From: Greg Kroah-Hartman Date: Tue, 27 Aug 2024 13:42:34 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.107~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b85bb42c28f04d487b22adc8a70af1c89ddce468;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch gfs2-fix-another-freeze-thaw-hang.patch gfs2-remove-freeze_go_demote_ok.patch gfs2-remove-lm_flag_priority-flag.patch ice-fix-w-1-headers-mismatch.patch igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch net-change-maximum-number-of-udp-segments-to-128.patch revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch selftests-net-more-strict-check-in-net_helper.patch selftests-net-remove-executable-bits-from-library-scripts.patch udp-fix-receiving-fraglist-gso-packets.patch wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch wifi-mac80211-fix-mesh-forwarding.patch wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch wifi-mac80211-fix-potential-null-pointer-dereference.patch wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch --- diff --git a/queue-6.1/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch b/queue-6.1/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch new file mode 100644 index 00000000000..423f883cc3f --- /dev/null +++ b/queue-6.1/gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch 
@@ -0,0 +1,53 @@ +From 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Thu, 2 Nov 2023 20:52:30 +0100 +Subject: gfs2: don't withdraw if init_threads() got interrupted + +From: Andreas Gruenbacher + +commit 0cdc6f44e9fdc2d20d720145bf99a39f611f6d61 upstream. + +In gfs2_fill_super(), when mounting a gfs2 filesystem is interrupted, +kthread_create() can return -EINTR. When that happens, we roll back +what has already been done and abort the mount. + +Since commit 62dd0f98a0e5 ("gfs2: Flag a withdraw if init_threads() +fails), we are calling gfs2_withdraw_delayed() in gfs2_fill_super(); +first via gfs2_make_fs_rw(), then directly. But gfs2_withdraw_delayed() +only marks the filesystem as withdrawing and relies on a caller further +up the stack to do the actual withdraw, which doesn't exist in the +gfs2_fill_super() case. Because the filesystem is marked as withdrawing +/ withdrawn, function gfs2_lm_unmount() doesn't release the dlm +lockspace, so when we try to mount that filesystem again, we get: + + gfs2: fsid=gohan:gohan0: Trying to join cluster "lock_dlm", "gohan:gohan0" + gfs2: fsid=gohan:gohan0: dlm_new_lockspace error -17 + +Since commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"), the +deadlock this gfs2_withdraw_delayed() call was supposed to work around +cannot occur anymore because freeze_go_callback() won't take the +sb->s_umount semaphore unconditionally anymore, so we can get rid of the +gfs2_withdraw_delayed() in gfs2_fill_super() entirely. 
+ +Reported-by: Alexander Aring +Signed-off-by: Andreas Gruenbacher +Cc: stable@vger.kernel.org # v6.5+ +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/ops_fstype.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1259,10 +1259,8 @@ static int gfs2_fill_super(struct super_ + + if (!sb_rdonly(sb)) { + error = init_threads(sdp); +- if (error) { +- gfs2_withdraw_delayed(sdp); ++ if (error) + goto fail_per_node; +- } + } + + error = gfs2_freeze_lock_shared(sdp, &sdp->sd_freeze_gh, 0); diff --git a/queue-6.1/gfs2-fix-another-freeze-thaw-hang.patch b/queue-6.1/gfs2-fix-another-freeze-thaw-hang.patch new file mode 100644 index 00000000000..0085e1c0b6b --- /dev/null +++ b/queue-6.1/gfs2-fix-another-freeze-thaw-hang.patch 
@@ -0,0 +1,59 @@ +From 52954b750958dcab9e44935f0c32643279091c85 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 11 Sep 2023 20:00:28 +0200 +Subject: gfs2: Fix another freeze/thaw hang + +From: Andreas Gruenbacher + +commit 52954b750958dcab9e44935f0c32643279091c85 upstream. + +On a thawed filesystem, the freeze glock is held in shared mode. In +order to initiate a cluster-wide freeze, the node initiating the freeze +drops the freeze glock and grabs it in exclusive mode. The other nodes +recognize this as contention on the freeze glock; function +freeze_go_callback is invoked. This indicates to them that they must +freeze the filesystem locally, drop the freeze glock, and then +re-acquire it in shared mode before being able to unfreeze the +filesystem locally. + +While a node is trying to re-acquire the freeze glock in shared mode, +additional contention can occur. In that case, the node must behave in +the same way as above. + +Unfortunately, freeze_go_callback() contains a check that causes it to +bail out when the freeze glock isn't held in shared mode. Fix that to +allow the glock to be unlocked or held in shared mode. + +In addition, update a reference to trylock_super() which has been +renamed to super_trylock_shared() in the meantime. + +Fixes: b77b4a4815a9 ("gfs2: Rework freeze / thaw logic") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/glops.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -566,15 +566,16 @@ static void freeze_go_callback(struct gf + struct super_block *sb = sdp->sd_vfs; + + if (!remote || +- gl->gl_state != LM_ST_SHARED || ++ (gl->gl_state != LM_ST_SHARED && ++ gl->gl_state != LM_ST_UNLOCKED) || + gl->gl_demote_state != LM_ST_UNLOCKED) + return; + + /* + * Try to get an active super block reference to prevent racing with +- * unmount (see trylock_super()). 
