--- /dev/null
+From 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Thu, 2 Nov 2023 20:52:30 +0100
+Subject: gfs2: don't withdraw if init_threads() got interrupted
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 upstream.
+
+In gfs2_fill_super(), when mounting a gfs2 filesystem is interrupted,
+kthread_create() can return -EINTR. When that happens, we roll back
+what has already been done and abort the mount.
+
+Since commit 62dd0f98a0e5 ("gfs2: Flag a withdraw if init_threads()
+fails), we are calling gfs2_withdraw_delayed() in gfs2_fill_super();
+first via gfs2_make_fs_rw(), then directly. But gfs2_withdraw_delayed()
+only marks the filesystem as withdrawing and relies on a caller further
+up the stack to do the actual withdraw, which doesn't exist in the
+gfs2_fill_super() case. Because the filesystem is marked as withdrawing
+/ withdrawn, function gfs2_lm_unmount() doesn't release the dlm
+lockspace, so when we try to mount that filesystem again, we get:
+
+ gfs2: fsid=gohan:gohan0: Trying to join cluster "lock_dlm", "gohan:gohan0"
+ gfs2: fsid=gohan:gohan0: dlm_new_lockspace error -17
+
+Since commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"), the
+deadlock this gfs2_withdraw_delayed() call was supposed to work around
+cannot occur anymore because freeze_go_callback() won't take the
+sb->s_umount semaphore unconditionally anymore, so we can get rid of the
+gfs2_withdraw_delayed() in gfs2_fill_super() entirely.
+
+Reported-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: stable@vger.kernel.org # v6.5+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/ops_fstype.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1259,10 +1259,8 @@ static int gfs2_fill_super(struct super_
+
+ if (!sb_rdonly(sb)) {
+ error = init_threads(sdp);
+- if (error) {
+- gfs2_withdraw_delayed(sdp);
++ if (error)
+ goto fail_per_node;
+- }
+ }
+
+ error = gfs2_freeze_lock_shared(sdp, &sdp->sd_freeze_gh, 0);
--- /dev/null
+From 52954b750958dcab9e44935f0c32643279091c85 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 11 Sep 2023 20:00:28 +0200
+Subject: gfs2: Fix another freeze/thaw hang
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 52954b750958dcab9e44935f0c32643279091c85 upstream.
+
+On a thawed filesystem, the freeze glock is held in shared mode. In
+order to initiate a cluster-wide freeze, the node initiating the freeze
+drops the freeze glock and grabs it in exclusive mode. The other nodes
+recognize this as contention on the freeze glock; function
+freeze_go_callback is invoked. This indicates to them that they must
+freeze the filesystem locally, drop the freeze glock, and then
+re-acquire it in shared mode before being able to unfreeze the
+filesystem locally.
+
+While a node is trying to re-acquire the freeze glock in shared mode,
+additional contention can occur. In that case, the node must behave in
+the same way as above.
+
+Unfortunately, freeze_go_callback() contains a check that causes it to
+bail out when the freeze glock isn't held in shared mode. Fix that to
+allow the glock to be unlocked or held in shared mode.
+
+In addition, update a reference to trylock_super() which has been
+renamed to super_trylock_shared() in the meantime.
+
+Fixes: b77b4a4815a9 ("gfs2: Rework freeze / thaw logic")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/glops.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/gfs2/glops.c
++++ b/fs/gfs2/glops.c
+@@ -566,15 +566,16 @@ static void freeze_go_callback(struct gf
+ struct super_block *sb = sdp->sd_vfs;
+
+ if (!remote ||
+- gl->gl_state != LM_ST_SHARED ||
++ (gl->gl_state != LM_ST_SHARED &&
++ gl->gl_state != LM_ST_UNLOCKED) ||
+ gl->gl_demote_state != LM_ST_UNLOCKED)
+ return;
+
+ /*
+ * Try to get an active super block reference to prevent racing with
+- * unmount (see trylock_super()). But note that unmount isn't the only
+- * place where a write lock on s_umount is taken, and we can fail here
+- * because of things like remount as well.
++ * unmount (see super_trylock_shared()). But note that unmount isn't
++ * the only place where a write lock on s_umount is taken, and we can
++ * fail here because of things like remount as well.
+ */
+ if (down_read_trylock(&sb->s_umount)) {
+ atomic_inc(&sb->s_active);
--- /dev/null
+From bbacb395ac5c57290cdfd02389788cbce64c237e Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Fri, 1 Sep 2023 21:39:26 +0200
+Subject: gfs2: Remove freeze_go_demote_ok
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit bbacb395ac5c57290cdfd02389788cbce64c237e upstream.
+
+Before commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"), the
+freeze glock was kept around in the glock cache in shared mode without
+being actively held while a filesystem is in thawed state. In that
+state, memory pressure could have eventually evicted the freeze glock,
+and the freeze_go_demote_ok callback was needed to prevent that from
+happening.
