5 files changed, 6 insertions, 19 deletions

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 7a7a00147e55..1bed0cdf53e3 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -52,7 +52,7 @@ __xfrm4_find_bundle(struct flowi *fl, struct xfrm_policy *policy)
                     xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&
                     xdst->u.rt.fl.fl4_src == fl->fl4_src &&
                     xdst->u.rt.fl.fl4_tos == fl->fl4_tos &&
-                    xfrm_bundle_ok(xdst, fl, AF_INET, 0)) {
+                    xfrm_bundle_ok(policy, xdst, fl, AF_INET, 0)) {
                         dst_clone(dst);
                         break;
                 }
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 6a252e2134d1..73cee2ec07e8 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -73,7 +73,7 @@ __xfrm6_find_bundle(struct flowi *fl, struct xfrm_policy *policy)
                                  xdst->u.rt6.rt6i_src.plen);
                 if (ipv6_addr_equal(&xdst->u.rt6.rt6i_dst.addr, &fl_dst_prefix) &&
                     ipv6_addr_equal(&xdst->u.rt6.rt6i_src.addr, &fl_src_prefix) &&
-                    xfrm_bundle_ok(xdst, fl, AF_INET6,
+                    xfrm_bundle_ok(policy, xdst, fl, AF_INET6,
                                    (xdst->u.rt6.rt6i_dst.plen != 128 ||
                                     xdst->u.rt6.rt6i_src.plen != 128))) {
                         dst_clone(dst);
diff --git a/net/key/af_key.c b/net/key/af_key.c
index ff98e70b0931..20ff7cca1d07 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2928,11 +2928,6 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
                 if (*dir)
                         goto out;
         }
-        else {
-                *dir = security_xfrm_sock_policy_alloc(xp, sk);
-                if (*dir)
-                        goto out;
-        }
 
         *dir = pol->sadb_x_policy_dir-1;
         return xp;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index fffdd34f3baf..695761ff1321 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1744,7 +1744,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 
 static int stale_bundle(struct dst_entry *dst)
 {
-        return !xfrm_bundle_ok((struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
+        return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
 }
 
 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -1866,7 +1866,8 @@ EXPORT_SYMBOL(xfrm_init_pmtu);
  * still valid.
  */
 
-int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family, int strict)
+int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
+                struct flowi *fl, int family, int strict)
 {
         struct dst_entry *dst = &first->u.dst;
         struct xfrm_dst *last;
@@ -1883,7 +1884,7 @@ int xfrm_bundle_ok(struct xfrm_dst *first, struct flowi *fl, int family, int str
 
                 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
                         return 0;
-                if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm))
+                if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol))
                         return 0;
                 if (dst->xfrm->km.state != XFRM_STATE_VALID)
                         return 0;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d54b3a70d5df..2b2e59d8ffbc 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1992,15 +1992,6 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
         xp->type = XFRM_POLICY_TYPE_MAIN;
         copy_templates(xp, ut, nr);
 
-        if (!xp->security) {
-                int err = security_xfrm_sock_policy_alloc(xp, sk);
-                if (err) {
-                        kfree(xp);
-                        *dir = err;
-                        return NULL;
-                }
-        }
-
         *dir = p->dir;
 
         return xp;