But note that unmount isn't the only +- * place where a write lock on s_umount is taken, and we can fail here +- * because of things like remount as well. ++ * unmount (see super_trylock_shared()). But note that unmount isn't ++ * the only place where a write lock on s_umount is taken, and we can ++ * fail here because of things like remount as well. + */ + if (down_read_trylock(&sb->s_umount)) { + atomic_inc(&sb->s_active); diff --git a/queue-6.1/gfs2-remove-freeze_go_demote_ok.patch b/queue-6.1/gfs2-remove-freeze_go_demote_ok.patch new file mode 100644 index 00000000000..d3eea8cf30b --- /dev/null +++ b/queue-6.1/gfs2-remove-freeze_go_demote_ok.patch 
@@ -0,0 +1,55 @@ +From bbacb395ac5c57290cdfd02389788cbce64c237e Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Fri, 1 Sep 2023 21:39:26 +0200 +Subject: gfs2: Remove freeze_go_demote_ok + +From: Andreas Gruenbacher + +commit bbacb395ac5c57290cdfd02389788cbce64c237e upstream. + +Before commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"), the +freeze glock was kept around in the glock cache in shared mode without +being actively held while a filesystem is in thawed state. In that +state, memory pressure could have eventually evicted the freeze glock, +and the freeze_go_demote_ok callback was needed to prevent that from +happening. + +With the freeze / thaw rework, the freeze glock is now always actively +held in shared mode while a filesystem is thawed, and the +freeze_go_demote_ok hack is no longer needed. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/glops.c | 13 ------------- + 1 file changed, 13 deletions(-) + +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -613,18 +613,6 @@ static int freeze_go_xmote_bh(struct gfs + } + + /** +- * freeze_go_demote_ok +- * @gl: the glock +- * +- * Always returns 0 +- */ +- +-static int freeze_go_demote_ok(const struct gfs2_glock *gl) +-{ +- return 0; +-} +- +-/** + * iopen_go_callback - schedule the dcache entry for the inode to be deleted + * @gl: the glock + * @remote: true if this came from a different cluster node +@@ -748,7 +736,6 @@ const struct gfs2_glock_operations gfs2_ + + const struct gfs2_glock_operations gfs2_freeze_glops = { + .go_xmote_bh = freeze_go_xmote_bh, +- .go_demote_ok = freeze_go_demote_ok, + .go_callback = freeze_go_callback, + .go_type = LM_TYPE_NONDISK, + .go_flags = GLOF_NONDISK, diff --git a/queue-6.1/gfs2-remove-lm_flag_priority-flag.patch b/queue-6.1/gfs2-remove-lm_flag_priority-flag.patch new file mode 100644 index 00000000000..a1f8ea488db --- /dev/null +++ b/queue-6.1/gfs2-remove-lm_flag_priority-flag.patch 
@@ -0,0 +1,135 @@ +From 0b93bac2271e11beb980fca037a34a9819c7dc37 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Tue, 8 Aug 2023 20:27:46 +0200 +Subject: gfs2: Remove LM_FLAG_PRIORITY flag + +From: Andreas Gruenbacher + +commit 0b93bac2271e11beb980fca037a34a9819c7dc37 upstream. + +The last user of this flag was removed in commit b77b4a4815a9 ("gfs2: +Rework freeze / thaw logic"). + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/gfs2-glocks.rst | 3 +-- + fs/gfs2/glock.c | 23 ++++++----------------- + fs/gfs2/glock.h | 9 --------- + fs/gfs2/lock_dlm.c | 5 ----- + 4 files changed, 7 insertions(+), 33 deletions(-) + +--- a/Documentation/filesystems/gfs2-glocks.rst ++++ b/Documentation/filesystems/gfs2-glocks.rst +@@ -20,8 +20,7 @@ The gl_holders list contains all the que + just the holders) associated with the glock. If there are any + held locks, then they will be contiguous entries at the head + of the list. Locks are granted in strictly the order that they +-are queued, except for those marked LM_FLAG_PRIORITY which are +-used only during recovery, and even then only for journal locks. ++are queued. + + There are three lock states that users of the glock layer can request, + namely shared (SH), deferred (DF) and exclusive (EX). 
