[NET]: Do not memcmp() over pad bytes of struct flowi.
[linux-2.6.git] / net / ipv4 / route.c
index d675ff8..925ee4d 100644 (file)
@@ -55,6 +55,8 @@
  *     Robert Olsson           :       Added rt_cache statistics
  *     Arnaldo C. Melo         :       Convert proc stuff to seq_file
  *     Eric Dumazet            :       hashed spinlocks and rt_check_expire() fixes.
+ *     Ilia Sotnikov           :       Ignore TOS on PMTUD and Redirect
+ *     Ilia Sotnikov           :       Removed TOS from hash calculations
  *
  *             This program is free software; you can redistribute it and/or
  *             modify it under the terms of the GNU General Public License
@@ -62,7 +64,6 @@
  *             2 of the License, or (at your option) any later version.
  */
 
-#include <linux/config.h>
 #include <linux/module.h>
 #include <asm/uaccess.h>
 #include <asm/system.h>
 #include <net/icmp.h>
 #include <net/xfrm.h>
 #include <net/ip_mp_alg.h>
+#include <net/netevent.h>
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
 #endif
@@ -204,21 +206,27 @@ __u8 ip_tos2prio[16] = {
 struct rt_hash_bucket {
        struct rtable   *chain;
 };
-#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
+#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK) || \
+       defined(CONFIG_PROVE_LOCKING)
 /*
  * Instead of using one spinlock for each rt_hash_bucket, we use a table of spinlocks
  * The size of this table is a power of two and depends on the number of CPUS.
+ * (on lockdep we have a quite big spinlock_t, so keep the size down there)
  */
-#if NR_CPUS >= 32
-#define RT_HASH_LOCK_SZ        4096
-#elif NR_CPUS >= 16
-#define RT_HASH_LOCK_SZ        2048
-#elif NR_CPUS >= 8
-#define RT_HASH_LOCK_SZ        1024
-#elif NR_CPUS >= 4
-#define RT_HASH_LOCK_SZ        512
+#ifdef CONFIG_LOCKDEP
+# define RT_HASH_LOCK_SZ       256
 #else
-#define RT_HASH_LOCK_SZ        256
+# if NR_CPUS >= 32
+#  define RT_HASH_LOCK_SZ      4096
+# elif NR_CPUS >= 16
+#  define RT_HASH_LOCK_SZ      2048
+# elif NR_CPUS >= 8
+#  define RT_HASH_LOCK_SZ      1024
+# elif NR_CPUS >= 4
+#  define RT_HASH_LOCK_SZ      512
+# else
+#  define RT_HASH_LOCK_SZ      256
+# endif
 #endif
 
 static spinlock_t      *rt_hash_locks;
@@ -240,17 +248,23 @@ static unsigned                   rt_hash_mask;
 static int                     rt_hash_log;
 static unsigned int            rt_hash_rnd;
 
-struct rt_cache_stat *rt_cache_stat;
+static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat);
+#define RT_CACHE_STAT_INC(field) \
+       (__raw_get_cpu_var(rt_cache_stat).field++)
 
 static int rt_intern_hash(unsigned hash, struct rtable *rth,
                                struct rtable **res);
 
-static unsigned int rt_hash_code(u32 daddr, u32 saddr, u8 tos)
+static unsigned int rt_hash_code(u32 daddr, u32 saddr)
 {
-       return (jhash_3words(daddr, saddr, (u32) tos, rt_hash_rnd)
+       return (jhash_2words(daddr, saddr, rt_hash_rnd)
                & rt_hash_mask);
 }
 
+#define rt_hash(daddr, saddr, idx) \
+       rt_hash_code((__force u32)(__be32)(daddr),\
+                    (__force u32)(__be32)(saddr) ^ ((idx) << 5))
+
 #ifdef CONFIG_PROC_FS
 struct rt_cache_iter_state {
        int bucket;
@@ -399,7 +413,7 @@ static void *rt_cpu_seq_start(struct seq_file *seq, loff_t *pos)
                if (!cpu_possible(cpu))
                        continue;
                *pos = cpu+1;
-               return per_cpu_ptr(rt_cache_stat, cpu);
+               return &per_cpu(rt_cache_stat, cpu);
        }
        return NULL;
 }
@@ -412,7 +426,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
                if (!cpu_possible(cpu))
                        continue;
                *pos = cpu+1;
-               return per_cpu_ptr(rt_cache_stat, cpu);
+               return &per_cpu(rt_cache_stat, cpu);
        }
        return NULL;
        