+
+With the freeze / thaw rework, the freeze glock is now always actively
+held in shared mode while a filesystem is thawed, and the
+freeze_go_demote_ok hack is no longer needed.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/glops.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/fs/gfs2/glops.c
++++ b/fs/gfs2/glops.c
+@@ -613,18 +613,6 @@ static int freeze_go_xmote_bh(struct gfs
+ }
+
+ /**
+- * freeze_go_demote_ok
+- * @gl: the glock
+- *
+- * Always returns 0
+- */
+-
+-static int freeze_go_demote_ok(const struct gfs2_glock *gl)
+-{
+- return 0;
+-}
+-
+-/**
+ * iopen_go_callback - schedule the dcache entry for the inode to be deleted
+ * @gl: the glock
+ * @remote: true if this came from a different cluster node
+@@ -748,7 +736,6 @@ const struct gfs2_glock_operations gfs2_
+
+ const struct gfs2_glock_operations gfs2_freeze_glops = {
+ .go_xmote_bh = freeze_go_xmote_bh,
+- .go_demote_ok = freeze_go_demote_ok,
+ .go_callback = freeze_go_callback,
+ .go_type = LM_TYPE_NONDISK,
+ .go_flags = GLOF_NONDISK,
--- /dev/null
+From 0b93bac2271e11beb980fca037a34a9819c7dc37 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 8 Aug 2023 20:27:46 +0200
+Subject: gfs2: Remove LM_FLAG_PRIORITY flag
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 0b93bac2271e11beb980fca037a34a9819c7dc37 upstream.
+
+The last user of this flag was removed in commit b77b4a4815a9 ("gfs2:
+Rework freeze / thaw logic").
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/filesystems/gfs2-glocks.rst | 3 +--
+ fs/gfs2/glock.c | 23 ++++++-----------------
+ fs/gfs2/glock.h | 9 ---------
+ fs/gfs2/lock_dlm.c | 5 -----
+ 4 files changed, 7 insertions(+), 33 deletions(-)
+
+--- a/Documentation/filesystems/gfs2-glocks.rst
++++ b/Documentation/filesystems/gfs2-glocks.rst
+@@ -20,8 +20,7 @@ The gl_holders list contains all the que
+ just the holders) associated with the glock. If there are any
+ held locks, then they will be contiguous entries at the head
+ of the list. Locks are granted in strictly the order that they
+-are queued, except for those marked LM_FLAG_PRIORITY which are
+-used only during recovery, and even then only for journal locks.
++are queued.
+
+ There are three lock states that users of the glock layer can request,
+ namely shared (SH), deferred (DF) and exclusive (EX). Those translate
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -661,8 +661,7 @@ static void finish_xmote(struct gfs2_glo
+ if (gh && !test_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags)) {
+ /* move to back of queue and try next entry */
+ if (ret & LM_OUT_CANCELED) {
+- if ((gh->gh_flags & LM_FLAG_PRIORITY) == 0)
+- list_move_tail(&gh->gh_list, &gl->gl_holders);
++ list_move_tail(&gh->gh_list, &gl->gl_holders);
+ gh = find_first_waiter(gl);
+ gl->gl_target = gh->gh_state;
+ goto retry;
+@@ -749,8 +748,7 @@ __acquires(&gl->gl_lockref.lock)
+ gh && !(gh->gh_flags & LM_FLAG_NOEXP))
+ goto skip_inval;
+
+- lck_flags &= (LM_FLAG_TRY | LM_FLAG_TRY_1CB | LM_FLAG_NOEXP |
+- LM_FLAG_PRIORITY);
++ lck_flags &= (LM_FLAG_TRY | LM_FLAG_TRY_1CB | LM_FLAG_NOEXP);
+ GLOCK_BUG_ON(gl, gl->gl_state == target);
+ GLOCK_BUG_ON(gl, gl->gl_state == gl->gl_target);
+ if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
+@@ -1528,27 +1526,20 @@ fail:
+ }
+ if (test_bit(HIF_HOLDER, &gh2->gh_iflags))
+ continue;
+- if (unlikely((gh->gh_flags & LM_FLAG_PRIORITY) && !insert_pt))
+- insert_pt = &gh2->gh_list;
+ }
+ trace_gfs2_glock_queue(gh, 1);
+ gfs2_glstats_inc(gl, GFS2_LKS_QCOUNT);
+ gfs2_sbstats_inc(gl, GFS2_LKS_QCOUNT);
+ if (likely(insert_pt == NULL)) {
+ list_add_tail(&gh->gh_list, &gl->gl_holders);
+- if (unlikely(gh->gh_flags & LM_FLAG_PRIORITY))
+- goto do_cancel;
+ return;
+ }
+ list_add_tail(&gh->gh_list, insert_pt);
+-do_cancel:
+ gh = list_first_entry(&gl->gl_holders, struct gfs2_holder, gh_list);
+- if (!(gh->gh_flags & LM_FLAG_PRIORITY)) {
+- spin_unlock(&gl->gl_lockref.lock);
+- if (sdp->sd_lockstruct.ls_ops->lm_cancel)
+- sdp->sd_lockstruct.ls_ops->lm_cancel(gl);
+- spin_lock(&gl->gl_lockref.lock);
+- }
++ spin_unlock(&gl->gl_lockref.lock);
++ if (sdp->sd_lockstruct.ls_ops->lm_cancel)
++ sdp->sd_lockstruct.ls_ops->lm_cancel(gl);
++ spin_lock(&gl->gl_lockref.lock);
+ return;
+
+ trap_recursive:
+@@ -2296,8 +2287,6 @@ static const char *hflags2str(char *buf,
+ *p++ = 'e';
+ if (flags & LM_FLAG_ANY)
+ *p++ = 'A';
+- if (flags & LM_FLAG_PRIORITY)
+- *p++ = 'p';
+ if (flags & LM_FLAG_NODE_SCOPE)
+ *p++ = 'n';
+ if (flags & GL_ASYNC)
+--- a/fs/gfs2/glock.h
++++ b/fs/gfs2/glock.h
+@@ -68,14 +68,6 @@ enum {
+ * also be granted in SHARED. The preferred state is whichever is compatible
+ * with other granted locks, or the specified state if no other locks exist.
