5 files changed, 43 insertions, 33 deletions

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 568d5bf17534..702a1ae9220b 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -446,8 +446,11 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
         ip6h->nexthdr = IPPROTO_HOPOPTS;
         ip6h->hop_limit = 1;
         ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
-        ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
-                           &ip6h->saddr);
+        if (ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
+                               &ip6h->saddr)) {
+                kfree_skb(skb);
+                return NULL;
+        }
         ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
 
         hopopt = (u8 *)(ip6h + 1);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 84122472656c..dec4f3817133 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -62,6 +62,15 @@ static int brnf_filter_pppoe_tagged __read_mostly = 0;
 #define brnf_filter_pppoe_tagged 0
 #endif
 
+#define IS_IP(skb) \
+        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
+
+#define IS_IPV6(skb) \
+        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
+
+#define IS_ARP(skb) \
+        (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
+
 static inline __be16 vlan_proto(const struct sk_buff *skb)
 {
         if (vlan_tx_tag_present(skb))
@@ -639,8 +648,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
                 return NF_DROP;
         br = p->br;
 
-        if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
-            IS_PPPOE_IPV6(skb)) {
+        if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
                 if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
                         return NF_ACCEPT;
 
@@ -651,8 +659,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
         if (!brnf_call_iptables && !br->nf_call_iptables)
                 return NF_ACCEPT;
 
-        if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
-            !IS_PPPOE_IP(skb))
+        if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
                 return NF_ACCEPT;
 
         nf_bridge_pull_encap_header_rcsum(skb);
@@ -701,7 +708,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
         struct nf_bridge_info *nf_bridge = skb->nf_bridge;
         struct net_device *in;
 
-        if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) {
+        if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
                 in = nf_bridge->physindev;
                 if (nf_bridge->mask & BRNF_PKT_TYPE) {
                         skb->pkt_type = PACKET_OTHERHOST;
@@ -718,6 +725,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
         return 0;
 }
 
+
 /* This is the 'purely bridged' case.  For IP, we pass the packet to
  * netfilter with indev and outdev set to the bridge device,
  * but we are still able to filter on the 'real' indev/outdev
@@ -744,11 +752,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
         if (!parent)
                 return NF_DROP;
 
-        if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
-            IS_PPPOE_IP(skb))
+        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
                 pf = PF_INET;
-        else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
-                 IS_PPPOE_IPV6(skb))
+        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
                 pf = PF_INET6;
         else
                 return NF_ACCEPT;
@@ -795,7 +801,7 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
         if (!brnf_call_arptables && !br->nf_call_arptables)
                 return NF_ACCEPT;
 
-        if (skb->protocol != htons(ETH_P_ARP)) {
+        if (!IS_ARP(skb)) {
                 if (!IS_VLAN_ARP(skb))
                         return NF_ACCEPT;
                 nf_bridge_pull_encap_header(skb);
@@ -853,11 +859,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
         if (!realoutdev)
                 return NF_DROP;
 
-        if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
-            IS_PPPOE_IP(skb))
+        if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
                 pf = PF_INET;
-        else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
-                 IS_PPPOE_IPV6(skb))
+        else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
                 pf = PF_INET6;
         else
                 return NF_ACCEPT;
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index dd147d78a588..8c836d96ba76 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -17,9 +17,9 @@
 #include "br_private_stp.h"
 
 /* since time values in bpdu are in jiffies and then scaled (1/256)
- * before sending, make sure that is at least one.
+ * before sending, make sure that is at least one STP tick.
  */
-#define MESSAGE_AGE_INCR        ((HZ < 256) ? 1 : (HZ/256))
+#define MESSAGE_AGE_INCR        ((HZ / 256) + 1)
 
 static const char *const br_port_state_names[] = {
         [BR_STATE_DISABLED] = "disabled",
@@ -31,7 +31,7 @@ static const char *const br_port_state_names[] = {
 
 void br_log_state(const struct net_bridge_port *p)
 {
-        br_info(p->br, "port %u(%s) entering %s state\n",
+        br_info(p->br, "port %u(%s) entered %s state\n",
                 (unsigned) p->port_no, p->dev->name,
                 br_port_state_names[p->state]);
 }
@@ -186,7 +186,7 @@ static void br_record_config_information(struct net_bridge_port *p,
         p->designated_cost = bpdu->root_path_cost;
         p->designated_bridge = bpdu->bridge_id;
         p->designated_port = bpdu->port_id;
-        p->designated_age = jiffies + bpdu->message_age;
+        p->designated_age = jiffies - bpdu->message_age;
 
         mod_timer(&p->message_age_timer, jiffies
                   + (p->br->max_age - bpdu->message_age));
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 19308e305d85..f494496373d6 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -98,14 +98,13 @@ void br_stp_disable_port(struct net_bridge_port *p)
         struct net_bridge *br = p->br;
         int wasroot;
 
-        br_log_state(p);
-
         wasroot = br_is_root_bridge(br);
         br_become_designated_port(p);
         p->state = BR_STATE_DISABLED;
         p->topology_change_ack = 0;
         p->config_pending = 0;
 
+        br_log_state(p);
         br_ifinfo_notify(RTM_NEWLINK, p);
 
         del_timer(&p->message_age_timer);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc491369..5fe2ff3b01ef 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1335,7 +1335,12 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
     const char *base, char __user *ubase)
 {
         char __user *hlp = ubase + ((char *)m - base);
-        if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
+        char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+        /* ebtables expects 32 bytes long names but xt_match names are 29 bytes
+           long. Copy 29 bytes and fill remaining bytes with zeroes. */
+        strncpy(name, m->u.match->name, sizeof(name));
+        if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
                 return -EFAULT;
         return 0;
 }
@@ -1344,7 +1349,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
     const char *base, char __user *ubase)
 {
         char __user *hlp = ubase + ((char *)w - base);
-        if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
+        char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+        strncpy(name, w->u.watcher->name, sizeof(name));
+        if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
                 return -EFAULT;
         return 0;
 }
@@ -1355,6 +1363,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
         int ret;
         char __user *hlp;
         const struct ebt_entry_target *t;
+        char name[EBT_FUNCTION_MAXNAMELEN] = {};
 
         if (e->bitmask == 0)
                 return 0;
@@ -1368,7 +1377,8 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
         ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
         if (ret != 0)
                 return ret;
-        if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
+        strncpy(name, t->u.target->name, sizeof(name));
+        if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
                 return -EFAULT;
         return 0;
 }
@@ -1893,10 +1903,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
 
         switch (compat_mwt) {
         case EBT_COMPAT_MATCH:
-                match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
-                                                name, 0), "ebt_%s", name);
-                if (match == NULL)
-                        return -ENOENT;
+                match = xt_request_find_match(NFPROTO_BRIDGE, name, 0);
                 if (IS_ERR(match))
                         return PTR_ERR(match);
 
@@ -1915,10 +1922,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
                 break;
         case EBT_COMPAT_WATCHER: /* fallthrough */
         case EBT_COMPAT_TARGET:
-                wt = try_then_request_module(xt_find_target(NFPROTO_BRIDGE,
-                                                name, 0), "ebt_%s", name);
-                if (wt == NULL)
-                        return -ENOENT;
+                wt = xt_request_find_target(NFPROTO_BRIDGE, name, 0);
                 if (IS_ERR(wt))
                         return PTR_ERR(wt);
                 off = xt_compat_target_offset(wt);