@@ -552,9 +566,15 @@ static inline u32 rt_score(struct rtable *rt)
 
 static inline int compare_keys(struct flowi *fl1, struct flowi *fl2)
 {
-       return memcmp(&fl1->nl_u.ip4_u, &fl2->nl_u.ip4_u, sizeof(fl1->nl_u.ip4_u)) == 0 &&
-              fl1->oif     == fl2->oif &&
-              fl1->iif     == fl2->iif;
+       return ((fl1->nl_u.ip4_u.daddr ^ fl2->nl_u.ip4_u.daddr) |
+               (fl1->nl_u.ip4_u.saddr ^ fl2->nl_u.ip4_u.saddr) |
+#ifdef CONFIG_IP_ROUTE_FWMARK
+               (fl1->nl_u.ip4_u.fwmark ^ fl2->nl_u.ip4_u.fwmark) |
+#endif
+               (*(u16 *)&fl1->nl_u.ip4_u.tos ^
+                *(u16 *)&fl2->nl_u.ip4_u.tos) |
+               (fl1->oif ^ fl2->oif) |
+               (fl1->iif ^ fl2->iif)) == 0;
 }
 
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
@@ -833,7 +853,7 @@ static int rt_garbage_collect(void)
                                        int r;
 
                                        rthp = rt_remove_balanced_route(
-                                               &rt_hash_table[i].chain,
+                                               &rt_hash_table[k].chain,
                                                rth,
                                                &r);
                                        goal -= r;
@@ -1064,7 +1084,7 @@ static void ip_select_fb_ident(struct iphdr *iph)
        u32 salt;
 
        spin_lock_bh(&ip_fb_id_lock);
-       salt = secure_ip_id(ip_fallback_id ^ iph->daddr);
+       salt = secure_ip_id((__force __be32)ip_fallback_id ^ iph->daddr);
        iph->id = htons(salt & 0xFFFF);
        ip_fallback_id = salt;
        spin_unlock_bh(&ip_fb_id_lock);
@@ -1108,16 +1128,15 @@ static void rt_del(unsigned hash, struct rtable *rt)
        spin_unlock_bh(rt_hash_lock_addr(hash));
 }
 
-void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
-                   u32 saddr, u8 tos, struct net_device *dev)
+void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
+                   __be32 saddr, struct net_device *dev)
 {
        int i, k;
        struct in_device *in_dev = in_dev_get(dev);
        struct rtable *rth, **rthp;
-       u32  skeys[2] = { saddr, 0 };
+       __be32  skeys[2] = { saddr, 0 };
        int  ikeys[2] = { dev->ifindex, 0 };
-
-       tos &= IPTOS_RT_MASK;
+       struct netevent_redirect netevent;
 
        if (!in_dev)
                return;
@@ -1138,9 +1157,7 @@ void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
 
        for (i = 0; i < 2; i++) {
                for (k = 0; k < 2; k++) {
-                       unsigned hash = rt_hash_code(daddr,
-                                                    skeys[i] ^ (ikeys[k] << 5),
-                                                    tos);
+                       unsigned hash = rt_hash(daddr, skeys[i], ikeys[k]);
 
                        rthp=&rt_hash_table[hash].chain;
 
@@ -1150,7 +1167,6 @@ void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
 
                                if (rth->fl.fl4_dst != daddr ||
                                    rth->fl.fl4_src != skeys[i] ||
-                                   rth->fl.fl4_tos != tos ||
                                    rth->fl.oif != ikeys[k] ||
                                    rth->fl.iif != 0) {
                                        rthp = &rth->u.rt_next;
@@ -1211,6 +1227,11 @@ void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
                                        rt_drop(rt);
                                        goto do_next;
                                }
+                               
+                               netevent.old = &rth->u.dst;
+                               netevent.new = &rt->u.dst;
+                               call_netevent_notifiers(NETEVENT_REDIRECT, 
+                                                       &netevent);
 
                                rt_del(hash, rth);
                                if (!rt_intern_hash(hash, rt, &rt))
@@ -1230,10 +1251,9 @@ reject_redirect:
        if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit())
                printk(KERN_INFO "Redirect from %u.%u.%u.%u on %s about "
                        "%u.%u.%u.%u ignored.\n"
-                       "  Advised path = %u.%u.%u.%u -> %u.%u.%u.%u, "
-                       "tos %02x\n",
+                       "  Advised path = %u.%u.%u.%u -> %u.%u.%u.%u\n",
                       NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw),
-                      NIPQUAD(saddr), NIPQUAD(daddr), tos);
+                      NIPQUAD(saddr), NIPQUAD(daddr));
 #endif
        in_dev_put(in_dev);
 }
@@ -1249,10 +1269,8 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)
                        ret = NULL;
                } else if ((rt->rt_flags & RTCF_REDIRECTED) ||
                           rt->u.dst.expires) {
-                       unsigned hash = rt_hash_code(rt->fl.fl4_dst,
-                                                    rt->fl.fl4_src ^
-                                                       (rt->fl.oif << 5),
-                                                    rt->fl.fl4_tos);
+                       unsigned hash = rt_hash(rt->fl.fl4_dst, rt->fl.fl4_src,
+                                               rt->fl.oif);
 #if RT_CACHE_DEBUG >= 1
                        printk(KERN_DEBUG "ip_rt_advice: redirect to "
                                          "%u.%u.%u.%u/%02x dropped\n",
@@ -1369,7 +1387,7 @@ out:      kfree_skb(skb);
  *     are needed for AMPRnet AX.25 paths.
  */
 
