler,
         struct xfrm6_protocol *t;
         int ret = -ENOENT;
 
+        if (!proto_handlers(protocol) || !netproto(protocol))
+                return -EINVAL;
+
         mutex_lock(&xfrm6_protocol_mutex);
 
         for (pprev = proto_handlers(protocol);