+ *
+- * LM_FLAG_PRIORITY
+- * Override fairness considerations. Suppose a lock is held in a shared state
+- * and there is a pending request for the deferred state. A shared lock
+- * request with the priority flag would be allowed to bypass the deferred
+- * request and directly join the other shared lock. A shared lock request
+- * without the priority flag might be forced to wait until the deferred
+- * requested had acquired and released the lock.
+- *
+ * LM_FLAG_NODE_SCOPE
+ * This holder agrees to share the lock within this node. In other words,
+ * the glock is held in EX mode according to DLM, but local holders on the
+@@ -86,7 +78,6 @@ enum {
+ #define LM_FLAG_TRY_1CB 0x0002
+ #define LM_FLAG_NOEXP 0x0004
+ #define LM_FLAG_ANY 0x0008
+-#define LM_FLAG_PRIORITY 0x0010
+ #define LM_FLAG_NODE_SCOPE 0x0020
+ #define GL_ASYNC 0x0040
+ #define GL_EXACT 0x0080
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -222,11 +222,6 @@ static u32 make_flags(struct gfs2_glock
+ lkf |= DLM_LKF_NOQUEUEBAST;
+ }
+
+- if (gfs_flags & LM_FLAG_PRIORITY) {
+- lkf |= DLM_LKF_NOORDER;
+- lkf |= DLM_LKF_HEADQUE;
+- }
+-
+ if (gfs_flags & LM_FLAG_ANY) {
+ if (req == DLM_LOCK_PR)
+ lkf |= DLM_LKF_ALTCW;
--- /dev/null
+From 66ceaa4c4507f2b598d37b528796dd34158d31bf Mon Sep 17 00:00:00 2001
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Mon, 13 Mar 2023 13:36:07 -0700
+Subject: ice: fix W=1 headers mismatch
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+commit 66ceaa4c4507f2b598d37b528796dd34158d31bf upstream.
+
+make modules W=1 returns:
+.../ice/ice_txrx_lib.c:448: warning: Function parameter or member 'first_idx' not described in 'ice_finalize_xdp_rx'
+.../ice/ice_txrx.c:948: warning: Function parameter or member 'ntc' not described in 'ice_get_rx_buf'
+.../ice/ice_txrx.c:1038: warning: Excess function parameter 'rx_buf' description in 'ice_construct_skb'
+
+Fix these warnings by adding and deleting the deviant arguments.
+
+Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side")
+Fixes: d7956d81f150 ("ice: Pull out next_to_clean bump out of ice_put_rx_buf()")
+CC: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +-
+ drivers/net/ethernet/intel/ice/ice_txrx_lib.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -892,6 +892,7 @@ ice_reuse_rx_page(struct ice_rx_ring *rx
+ * ice_get_rx_buf - Fetch Rx buffer and synchronize data for use
+ * @rx_ring: Rx descriptor ring to transact packets on
+ * @size: size of buffer to add to skb
++ * @ntc: index of next to clean element
+ *
+ * This function will pull an Rx buffer from the ring and synchronize it
+ * for use by the CPU.
+@@ -973,7 +974,6 @@ ice_build_skb(struct ice_rx_ring *rx_rin
+ /**
+ * ice_construct_skb - Allocate skb and populate it
+ * @rx_ring: Rx descriptor ring to transact packets on
+- * @rx_buf: Rx buffer to pull data from
+ * @xdp: xdp_buff pointing to the data
+ *
+ * This function allocates an skb. It then populates it with the page
+--- a/drivers/net/ethernet/intel/ice/ice_txrx_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx_lib.c
+@@ -349,6 +349,7 @@ int ice_xmit_xdp_buff(struct xdp_buff *x
+ * ice_finalize_xdp_rx - Bump XDP Tx tail and/or flush redirect map
+ * @xdp_ring: XDP ring
+ * @xdp_res: Result of the receive batch
++ * @first_idx: index to write from caller
+ *
+ * This function bumps XDP Tx tail and/or flush redirect map, and
+ * should be called when a batch of packets has been processed in the
--- /dev/null
+From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001
+From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
+Date: Sun, 7 Jul 2024 08:53:18 -0400
+Subject: igc: Fix qbv tx latency by setting gtxoffset
+
+From: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
+
+commit 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 upstream.