-static unsigned short mtu_plateau[] =
+static const unsigned short mtu_plateau[] =
 {32000, 17914, 8166, 4352, 2002, 1492, 576, 296, 216, 128 };
 
 static __inline__ unsigned short guess_mtu(unsigned short old_mtu)
@@ -1387,16 +1405,15 @@ unsigned short ip_rt_frag_needed(struct iphdr *iph, unsigned short new_mtu)
        int i;
        unsigned short old_mtu = ntohs(iph->tot_len);
        struct rtable *rth;
-       u32  skeys[2] = { iph->saddr, 0, };
-       u32  daddr = iph->daddr;
-       u8   tos = iph->tos & IPTOS_RT_MASK;
+       __be32  skeys[2] = { iph->saddr, 0, };
+       __be32  daddr = iph->daddr;
        unsigned short est_mtu = 0;
 
        if (ipv4_config.no_pmtu_disc)
                return 0;
 
        for (i = 0; i < 2; i++) {
-               unsigned hash = rt_hash_code(daddr, skeys[i], tos);
+               unsigned hash = rt_hash(daddr, skeys[i], 0);
 
                rcu_read_lock();
                for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
@@ -1405,7 +1422,6 @@ unsigned short ip_rt_frag_needed(struct iphdr *iph, unsigned short new_mtu)
                            rth->fl.fl4_src == skeys[i] &&
                            rth->rt_dst  == daddr &&
                            rth->rt_src  == iph->saddr &&
-                           rth->fl.fl4_tos == tos &&
                            rth->fl.iif == 0 &&
                            !(dst_metric_locked(&rth->u.dst, RTAX_MTU))) {
                                unsigned short mtu = new_mtu;
@@ -1451,6 +1467,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
                }
                dst->metrics[RTAX_MTU-1] = mtu;
                dst_set_expires(dst, ip_rt_mtu_expires);
+               call_netevent_notifiers(NETEVENT_PMTU_UPDATE, dst);
        }
 }
 
@@ -1521,7 +1538,7 @@ static int ip_rt_bug(struct sk_buff *skb)
 
 void ip_rt_get_source(u8 *addr, struct rtable *rt)
 {
-       u32 src;
+       __be32 src;
        struct fib_result res;
 
        if (rt->fl.iif == 0)
@@ -1587,12 +1604,12 @@ static void rt_set_nexthop(struct rtable *rt, struct fib_result *res, u32 itag)
         rt->rt_type = res->type;
 }
 
-static int ip_route_input_mc(struct sk_buff *skb, u32 daddr, u32 saddr,
+static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                                u8 tos, struct net_device *dev, int our)
 {
        unsigned hash;
        struct rtable *rth;
-       u32 spec_dst;
+       __be32 spec_dst;
        struct in_device *in_dev = in_dev_get(dev);
        u32 itag = 0;
 
@@ -1656,7 +1673,7 @@ static int ip_route_input_mc(struct sk_buff *skb, u32 daddr, u32 saddr,
        RT_CACHE_STAT_INC(in_slow_mc);
 
        in_dev_put(in_dev);
-       hash = rt_hash_code(daddr, saddr ^ (dev->ifindex << 5), tos);
+       hash = rt_hash(daddr, saddr, dev->ifindex);
        return rt_intern_hash(hash, rth, (struct rtable**) &skb->dst);
 
 e_nobufs:
@@ -1672,8 +1689,8 @@ e_inval:
 static void ip_handle_martian_source(struct net_device *dev,
                                     struct in_device *in_dev,
                                     struct sk_buff *skb,
-                                    u32 daddr,
-                                    u32 saddr) 
+                                    __be32 daddr,
+                                    __be32 saddr)
 {
        RT_CACHE_STAT_INC(in_martian_src);
 #ifdef CONFIG_IP_ROUTE_VERBOSE
@@ -1703,7 +1720,7 @@ static void ip_handle_martian_source(struct net_device *dev,
 static inline int __mkroute_input(struct sk_buff *skb, 
                                  struct fib_result* res, 
                                  struct in_device *in_dev, 
-                                 u32 daddr, u32 saddr, u32 tos, 
+                                 __be32 daddr, __be32 saddr, u32 tos,
                                  struct rtable **result) 
 {
 
@@ -1711,7 +1728,8 @@ static inline int __mkroute_input(struct sk_buff *skb,
        int err;
        struct in_device *out_dev;
        unsigned flags = 0;
-       u32 spec_dst, itag;
+       __be32 spec_dst;
+       u32 itag;
 
        /* get a working reference to the output device */
        out_dev = in_dev_get(FIB_RES_DEV(*res));
@@ -1758,6 +1776,7 @@ static inline int __mkroute_input(struct sk_buff *skb,
                goto cleanup;
        }
 
