diff --git a/[refs] b/[refs]
index 67b0320501db..2f73c09f9e01 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 1ba56fb45a927d083f655302e75a1911a75b5da6
+refs/heads/master: b2942004fb5c9f3304b77e187b8a1977b3626c9b
diff --git a/trunk/net/ipv4/ip_vti.c b/trunk/net/ipv4/ip_vti.c
index 1831092f999f..858fddf6482a 100644
--- a/trunk/net/ipv4/ip_vti.c
+++ b/trunk/net/ipv4/ip_vti.c
@@ -338,12 +338,17 @@ static int vti_rcv(struct sk_buff *skb)
 	if (tunnel != NULL) {
 		struct pcpu_tstats *tstats;
 
+		if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+			return -1;
+
 		tstats = this_cpu_ptr(tunnel->dev->tstats);
 		u64_stats_update_begin(&tstats->syncp);
 		tstats->rx_packets++;
 		tstats->rx_bytes += skb->len;
 		u64_stats_update_end(&tstats->syncp);
 
+		skb->mark = 0;
+		secpath_reset(skb);
 		skb->dev = tunnel->dev;
 		return 1;
 	}