+
+A large tx latency issue was discovered during testing when only QBV was
+enabled. The issue occurs because gtxoffset was not set when QBV is
+active, it was only set when launch time is active.
+
+The patch "igc: Correct the launchtime offset" only sets gtxoffset when
+the launchtime_enable field is set by the user. Enabling launchtime_enable
+ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as
+LaunchT in the SW user manual).
+
+Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states:
+"The latency between transmission scheduling (launch time) and the
+time the packet is transmitted to the network is listed in Table 7-61."
+
+However, the patch misinterprets the phrase "launch time" in that section
+by assuming it specifically refers to the LaunchT register, whereas it
+actually denotes the generic term for when a packet is released from the
+internal buffer to the MAC transmit logic.
+
+This launch time, as per that section, also implicitly refers to the QBV
+gate open time, where a packet waits in the buffer for the QBV gate to
+open. Therefore, latency applies whenever QBV is in use. TSN features such
+as QBU and QAV reuse QBV, making the latency universal to TSN features.
+
+Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that
+the term "launch time" used in Section 7.5.2.6 is not clear and can be
+easily misinterpreted. Avi will update this section to:
+"When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission
+scheduling and the time the packet is transmitted to the network is listed
+in Table 7-61."
+
+Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to
+write to gtxoffset, aligning with the newly updated SW User Manual.
+
+Tested:
+1. Enrol taprio on talker board
+ base-time 0
+ cycle-time 1000000
+ flags 0x2
+ index 0 cmd S gatemask 0x1 interval1
+ index 0 cmd S gatemask 0x1 interval2
+
+ Note:
+ interval1 = interval for a 64 bytes packet to go through
+ interval2 = cycle-time - interval1
+
+2. Take tcpdump on listener board
+
+3. Use udp tai app on talker to send packets to listener
+
+4. Check the timestamp on listener via wireshark
+
+Test Result:
+100 Mbps: 113 ~193 ns
+1000 Mbps: 52 ~ 84 ns
+2500 Mbps: 95 ~ 223 ns
+
+Note that the test result is similar to the patch "igc: Correct the
+launchtime offset".
+
+Fixes: 790835fcc0cb ("igc: Correct the launchtime offset")
+Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igc/igc_tsn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
+@@ -54,7 +54,7 @@ void igc_tsn_adjust_txtime_offset(struct
+ struct igc_hw *hw = &adapter->hw;
+ u16 txoffset;
+
+- if (!is_any_launchtime(adapter))
++ if (!igc_tsn_is_tx_mode_in_tsn(adapter))
+ return;
+
+ switch (adapter->link_speed) {
+++ /dev/null
-From 5b4bb06afdccff756d8c31a557d5320841b0fe24 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 17 Jan 2024 11:19:45 +0800
-Subject: md: Fix overflow in is_mddev_idle
-
-From: Li Nan <linan122@huawei.com>
-
-[ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ]
-
-UBSAN reports this problem:
-
- UBSAN: Undefined behaviour in drivers/md/md.c:8175:15
- signed integer overflow:
- -2147483291 - 2072033152 cannot be represented in type 'int'
- Call trace:
- dump_backtrace+0x0/0x310
- show_stack+0x28/0x38
- dump_stack+0xec/0x15c
- ubsan_epilogue+0x18/0x84
- handle_overflow+0x14c/0x19c
- __ubsan_handle_sub_overflow+0x34/0x44
- is_mddev_idle+0x338/0x3d8
- md_do_sync+0x1bb8/0x1cf8
- md_thread+0x220/0x288
- kthread+0x1d8/0x1e0
- ret_from_fork+0x10/0x18
-
-'curr_events' will overflow when stat accum or 'sync_io' is greater than
-INT_MAX.
-
-Fix it by changing sync_io, last_events and curr_events to 64bit.
-
-Signed-off-by: Li Nan <linan122@huawei.com>
-Reviewed-by: Yu Kuai <yukuai3@huawei.com>
-Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com
-Signed-off-by: Song Liu <song@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md.c | 7 ++++---
- drivers/md/md.h | 4 ++--
- include/linux/blkdev.h | 2 +-
- 3 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 297c86f5c70b5..a3b0ac0732c94 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -8540,14 +8540,15 @@ static int is_mddev_idle(struct mddev *mddev, int init)
- {
- struct md_rdev *rdev;
- int idle;
-- int curr_events;
-+ long long curr_events;
-
- idle = 1;
- rcu_read_lock();
- rdev_for_each_rcu(rdev, mddev) {
- struct gendisk *disk = rdev->bdev->bd_disk;
-- curr_events = (int)part_stat_read_accum(disk->part0, sectors) -
-- atomic_read(&disk->sync_io);
-+ curr_events =
-+ (long long)part_stat_read_accum(disk->part0, sectors) -
-+ atomic64_read(&disk->sync_io);
- /* sync IO will cause sync_io to increase before the disk_stats
- * as sync_io is counted when a request starts, and
- * disk_stats is counted when it completes.
