Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix verifier memory corruption and other bugs in BPF layer, from
    Alexei Starovoitov.

 2) Add a conservative fix for doing BPF properly in the BPF classifier
    of the packet scheduler on ingress.  Also from Alexei.

 3) The SKB scrubber should not clear out the packet MARK and security
    label, from Herbert Xu.

 4) Fix oops on rmmod in stmmac driver, from Bryan O'Donoghue.

 5) Pause handling is not correct in the stmmac driver because it
    doesn't take into consideration the RX and TX fifo sizes.  From
    Vince Bridgers.

 6) Failure path missing unlock in FOU driver, from Wang Cong.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
  net: dsa: use DEVICE_ATTR_RW to declare temp1_max
  netns: remove BUG_ONs from net_generic()
  IB/ipoib: Fix ndo_get_iflink
  sfc: Fix memcpy() with const destination compiler warning.
  altera tse: Fix network-delays and -retransmissions after high throughput.
  net: remove unused 'dev' argument from netif_needs_gso()
  act_mirred: Fix bogus header when redirecting from VLAN
  inet_diag: fix access to tcp cc information
  tcp: tcp_get_info() should fetch socket fields once
  net: dsa: mv88e6xxx: Add missing initialization in mv88e6xxx_set_port_state()
  skbuff: Do not scrub skb mark within the same name space
  Revert "net: Reset secmark when scrubbing packet"
  bpf: fix two bugs in verification logic when accessing 'ctx' pointer
  bpf: fix bpf helpers to use skb->mac_header relative offsets
  stmmac: Configure Flow Control to work correctly based on rxfifo size
  stmmac: Enable unicast pause frame detect in GMAC Register 6
  stmmac: Read tx-fifo-depth and rx-fifo-depth from the devicetree
  stmmac: Add defines and documentation for enabling flow control
  stmmac: Add properties for transmit and receive fifo sizes
  stmmac: fix oops on rmmod after assigning ip addr
  ...

1 files changed, 9 insertions, 3 deletions

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 630a7bac1e51..47dcd3aa6e23 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1397,7 +1397,8 @@ peek_stack:
                         /* tell verifier to check for equivalent states
                          * after every call and jump
                          */
-                        env->explored_states[t + 1] = STATE_LIST_MARK;
+                        if (t + 1 < insn_cnt)
+                                env->explored_states[t + 1] = STATE_LIST_MARK;
                 } else {
                         /* conditional jump with two edges */
                         ret = push_insn(t, t + 1, FALLTHROUGH, env);
@@ -1636,6 +1637,8 @@ static int do_check(struct verifier_env *env)
                         if (err)
                                 return err;
 
+                        src_reg_type = regs[insn->src_reg].type;
+
                         /* check that memory (src_reg + off) is readable,
                          * the state of dst_reg will be updated by this func
                          */
@@ -1645,9 +1648,12 @@ static int do_check(struct verifier_env *env)
                         if (err)
                                 return err;
 
-                        src_reg_type = regs[insn->src_reg].type;
+                        if (BPF_SIZE(insn->code) != BPF_W) {
+                                insn_idx++;
+                                continue;
+                        }
 
-                        if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {
+                        if (insn->imm == 0) {
                                 /* saw a valid insn
                                  * dst_reg = *(u32 *)(src_reg + off)
                                  * use reserved 'imm' field to mark this insn