+       atomic_set(&rth->u.dst.__refcnt, 1);
        rth->u.dst.flags= DST_HOST;
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
        if (res->fi->fib_nhs > 1)
@@ -1803,7 +1822,7 @@ static inline int ip_mkroute_input_def(struct sk_buff *skb,
                                       struct fib_result* res, 
                                       const struct flowi *fl,
                                       struct in_device *in_dev,
-                                      u32 daddr, u32 saddr, u32 tos)
+                                      __be32 daddr, __be32 saddr, u32 tos)
 {
        struct rtable* rth = NULL;
        int err;
@@ -1818,10 +1837,9 @@ static inline int ip_mkroute_input_def(struct sk_buff *skb,
        err = __mkroute_input(skb, res, in_dev, daddr, saddr, tos, &rth);
        if (err)
                return err;
-       atomic_set(&rth->u.dst.__refcnt, 1);
 
        /* put it into the cache */
-       hash = rt_hash_code(daddr, saddr ^ (fl->iif << 5), tos);
+       hash = rt_hash(daddr, saddr, fl->iif);
        return rt_intern_hash(hash, rth, (struct rtable**)&skb->dst);   
 }
 
@@ -1829,11 +1847,11 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
                                   struct fib_result* res, 
                                   const struct flowi *fl,
                                   struct in_device *in_dev,
-                                  u32 daddr, u32 saddr, u32 tos)
+                                  __be32 daddr, __be32 saddr, u32 tos)
 {
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
-       struct rtable* rth = NULL;
-       unsigned char hop, hopcount, lasthop;
+       struct rtable* rth = NULL, *rtres;
+       unsigned char hop, hopcount;
        int err = -EINVAL;
        unsigned int hash;
 
@@ -1842,8 +1860,6 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
        else
                hopcount = 1;
 
-       lasthop = hopcount - 1;
-
        /* distinguish between multipath and singlepath */
        if (hopcount < 2)
                return ip_mkroute_input_def(skb, res, fl, in_dev, daddr,
@@ -1853,6 +1869,10 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
        for (hop = 0; hop < hopcount; hop++) {
                res->nh_sel = hop;
 
+               /* put reference to previous result */
+               if (hop)
+                       ip_rt_put(rtres);
+
                /* create a routing cache entry */
                err = __mkroute_input(skb, res, in_dev, daddr, saddr, tos,
                                      &rth);
@@ -1860,8 +1880,8 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
                        return err;
 
                /* put it into the cache */
-               hash = rt_hash_code(daddr, saddr ^ (fl->iif << 5), tos);
-               err = rt_intern_hash(hash, rth, (struct rtable**)&skb->dst);
+               hash = rt_hash(daddr, saddr, fl->iif);
+               err = rt_intern_hash(hash, rth, &rtres);
                if (err)
                        return err;
 
@@ -1871,13 +1891,8 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
                                     FIB_RES_NETMASK(*res),
                                     res->prefixlen,
                                     &FIB_RES_NH(*res));
-
-               /* only for the last hop the reference count is handled
-                * outside
-                */
-               if (hop == lasthop)
-                       atomic_set(&(skb->dst->__refcnt), 1);
        }
+       skb->dst = &rtres->u.dst;
        return err;
 #else /* CONFIG_IP_ROUTE_MULTIPATH_CACHED  */
        return ip_mkroute_input_def(skb, res, fl, in_dev, daddr, saddr, tos);
@@ -1895,7 +1910,7 @@ static inline int ip_mkroute_input(struct sk_buff *skb,
  *     2. IP spoofing attempts are filtered with 100% of guarantee.
  */
 
-static int ip_route_input_slow(struct sk_buff *skb, u32 daddr, u32 saddr,
+static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                               u8 tos, struct net_device *dev)
 {
        struct fib_result res;
@@ -1914,7 +1929,7 @@ static int ip_route_input_slow(struct sk_buff *skb, u32 daddr, u32 saddr,
        u32             itag = 0;
        struct rtable * rth;
        unsigned        hash;
-       u32             spec_dst;
+       __be32          spec_dst;
        int             err = -EINVAL;
        int             free_res = 0;
 
@@ -1930,7 +1945,7 @@ static int ip_route_input_slow(struct sk_buff *skb, u32 daddr, u32 saddr,
        if (MULTICAST(saddr) || BADCLASS(saddr) || LOOPBACK(saddr))
                goto martian_source;
 
-       if (daddr == 0xFFFFFFFF || (saddr == 0 && daddr == 0))
+       if (daddr == htonl(0xFFFFFFFF) || (saddr == 0 && daddr == 0))
                goto brd_input;
 
        /* Accept zero addresses only to limited broadcast;
@@ -2042,7 +2057,7 @@ local_input:
                rth->rt_flags   &= ~RTCF_LOCAL;
        }
        rth->rt_type    = res.type;
-       hash = rt_hash_code(daddr, saddr ^ (fl.iif << 5), tos);
+       hash = rt_hash(daddr, saddr, fl.iif);
        err = rt_intern_hash(hash, rth, (struct rtable**)&skb->dst);
        goto done;
 