-diff --git a/drivers/md/md.h b/drivers/md/md.h
-index 4f0b480974552..5910527514db2 100644
---- a/drivers/md/md.h
-+++ b/drivers/md/md.h
-@@ -50,7 +50,7 @@ struct md_rdev {
-
- sector_t sectors; /* Device size (in 512bytes sectors) */
- struct mddev *mddev; /* RAID array if running */
-- int last_events; /* IO event timestamp */
-+ long long last_events; /* IO event timestamp */
-
- /*
- * If meta_bdev is non-NULL, it means that a separate device is
-@@ -576,7 +576,7 @@ extern void mddev_unlock(struct mddev *mddev);
-
- static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
- {
-- atomic_add(nr_sectors, &bdev->bd_disk->sync_io);
-+ atomic64_add(nr_sectors, &bdev->bd_disk->sync_io);
- }
-
- static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors)
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index e255674a9ee72..02e55676e0283 100644
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -161,7 +161,7 @@ struct gendisk {
- struct list_head slave_bdevs;
- #endif
- struct timer_rand_state *random;
-- atomic_t sync_io; /* RAID */
-+ atomic64_t sync_io; /* RAID */
- struct disk_events *ev;
- #ifdef CONFIG_BLK_DEV_INTEGRITY
- struct kobject integrity_kobj;
---
-2.43.0
-
--- /dev/null
+From 1382e3b6a3500c245e5278c66d210c02926f804f Mon Sep 17 00:00:00 2001
+From: Yuri Benditovich <yuri.benditovich@daynix.com>
+Date: Thu, 11 Apr 2024 08:11:24 +0300
+Subject: net: change maximum number of UDP segments to 128
+
+From: Yuri Benditovich <yuri.benditovich@daynix.com>
+
+commit 1382e3b6a3500c245e5278c66d210c02926f804f upstream.
+
+The commit fc8b2a619469
+("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation")
+adds check of potential number of UDP segments vs
+UDP_MAX_SEGMENTS in linux/virtio_net.h.
+After this change certification test of USO guest-to-guest
+transmit on Windows driver for virtio-net device fails,
+for example with packet size of ~64K and mss of 536 bytes.
+In general the USO should not be more restrictive than TSO.
+Indeed, in case of unreasonably small mss a lot of segments
+can cause queue overflow and packet loss on the destination.
+Limit of 128 segments is good for any practical purpose,
+with minimal meaningful mss of 536 the maximal UDP packet will
+be divided to ~120 segments.
+The number of segments for UDP packets is validated vs
+UDP_MAX_SEGMENTS also in udp.c (v4,v6), this does not affect
+quest-to-guest path but does affect packets sent to host, for
+example.
+It is important to mention that UDP_MAX_SEGMENTS is kernel-only
+define and not available to user mode socket applications.
+In order to request MSS smaller than MTU the applications
+just uses setsockopt with SOL_UDP and UDP_SEGMENT and there is
+no limitations on socket API level.
+
+Fixes: fc8b2a619469 ("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation")
+Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/udp.h | 2 +-
+ tools/testing/selftests/net/udpgso.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/udp.h
++++ b/include/linux/udp.h
+@@ -102,7 +102,7 @@ struct udp_sock {
+ #define udp_assign_bit(nr, sk, val) \
+ assign_bit(UDP_FLAGS_##nr, &udp_sk(sk)->udp_flags, val)
+
+-#define UDP_MAX_SEGMENTS (1 << 6UL)
++#define UDP_MAX_SEGMENTS (1 << 7UL)
+
+ static inline struct udp_sock *udp_sk(const struct sock *sk)
+ {
+--- a/tools/testing/selftests/net/udpgso.c
++++ b/tools/testing/selftests/net/udpgso.c
+@@ -34,7 +34,7 @@
+ #endif
+
+ #ifndef UDP_MAX_SEGMENTS
+-#define UDP_MAX_SEGMENTS (1 << 6UL)
++#define UDP_MAX_SEGMENTS (1 << 7UL)
+ #endif
+
+ #define CONST_MTU_TEST 1500
--- /dev/null
+From e42e29cc442395d62f1a8963ec2dfb700ba6a5d7 Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Mon, 29 Jan 2024 08:40:23 -0600
+Subject: Revert "jfs: fix shift-out-of-bounds in dbJoin"
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+commit e42e29cc442395d62f1a8963ec2dfb700ba6a5d7 upstream.
+
+This reverts commit cca974daeb6c43ea971f8ceff5a7080d7d49ee30.
+
+The added sanity check is incorrect. BUDMIN is not the wrong value and
+is too small.
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_dmap.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -2765,9 +2765,7 @@ static int dbBackSplit(dmtree_t *tp, int
+ * leafno - the number of the leaf to be updated.
+ * newval - the new value for the leaf.
+ *
+- * RETURN VALUES:
+- * 0 - success
+- * -EIO - i/o error
++ * RETURN VALUES: none
+ */
+ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
+ {
+@@ -2794,10 +2792,6 @@ static int dbJoin(dmtree_t *tp, int leaf
+ * get the buddy size (number of words covered) of
+ * the new value.
+ */
+-
+- if ((newval - tp->dmt_budmin) > BUDMIN)
+- return -EIO;
+-
+ budsz = BUDSIZE(newval, tp->dmt_budmin);
+
+ /* try to join.
