Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

All of the conflicts were cases of overlapping changes.

In net/core/devlink.c, we have to make care that the
resouce size_params have become a struct member rather
than a pointer to such an object.

Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 54 insertions, 13 deletions

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 484f54150525..c2120eb889a9 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 
         iph = ip_hdr(skb);
         if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
-                goto inhdr_error;
+                goto csum_error;
 
         len = ntohs(iph->tot_len);
         if (skb->len < len) {
@@ -236,6 +236,8 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
          */
         return 0;
 
+csum_error:
+        __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
 inhdr_error:
         __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
 drop:
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 51935270c651..9896f4975353 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -168,6 +168,8 @@ static struct net_bridge_vlan *br_vlan_get_master(struct net_bridge *br, u16 vid
                 masterv = br_vlan_find(vg, vid);
                 if (WARN_ON(!masterv))
                         return NULL;
+                refcount_set(&masterv->refcnt, 1);
+                return masterv;
         }
         refcount_inc(&masterv->refcnt);
 
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index ce7152a12bd8..c5afb4232ecb 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
         return true;
 }
 
+static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
+{
+        return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
         const struct ebt_among_info *info = par->matchinfo;
         const struct ebt_entry_match *em =
                 container_of(par->matchinfo, const struct ebt_entry_match, data);
-        int expected_length = sizeof(struct ebt_among_info);
+        unsigned int expected_length = sizeof(struct ebt_among_info);
         const struct ebt_mac_wormhash *wh_dst, *wh_src;
         int err;
 
+        if (expected_length > em->match_size)
+                return -EINVAL;
+
         wh_dst = ebt_among_wh_dst(info);
-        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_dst))
+                return -EINVAL;
+
         expected_length += ebt_mac_wormhash_size(wh_dst);
+        if (expected_length > em->match_size)
+                return -EINVAL;
+
+        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_src))
+                return -EINVAL;
+
         expected_length += ebt_mac_wormhash_size(wh_src);
 
         if (em->match_size != EBT_ALIGN(expected_length)) {
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..254ef9f49567 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1641,7 +1641,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
         int off = ebt_compat_match_offset(match, m->match_size);
         compat_uint_t msize = m->match_size - off;
 
-        BUG_ON(off >= m->match_size);
+        if (WARN_ON(off >= m->match_size))
+                return -EINVAL;
 
         if (copy_to_user(cm->u.name, match->name,
             strlen(match->name) + 1) || put_user(msize, &cm->match_size))
@@ -1671,7 +1672,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
         int off = xt_compat_target_offset(target);
         compat_uint_t tsize = t->target_size - off;
 
-        BUG_ON(off >= t->target_size);
+        if (WARN_ON(off >= t->target_size))
+                return -EINVAL;
 
         if (copy_to_user(cm->u.name, target->name,
             strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
@@ -1902,7 +1904,8 @@ static int ebt_buf_add(struct ebt_entries_buf_state *state,
         if (state->buf_kern_start == NULL)
                 goto count_only;
 
-        BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
+        if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
+                return -EINVAL;
 
         memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
 
@@ -1915,7 +1918,8 @@ static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
 {
         char *b = state->buf_kern_start;
 
-        BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
+        if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
+                return -EINVAL;
 
         if (b != NULL && sz > 0)
                 memset(b + state->buf_kern_offset, 0, sz);
@@ -1992,8 +1996,10 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
         pad = XT_ALIGN(size_kern) - size_kern;
 
         if (pad > 0 && dst) {
-                BUG_ON(state->buf_kern_len <= pad);
-                BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
+                if (WARN_ON(state->buf_kern_len <= pad))
+                        return -EINVAL;
+                if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
+                        return -EINVAL;
                 memset(dst + size_kern, 0, pad);
         }
         return off + match_size;
@@ -2043,7 +2049,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                 if (ret < 0)
                         return ret;
 
-                BUG_ON(ret < match32->match_size);
+                if (WARN_ON(ret < match32->match_size))
+                        return -EINVAL;
                 growth += ret - match32->match_size;
                 growth += ebt_compat_entry_padsize();
 
@@ -2053,7 +2060,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                 if (match_kern)
                         match_kern->match_size = ret;
 
-                WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+                if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+                        return -EINVAL;
+
                 match32 = (struct compat_ebt_entry_mwt *) buf;
         }
 
@@ -2109,6 +2118,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
          *
          * offsets are relative to beginning of struct ebt_entry (i.e., 0).
          */
+        for (i = 0; i < 4 ; ++i) {
+                if (offsets[i] >= *total)
+                        return -EINVAL;
+                if (i == 0)
+                        continue;
+                if (offsets[i-1] > offsets[i])
+                        return -EINVAL;
+        }
+
         for (i = 0, j = 1 ; j < 4 ; j++, i++) {
                 struct compat_ebt_entry_mwt *match32;
                 unsigned int size;
@@ -2140,7 +2158,8 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 
         startoff = state->buf_user_offset - startoff;
 
-        BUG_ON(*total < startoff);
+        if (WARN_ON(*total < startoff))
+                return -EINVAL;
         *total -= startoff;
         return 0;
 }
@@ -2267,7 +2286,8 @@ static int compat_do_replace(struct net *net, void __user *user,
         state.buf_kern_len = size64;
 
         ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-        BUG_ON(ret < 0);        /* parses same data again */
+        if (WARN_ON(ret < 0))
+                goto out_unlock;
 
         vfree(entries_tmp);
         tmp.entries_size = size64;