@@ -2081,7 +2096,7 @@ martian_source:
        goto e_inval;
 }
 
-int ip_route_input(struct sk_buff *skb, u32 daddr, u32 saddr,
+int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                   u8 tos, struct net_device *dev)
 {
        struct rtable * rth;
@@ -2089,7 +2104,7 @@ int ip_route_input(struct sk_buff *skb, u32 daddr, u32 saddr,
        int iif = dev->ifindex;
 
        tos &= IPTOS_RT_MASK;
-       hash = rt_hash_code(daddr, saddr ^ (iif << 5), tos);
+       hash = rt_hash(daddr, saddr, iif);
 
        rcu_read_lock();
        for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
@@ -2129,7 +2144,7 @@ int ip_route_input(struct sk_buff *skb, u32 daddr, u32 saddr,
                struct in_device *in_dev;
 
                rcu_read_lock();
-               if ((in_dev = __in_dev_get(dev)) != NULL) {
+               if ((in_dev = __in_dev_get_rcu(dev)) != NULL) {
                        int our = ip_check_mc(in_dev, daddr, saddr,
                                skb->nh.iph->protocol);
                        if (our
@@ -2163,7 +2178,7 @@ static inline int __mkroute_output(struct rtable **result,
        if (LOOPBACK(fl->fl4_src) && !(dev_out->flags&IFF_LOOPBACK))
                return -EINVAL;
 
-       if (fl->fl4_dst == 0xFFFFFFFF)
+       if (fl->fl4_dst == htonl(0xFFFFFFFF))
                res->type = RTN_BROADCAST;
        else if (MULTICAST(fl->fl4_dst))
                res->type = RTN_MULTICAST;
@@ -2206,6 +2221,7 @@ static inline int __mkroute_output(struct rtable **result,
                goto cleanup;
        }               
 
+       atomic_set(&rth->u.dst.__refcnt, 1);
        rth->u.dst.flags= DST_HOST;
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
        if (res->fi) {
@@ -2286,12 +2302,7 @@ static inline int ip_mkroute_output_def(struct rtable **rp,
        int err = __mkroute_output(&rth, res, fl, oldflp, dev_out, flags);
        unsigned hash;
        if (err == 0) {
-               u32 tos = RT_FL_TOS(oldflp);
-
-               atomic_set(&rth->u.dst.__refcnt, 1);
-               
-               hash = rt_hash_code(oldflp->fl4_dst, 
-                                   oldflp->fl4_src ^ (oldflp->oif << 5), tos);
+               hash = rt_hash(oldflp->fl4_dst, oldflp->fl4_src, oldflp->oif);
                err = rt_intern_hash(hash, rth, rp);
        }
        
@@ -2306,7 +2317,6 @@ static inline int ip_mkroute_output(struct rtable** rp,
                                    unsigned flags)
 {
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
-       u32 tos = RT_FL_TOS(oldflp);
        unsigned char hop;
        unsigned hash;
        int err = -EINVAL;
@@ -2324,15 +2334,18 @@ static inline int ip_mkroute_output(struct rtable** rp,
                        dev2nexthop = FIB_RES_DEV(*res);
                        dev_hold(dev2nexthop);
 
+                       /* put reference to previous result */
+                       if (hop)
+                               ip_rt_put(*rp);
+
                        err = __mkroute_output(&rth, res, fl, oldflp,
                                               dev2nexthop, flags);
 
                        if (err != 0)
                                goto cleanup;
 
-                       hash = rt_hash_code(oldflp->fl4_dst, 
-                                           oldflp->fl4_src ^
-                                           (oldflp->oif << 5), tos);
+                       hash = rt_hash(oldflp->fl4_dst, oldflp->fl4_src,
+                                       oldflp->oif);
                        err = rt_intern_hash(hash, rth, rp);
 
                        /* forward hop information to multipath impl. */
@@ -2348,7 +2361,6 @@ static inline int ip_mkroute_output(struct rtable** rp,
                        if (err != 0)
                                return err;
                }
-               atomic_set(&(*rp)->u.dst.__refcnt, 1);
                return err;
        } else {
                return ip_mkroute_output_def(rp, res, fl, oldflp, dev_out,
@@ -2412,7 +2424,7 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
                 */
 
                if (oldflp->oif == 0
-                   && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == 0xFFFFFFFF)) {
+                   && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) {
                        /* Special hack: user can direct multicasts
                           and limited broadcast via necessary interface
                           without fiddling with IP_MULTICAST_IF or IP_PKTINFO.
@@ -2442,12 +2454,14 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
                err = -ENODEV;
                if (dev_out == NULL)
                        goto out;
-               if (__in_dev_get(dev_out) == NULL) {
+
+               /* RACE: Check return value of inet_select_addr instead. */
+               if (__in_dev_get_rtnl(dev_out) == NULL) {
                        dev_put(dev_out);
                        goto out;       /* Wrong error code */
                }
 