--- /dev/null
+From a71d0908e32f3dd41e355d83eeadd44d94811fd6 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 12 Feb 2024 11:19:23 +0100
+Subject: selftests: net: more strict check in net_helper
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit a71d0908e32f3dd41e355d83eeadd44d94811fd6 upstream.
+
+The helper waiting for a listener port can match any socket whose
+hexadecimal representation of source or destination addresses
+matches that of the given port.
+
+Additionally, any socket state is accepted.
+
+All the above can let the helper return successfully before the
+relevant listener is actually ready, with unexpected results.
+
+So far I could not find any related failure in the netdev CI, but
+the next patch is going to make the critical event more easily
+reproducible.
+
+Address the issue matching the port hex only vs the relevant socket
+field and additionally checking the socket state for TCP sockets.
+
+Fixes: 3bdd9fd29cb0 ("selftests/net: synchronize udpgro tests' tx and rx connection")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://lore.kernel.org/r/192b3dbc443d953be32991d1b0ca432bd4c65008.1707731086.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/net_helper.sh | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/net_helper.sh
++++ b/tools/testing/selftests/net/net_helper.sh
+@@ -8,13 +8,16 @@ wait_local_port_listen()
+ local listener_ns="${1}"
+ local port="${2}"
+ local protocol="${3}"
+- local port_hex
++ local pattern
+ local i
+
+- port_hex="$(printf "%04X" "${port}")"
++ pattern=":$(printf "%04X" "${port}") "
++
++ # for tcp protocol additionally check the socket state
++ [ ${protocol} = "tcp" ] && pattern="${pattern}0A"
+ for i in $(seq 10); do
+- if ip netns exec "${listener_ns}" cat /proc/net/"${protocol}"* | \
+- grep -q "${port_hex}"; then
++ if ip netns exec "${listener_ns}" awk '{print $2" "$4}' \
++ /proc/net/"${protocol}"* | grep -q "${pattern}"; then
+ break
+ fi
+ sleep 0.1
--- /dev/null
+From 9d851dd4dab63e95c1911a2fa847796d1ec5d58d Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@nvidia.com>
+Date: Wed, 31 Jan 2024 09:08:46 -0500
+Subject: selftests: net: Remove executable bits from library scripts
+
+From: Benjamin Poirier <bpoirier@nvidia.com>
+
+commit 9d851dd4dab63e95c1911a2fa847796d1ec5d58d upstream.
+
+setup_loopback.sh and net_helper.sh are meant to be sourced from other
+scripts, not executed directly. Therefore, remove the executable bits from
+those files' permissions.
+
+This change is similar to commit 49078c1b80b6 ("selftests: forwarding:
+Remove executable bits from lib.sh")
+
+Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test")
+Fixes: 3bdd9fd29cb0 ("selftests/net: synchronize udpgro tests' tx and rx connection")
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
+Link: https://lore.kernel.org/r/20240131140848.360618-4-bpoirier@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/net_helper.sh | 0
+ tools/testing/selftests/net/setup_loopback.sh | 0
+ 0 files changed
+ mode change 100755 => 100644 tools/testing/selftests/net/net_helper.sh
+ mode change 100755 => 100644 tools/testing/selftests/net/setup_loopback.sh
+
irqchip-renesas-rzg2l-do-not-set-tien-and-tint-sourc.patch
clocksource-make-watchdog-and-suspend-timing-multipl.patch
platform-x86-lg-laptop-fix-s-null-argument-warning.patch
-md-fix-overflow-in-is_mddev_idle.patch
usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
fbdev-offb-replace-of_node_put-with-__free-device_no.patch
irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch
net-more-strict-virtio_net_hdr_gso_udp_l4-validation.patch
net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch
+wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch
+wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch
+wifi-mac80211-fix-mesh-forwarding.patch
+wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch
+wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch
+wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch
+wifi-mac80211-fix-potential-null-pointer-dereference.patch
+wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch
+gfs2-fix-another-freeze-thaw-hang.patch
+gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch
+gfs2-remove-lm_flag_priority-flag.patch
+gfs2-remove-freeze_go_demote_ok.patch
+igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch
+udp-fix-receiving-fraglist-gso-packets.patch
+ice-fix-w-1-headers-mismatch.patch
+revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch
+net-change-maximum-number-of-udp-segments-to-128.patch
+selftests-net-more-strict-check-in-net_helper.patch
+selftests-net-remove-executable-bits-from-library-scripts.patch
--- /dev/null
+From b128ed5ab27330deeeaf51ea8bb69f1442a96f7f Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 19 Aug 2024 17:06:21 +0200
+Subject: udp: fix receiving fraglist GSO packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit b128ed5ab27330deeeaf51ea8bb69f1442a96f7f upstream.
+
+When assembling fraglist GSO packets, udp4_gro_complete does not set
+skb->csum_start, which makes the extra validation in __udp_gso_segment fail.