-               if (LOCAL_MCAST(oldflp->fl4_dst) || oldflp->fl4_dst == 0xFFFFFFFF) {
+               if (LOCAL_MCAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF)) {
                        if (!fl.fl4_src)
                                fl.fl4_src = inet_select_addr(dev_out, 0,
                                                              RT_SCOPE_LINK);
@@ -2560,7 +2574,7 @@ int __ip_route_output_key(struct rtable **rp, const struct flowi *flp)
        unsigned hash;
        struct rtable *rth;
 
-       hash = rt_hash_code(flp->fl4_dst, flp->fl4_src ^ (flp->oif << 5), flp->fl4_tos);
+       hash = rt_hash(flp->fl4_dst, flp->fl4_src, flp->oif);
 
        rcu_read_lock_bh();
        for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
@@ -2600,6 +2614,8 @@ int __ip_route_output_key(struct rtable **rp, const struct flowi *flp)
        return ip_route_output_slow(rp, flp);
 }
 
+EXPORT_SYMBOL_GPL(__ip_route_output_key);
+
 int ip_route_output_flow(struct rtable **rp, struct flowi *flp, struct sock *sk, int flags)
 {
        int err;
@@ -2618,6 +2634,8 @@ int ip_route_output_flow(struct rtable **rp, struct flowi *flp, struct sock *sk,
        return 0;
 }
 
+EXPORT_SYMBOL_GPL(ip_route_output_flow);
+
 int ip_route_output_key(struct rtable **rp, struct flowi *flp)
 {
        return ip_route_output_flow(rp, flp, NULL, 0);
@@ -2628,51 +2646,54 @@ static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
 {
        struct rtable *rt = (struct rtable*)skb->dst;
        struct rtmsg *r;
-       struct nlmsghdr  *nlh;
-       unsigned char    *b = skb->tail;
+       struct nlmsghdr *nlh;
        struct rta_cacheinfo ci;
-#ifdef CONFIG_IP_MROUTE
-       struct rtattr *eptr;
-#endif
-       nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*r), flags);
-       r = NLMSG_DATA(nlh);
+
+       nlh = nlmsg_put(skb, pid, seq, event, sizeof(*r), flags);
+       if (nlh == NULL)
+               return -ENOBUFS;
+
+       r = nlmsg_data(nlh);
        r->rtm_family    = AF_INET;
        r->rtm_dst_len  = 32;
        r->rtm_src_len  = 0;
        r->rtm_tos      = rt->fl.fl4_tos;
        r->rtm_table    = RT_TABLE_MAIN;
+       NLA_PUT_U32(skb, RTA_TABLE, RT_TABLE_MAIN);
        r->rtm_type     = rt->rt_type;
        r->rtm_scope    = RT_SCOPE_UNIVERSE;
        r->rtm_protocol = RTPROT_UNSPEC;
        r->rtm_flags    = (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
        if (rt->rt_flags & RTCF_NOTIFY)
                r->rtm_flags |= RTM_F_NOTIFY;
-       RTA_PUT(skb, RTA_DST, 4, &rt->rt_dst);
+
+       NLA_PUT_BE32(skb, RTA_DST, rt->rt_dst);
+
        if (rt->fl.fl4_src) {
                r->rtm_src_len = 32;
-               RTA_PUT(skb, RTA_SRC, 4, &rt->fl.fl4_src);
+               NLA_PUT_BE32(skb, RTA_SRC, rt->fl.fl4_src);
        }
        if (rt->u.dst.dev)
-               RTA_PUT(skb, RTA_OIF, sizeof(int), &rt->u.dst.dev->ifindex);
+               NLA_PUT_U32(skb, RTA_OIF, rt->u.dst.dev->ifindex);
 #ifdef CONFIG_NET_CLS_ROUTE
        if (rt->u.dst.tclassid)
-               RTA_PUT(skb, RTA_FLOW, 4, &rt->u.dst.tclassid);
+               NLA_PUT_U32(skb, RTA_FLOW, rt->u.dst.tclassid);
 #endif
 #ifdef CONFIG_IP_ROUTE_MULTIPATH_CACHED
-       if (rt->rt_multipath_alg != IP_MP_ALG_NONE) {
-               __u32 alg = rt->rt_multipath_alg;
-
-               RTA_PUT(skb, RTA_MP_ALGO, 4, &alg);
-       }
+       if (rt->rt_multipath_alg != IP_MP_ALG_NONE)
+               NLA_PUT_U32(skb, RTA_MP_ALGO, rt->rt_multipath_alg);
 #endif
        if (rt->fl.iif)
-               RTA_PUT(skb, RTA_PREFSRC, 4, &rt->rt_spec_dst);
+               NLA_PUT_BE32(skb, RTA_PREFSRC, rt->rt_spec_dst);
        else if (rt->rt_src != rt->fl.fl4_src)
-               RTA_PUT(skb, RTA_PREFSRC, 4, &rt->rt_src);
+               NLA_PUT_BE32(skb, RTA_PREFSRC, rt->rt_src);
+
        if (rt->rt_dst != rt->rt_gateway)
-               RTA_PUT(skb, RTA_GATEWAY, 4, &rt->rt_gateway);
+               NLA_PUT_BE32(skb, RTA_GATEWAY, rt->rt_gateway);
+
        if (rtnetlink_put_metrics(skb, rt->u.dst.metrics) < 0)
-               goto rtattr_failure;
+               goto nla_put_failure;
+
        ci.rta_lastuse  = jiffies_to_clock_t(jiffies - rt->u.dst.lastuse);
        ci.rta_used     = rt->u.dst.__use;
        ci.rta_clntref  = atomic_read(&rt->u.dst.__refcnt);
@@ -2689,13 +2710,10 @@ static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                        ci.rta_tsage = xtime.tv_sec - rt->peer->tcp_ts_stamp;
                }
        }
-#ifdef CONFIG_IP_MROUTE
-       eptr = (struct rtattr*)skb->tail;
-#endif
-       RTA_PUT(skb, RTA_CACHEINFO, sizeof(ci), &ci);
+
        if (rt->fl.iif) {
 #ifdef CONFIG_IP_MROUTE
-               u32 dst = rt->rt_dst;
+               __be32 dst = rt->rt_dst;
 