+
+Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20240819150621.59833-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp_offload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -278,7 +278,8 @@ struct sk_buff *__udp_gso_segment(struct
+ return ERR_PTR(-EINVAL);
+
+ if (unlikely(skb_checksum_start(gso_skb) !=
+- skb_transport_header(gso_skb)))
++ skb_transport_header(gso_skb) &&
++ !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)))
+ return ERR_PTR(-EINVAL);
+
+ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
--- /dev/null
+From fec3ebb5ed299ac3a998f011c380f2ded47f4866 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 11 Jul 2023 13:50:52 +0200
+Subject: wifi: cfg80211: fix receiving mesh packets without RFC1042 header
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit fec3ebb5ed299ac3a998f011c380f2ded47f4866 upstream.
+
+Fix ethernet header length field after stripping the mesh header
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/CT5GNZSK28AI.2K6M69OXM9RW5@syracuse/
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Reported-and-tested-by: Nicolas Escande <nico.escande@gmail.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230711115052.68430-1-nbd@nbd.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -580,6 +580,8 @@ int ieee80211_strip_8023_mesh_hdr(struct
+ hdrlen += ETH_ALEN + 2;
+ else if (!pskb_may_pull(skb, hdrlen))
+ return -EINVAL;
++ else
++ payload.eth.h_proto = htons(skb->len - hdrlen);
+
+ mesh_addr = skb->data + sizeof(payload.eth) + ETH_ALEN;
+ switch (payload.flags & MESH_FLAGS_AE) {
--- /dev/null
+From 3caf31e7b18a90b74a2709d761a0dfa423f2c2e4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 15 Feb 2023 18:30:26 +0100
+Subject: wifi: mac80211: add documentation for amsdu_mesh_control
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 3caf31e7b18a90b74a2709d761a0dfa423f2c2e4 upstream.
+
+This documentation wasn't added in the original patch,
+add it now.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Fixes: 6e4c0d0460bd ("wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -621,6 +621,8 @@ struct link_sta_info {
+ * taken from HT/VHT capabilities or VHT operating mode notification
+ * @cparams: CoDel parameters for this station.
+ * @reserved_tid: reserved TID (if any, otherwise IEEE80211_TID_UNRESERVED)
++ * @amsdu_mesh_control: track the mesh A-MSDU format used by the peer
++ * (-1: not yet known, 0: non-standard [without mesh header], 1: standard)
+ * @fast_tx: TX fastpath information
+ * @fast_rx: RX fastpath information
+ * @tdls_chandef: a TDLS peer can have a wider chandef that is compatible to
--- /dev/null
+From 4d78e032fee5d532e189cdb2c3c76112094e9751 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 30 Mar 2023 11:00:00 +0200
+Subject: wifi: mac80211: drop bogus static keywords in A-MSDU rx
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4d78e032fee5d532e189cdb2c3c76112094e9751 upstream.
+
+These were unintentional copy&paste mistakes.
+
+Cc: stable@vger.kernel.org
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230330090001.60750-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2904,7 +2904,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+ __le16 fc = hdr->frame_control;
+ struct sk_buff_head frame_list;
+- static ieee80211_rx_result res;
++ ieee80211_rx_result res;
+ struct ethhdr ethhdr;
+ const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
+
+@@ -3045,7 +3045,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_
+ struct net_device *dev = sdata->dev;
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
+ __le16 fc = hdr->frame_control;
+- static ieee80211_rx_result res;
++ ieee80211_rx_result res;
+ bool port_control;
+ int err;
+
--- /dev/null
+From 899c2c11810cfe38cb01c847d0df98e181ea5728 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 24 Mar 2023 13:09:23 +0100
+Subject: wifi: mac80211: fix flow dissection for forwarded packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 899c2c11810cfe38cb01c847d0df98e181ea5728 upstream.
+
+Adjust the network header to point at the correct payload offset
+
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230324120924.38412-2-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2855,7 +2855,7 @@ ieee80211_rx_mesh_data(struct ieee80211_
+ hdrlen += ETH_ALEN;
+ else
+ fwd_skb->protocol = htons(fwd_skb->len - hdrlen);
+- skb_set_network_header(fwd_skb, hdrlen);
++ skb_set_network_header(fwd_skb, hdrlen + 2);
+
+ info = IEEE80211_SKB_CB(fwd_skb);
+ memset(info, 0, sizeof(*info));
--- /dev/null
+From 8f0149a8ac59c12cd47271ac625c27dac5621d3a Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 24 Mar 2023 13:09:22 +0100
+Subject: wifi: mac80211: fix mesh forwarding
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 8f0149a8ac59c12cd47271ac625c27dac5621d3a upstream.
+
+Linearize packets (needed for forwarding A-MSDU subframes).
+
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230324120924.38412-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2838,6 +2838,9 @@ ieee80211_rx_mesh_data(struct ieee80211_
+
+ if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr)))
+ return RX_DROP_UNUSABLE;
++
++ if (skb_linearize(fwd_skb))
++ return RX_DROP_UNUSABLE;
+ }
+
+ fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr));
--- /dev/null
+From f355f70145744518ca1d9799b42f4a8da9aa0d36 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 14 Mar 2023 10:59:52 +0100
+Subject: wifi: mac80211: fix mesh path discovery based on unicast packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit f355f70145744518ca1d9799b42f4a8da9aa0d36 upstream.