                if (MULTICAST(dst) && !LOCAL_MCAST(dst) &&
                    ipv4_devconf.mc_forwarding) {
@@ -2704,104 +2722,113 @@ static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                                if (!nowait) {
                                        if (err == 0)
                                                return 0;
-                                       goto nlmsg_failure;
+                                       goto nla_put_failure;
                                } else {
                                        if (err == -EMSGSIZE)
-                                               goto nlmsg_failure;
-                                       ((struct rta_cacheinfo*)RTA_DATA(eptr))->rta_error = err;
+                                               goto nla_put_failure;
+                                       ci.rta_error = err;
                                }
                        }
                } else
 #endif
-                       RTA_PUT(skb, RTA_IIF, sizeof(int), &rt->fl.iif);
+                       NLA_PUT_U32(skb, RTA_IIF, rt->fl.iif);
        }
 
-       nlh->nlmsg_len = skb->tail - b;
-       return skb->len;
+       NLA_PUT(skb, RTA_CACHEINFO, sizeof(ci), &ci);
 
-nlmsg_failure:
-rtattr_failure:
-       skb_trim(skb, b - skb->data);
-       return -1;
+       return nlmsg_end(skb, nlh);
+
+nla_put_failure:
+       return nlmsg_cancel(skb, nlh);
 }
 
 int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg)
 {
-       struct rtattr **rta = arg;
-       struct rtmsg *rtm = NLMSG_DATA(nlh);
+       struct rtmsg *rtm;
+       struct nlattr *tb[RTA_MAX+1];
        struct rtable *rt = NULL;
-       u32 dst = 0;
-       u32 src = 0;
-       int iif = 0;
-       int err = -ENOBUFS;
+       __be32 dst = 0;
+       __be32 src = 0;
+       u32 iif;
+       int err;
        struct sk_buff *skb;
 
+       err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy);
+       if (err < 0)
+               goto errout;
+
+       rtm = nlmsg_data(nlh);
+
        skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
-       if (!skb)
-               goto out;
+       if (skb == NULL) {
+               err = -ENOBUFS;
+               goto errout;
+       }
 
        /* Reserve room for dummy headers, this skb can pass
           through good chunk of routing engine.
         */
-       skb->mac.raw = skb->data;
+       skb->mac.raw = skb->nh.raw = skb->data;
+
+       /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
+       skb->nh.iph->protocol = IPPROTO_ICMP;
        skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
 
-       if (rta[RTA_SRC - 1])
-               memcpy(&src, RTA_DATA(rta[RTA_SRC - 1]), 4);
-       if (rta[RTA_DST - 1])
-               memcpy(&dst, RTA_DATA(rta[RTA_DST - 1]), 4);
-       if (rta[RTA_IIF - 1])
-               memcpy(&iif, RTA_DATA(rta[RTA_IIF - 1]), sizeof(int));
+       src = tb[RTA_SRC] ? nla_get_be32(tb[RTA_SRC]) : 0;
+       dst = tb[RTA_DST] ? nla_get_be32(tb[RTA_DST]) : 0;
+       iif = tb[RTA_IIF] ? nla_get_u32(tb[RTA_IIF]) : 0;
 