+
+If a packet has reached its intended destination, it was bumped to the code
+that accepts it, without first checking if a mesh_path needs to be created
+based on the discovered source.
+Fix this by moving the destination address check further down.
+
+Cc: stable@vger.kernel.org
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230314095956.62085-3-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2770,17 +2770,6 @@ ieee80211_rx_mesh_data(struct ieee80211_
+ mesh_rmc_check(sdata, eth->h_source, mesh_hdr))
+ return RX_DROP_MONITOR;
+
+- /* Frame has reached destination. Don't forward */
+- if (ether_addr_equal(sdata->vif.addr, eth->h_dest))
+- goto rx_accept;
+-
+- if (!ifmsh->mshcfg.dot11MeshForwarding) {
+- if (is_multicast_ether_addr(eth->h_dest))
+- goto rx_accept;
+-
+- return RX_DROP_MONITOR;
+- }
+-
+ /* forward packet */
+ if (sdata->crypto_tx_tailroom_needed_cnt)
+ tailroom = IEEE80211_ENCRYPT_TAILROOM;
+@@ -2819,6 +2808,17 @@ ieee80211_rx_mesh_data(struct ieee80211_
+ rcu_read_unlock();
+ }
+
++ /* Frame has reached destination. Don't forward */
++ if (ether_addr_equal(sdata->vif.addr, eth->h_dest))
++ goto rx_accept;
++
++ if (!ifmsh->mshcfg.dot11MeshForwarding) {
++ if (is_multicast_ether_addr(eth->h_dest))
++ goto rx_accept;
++
++ return RX_DROP_MONITOR;
++ }
++
+ skb_set_queue_mapping(skb, ieee802_1d_to_ac[skb->priority]);
+
+ ieee80211_fill_mesh_addresses(&hdr, &hdr.frame_control,
--- /dev/null
+From a16fc38315f2c69c520ee769976ecb9c706b8560 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 30 Mar 2023 11:00:01 +0200
+Subject: wifi: mac80211: fix potential null pointer dereference
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a16fc38315f2c69c520ee769976ecb9c706b8560 upstream.
+
+rx->sta->amsdu_mesh_control is being passed to ieee80211_amsdu_to_8023s
+without checking rx->sta. Since it doesn't make sense to accept A-MSDU
+packets without a sta, simply add a check earlier.
+
+Fixes: 6e4c0d0460bd ("wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230330090001.60750-2-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2938,7 +2938,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_
+ data_offset, true))
+ return RX_DROP_UNUSABLE;
+
+- if (rx->sta && rx->sta->amsdu_mesh_control < 0) {
++ if (rx->sta->amsdu_mesh_control < 0) {
+ bool valid_std = ieee80211_is_valid_amsdu(skb, true);
+ bool valid_nonstd = ieee80211_is_valid_amsdu(skb, false);
+
+@@ -3014,7 +3014,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx
+ }
+ }
+
+- if (is_multicast_ether_addr(hdr->addr1))
++ if (is_multicast_ether_addr(hdr->addr1) || !rx->sta)
+ return RX_DROP_UNUSABLE;
+
+ if (rx->key) {
--- /dev/null
+From e26c0946a5c1aa4d27f8dfe78f2a72b4550df91f Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sun, 26 Mar 2023 17:17:09 +0200
+Subject: wifi: mac80211: fix receiving mesh packets in forwarding=0 networks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit e26c0946a5c1aa4d27f8dfe78f2a72b4550df91f upstream.
+
+When forwarding is set to 0, frames are typically sent with ttl=1.
+Move the ttl decrement check below the check for local receive in order to
+fix packet drops.
+
+Reported-by: Thomas Hühn <thomas.huehn@hs-nordhausen.de>
+Reported-by: Nick Hainke <vincent@systemli.org>
+Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230326151709.17743-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2774,14 +2774,6 @@ ieee80211_rx_mesh_data(struct ieee80211_
+ if (sdata->crypto_tx_tailroom_needed_cnt)
+ tailroom = IEEE80211_ENCRYPT_TAILROOM;
+
+- if (!--mesh_hdr->ttl) {
+- if (multicast)
+- goto rx_accept;
+-
+- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
+- return RX_DROP_MONITOR;
+- }
+-
+ if (mesh_hdr->flags & MESH_FLAGS_AE) {
+ struct mesh_path *mppath;
+ char *proxied_addr;
+@@ -2812,6 +2804,14 @@ ieee80211_rx_mesh_data(struct ieee80211_
+ if (ether_addr_equal(sdata->vif.addr, eth->h_dest))
+ goto rx_accept;
+
++ if (!--mesh_hdr->ttl) {
++ if (multicast)
++ goto rx_accept;
++
++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
++ return RX_DROP_MONITOR;
++ }
++
+ if (!ifmsh->mshcfg.dot11MeshForwarding) {
+ if (is_multicast_ether_addr(eth->h_dest))
+ goto rx_accept;
projects / thirdparty / kernel / stable-queue.git / commitdiff