        if (iif) {
-               struct net_device *dev = __dev_get_by_index(iif);
-               err = -ENODEV;
-               if (!dev)
-                       goto out_free;
+               struct net_device *dev;
+
+               dev = __dev_get_by_index(iif);
+               if (dev == NULL) {
+                       err = -ENODEV;
+                       goto errout_free;
+               }
+
                skb->protocol   = htons(ETH_P_IP);
                skb->dev        = dev;
                local_bh_disable();
                err = ip_route_input(skb, dst, src, rtm->rtm_tos, dev);
                local_bh_enable();
-               rt = (struct rtable*)skb->dst;
-               if (!err && rt->u.dst.error)
+
+               rt = (struct rtable*) skb->dst;
+               if (err == 0 && rt->u.dst.error)
                        err = -rt->u.dst.error;
        } else {
-               struct flowi fl = { .nl_u = { .ip4_u = { .daddr = dst,
-                                                        .saddr = src,
-                                                        .tos = rtm->rtm_tos } } };
-               int oif = 0;
-               if (rta[RTA_OIF - 1])
-                       memcpy(&oif, RTA_DATA(rta[RTA_OIF - 1]), sizeof(int));
-               fl.oif = oif;
+               struct flowi fl = {
+                       .nl_u = {
+                               .ip4_u = {
+                                       .daddr = dst,
+                                       .saddr = src,
+                                       .tos = rtm->rtm_tos,
+                               },
+                       },
+                       .oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0,
+               };
                err = ip_route_output_key(&rt, &fl);
        }
+
        if (err)
-               goto out_free;
+               goto errout_free;
 
        skb->dst = &rt->u.dst;
        if (rtm->rtm_flags & RTM_F_NOTIFY)
                rt->rt_flags |= RTCF_NOTIFY;
 
-       NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
-
        err = rt_fill_info(skb, NETLINK_CB(in_skb).pid, nlh->nlmsg_seq,
                                RTM_NEWROUTE, 0, 0);
-       if (!err)
-               goto out_free;
-       if (err < 0) {
-               err = -EMSGSIZE;
-               goto out_free;
-       }
+       if (err <= 0)
+               goto errout_free;
 
-       err = netlink_unicast(rtnl, skb, NETLINK_CB(in_skb).pid, MSG_DONTWAIT);
-       if (err > 0)
-               err = 0;
-out:   return err;
+       err = rtnl_unicast(skb, NETLINK_CB(in_skb).pid);
+errout:
+       return err;
 
-out_free:
+errout_free:
        kfree_skb(skb);
-       goto out;
+       goto errout;
 }
 
 int ip_rt_dump(struct sk_buff *skb,  struct netlink_callback *cb)
@@ -3085,7 +3112,7 @@ static int ip_rt_acct_read(char *buffer, char **start, off_t offset,
                memcpy(dst, src, length);
 
                /* Add the other cpus in, one int at a time */
-               for_each_cpu(i) {
+               for_each_possible_cpu(i) {
                        unsigned int j;
 
                        src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset;
@@ -3129,22 +3156,17 @@ int __init ip_rt_init(void)
        }
 #endif
 
-       ipv4_dst_ops.kmem_cachep = kmem_cache_create("ip_dst_cache",
-                                                    sizeof(struct rtable),
-                                                    0, SLAB_HWCACHE_ALIGN,
-                                                    NULL, NULL);
-
-       if (!ipv4_dst_ops.kmem_cachep)
-               panic("IP: failed to allocate ip_dst_cache\n");
+       ipv4_dst_ops.kmem_cachep =
+               kmem_cache_create("ip_dst_cache", sizeof(struct rtable), 0,
+                                 SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL, NULL);
 
        rt_hash_table = (struct rt_hash_bucket *)
                alloc_large_system_hash("IP route cache",
                                        sizeof(struct rt_hash_bucket),
                                        rhash_entries,
                                        (num_physpages >= 128 * 1024) ?
-                                               (27 - PAGE_SHIFT) :
-                                               (29 - PAGE_SHIFT),
-                                       HASH_HIGHMEM,
+                                       15 : 17,
+                                       0,
                                        &rt_hash_log,
                                        &rt_hash_mask,
                                        0);
@@ -3154,10 +3176,6 @@ int __init ip_rt_init(void)
        ipv4_dst_ops.gc_thresh = (rt_hash_mask + 1);
        ip_rt_max_size = (rt_hash_mask + 1) * 16;
 
-       rt_cache_stat = alloc_percpu(struct rt_cache_stat);
-       if (!rt_cache_stat)
-               return -ENOMEM;
-
        devinet_init();
        ip_fib_init();
 
@@ -3185,7 +3203,6 @@ int __init ip_rt_init(void)
        if (!proc_net_fops_create("rt_cache", S_IRUGO, &rt_cache_seq_fops) ||
            !(rtstat_pde = create_proc_entry("rt_cache", S_IRUGO, 
                                             proc_net_stat))) {
-               free_percpu(rt_cache_stat);
                return -ENOMEM;
        }
        rtstat_pde->proc_fops = &rt_cpu_seq_fops;