Those translate +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -661,8 +661,7 @@ static void finish_xmote(struct gfs2_glo + if (gh && !test_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags)) { + /* move to back of queue and try next entry */ + if (ret & LM_OUT_CANCELED) { +- if ((gh->gh_flags & LM_FLAG_PRIORITY) == 0) +- list_move_tail(&gh->gh_list, &gl->gl_holders); ++ list_move_tail(&gh->gh_list, &gl->gl_holders); + gh = find_first_waiter(gl); + gl->gl_target = gh->gh_state; + goto retry; +@@ -749,8 +748,7 @@ __acquires(&gl->gl_lockref.lock) + gh && !(gh->gh_flags & LM_FLAG_NOEXP)) + goto skip_inval; + +- lck_flags &= (LM_FLAG_TRY | LM_FLAG_TRY_1CB | LM_FLAG_NOEXP | +- LM_FLAG_PRIORITY); ++ lck_flags &= (LM_FLAG_TRY | LM_FLAG_TRY_1CB | LM_FLAG_NOEXP); + GLOCK_BUG_ON(gl, gl->gl_state == target); + GLOCK_BUG_ON(gl, gl->gl_state == gl->gl_target); + if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) && +@@ -1528,27 +1526,20 @@ fail: + } + if (test_bit(HIF_HOLDER, &gh2->gh_iflags)) + continue; +- if (unlikely((gh->gh_flags & LM_FLAG_PRIORITY) && !insert_pt)) +- insert_pt = &gh2->gh_list; + } + trace_gfs2_glock_queue(gh, 1); + gfs2_glstats_inc(gl, GFS2_LKS_QCOUNT); + gfs2_sbstats_inc(gl, GFS2_LKS_QCOUNT); + if (likely(insert_pt == NULL)) { + list_add_tail(&gh->gh_list, &gl->gl_holders); +- if (unlikely(gh->gh_flags & LM_FLAG_PRIORITY)) +- goto do_cancel; + return; + } + list_add_tail(&gh->gh_list, insert_pt); +-do_cancel: + gh = list_first_entry(&gl->gl_holders, struct gfs2_holder, gh_list); +- if (!(gh->gh_flags & LM_FLAG_PRIORITY)) { +- spin_unlock(&gl->gl_lockref.lock); +- if (sdp->sd_lockstruct.ls_ops->lm_cancel) +- sdp->sd_lockstruct.ls_ops->lm_cancel(gl); +- spin_lock(&gl->gl_lockref.lock); +- } ++ spin_unlock(&gl->gl_lockref.lock); ++ if (sdp->sd_lockstruct.ls_ops->lm_cancel) ++ sdp->sd_lockstruct.ls_ops->lm_cancel(gl); ++ spin_lock(&gl->gl_lockref.lock); + return; + + trap_recursive: +@@ -2296,8 +2287,6 @@ static const char *hflags2str(char *buf, + *p++ = 
'e'; + if (flags & LM_FLAG_ANY) + *p++ = 'A'; +- if (flags & LM_FLAG_PRIORITY) +- *p++ = 'p'; + if (flags & LM_FLAG_NODE_SCOPE) + *p++ = 'n'; + if (flags & GL_ASYNC) +--- a/fs/gfs2/glock.h ++++ b/fs/gfs2/glock.h +@@ -68,14 +68,6 @@ enum { + * also be granted in SHARED. The preferred state is whichever is compatible + * with other granted locks, or the specified state if no other locks exist. + * +- * LM_FLAG_PRIORITY +- * Override fairness considerations. Suppose a lock is held in a shared state +- * and there is a pending request for the deferred state. A shared lock +- * request with the priority flag would be allowed to bypass the deferred +- * request and directly join the other shared lock. A shared lock request +- * without the priority flag might be forced to wait until the deferred +- * requested had acquired and released the lock. +- * + * LM_FLAG_NODE_SCOPE + * This holder agrees to share the lock within this node. In other words, + * the glock is held in EX mode according to DLM, but local holders on the +@@ -86,7 +78,6 @@ enum { + #define LM_FLAG_TRY_1CB 0x0002 + #define LM_FLAG_NOEXP 0x0004 + #define LM_FLAG_ANY 0x0008 +-#define LM_FLAG_PRIORITY 0x0010 + #define LM_FLAG_NODE_SCOPE 0x0020 + #define GL_ASYNC 0x0040 + #define GL_EXACT 0x0080 +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -222,11 +222,6 @@ static u32 make_flags(struct gfs2_glock + lkf |= DLM_LKF_NOQUEUEBAST; + } + +- if (gfs_flags & LM_FLAG_PRIORITY) { +- lkf |= DLM_LKF_NOORDER; +- lkf |= DLM_LKF_HEADQUE; +- } +- + if (gfs_flags & LM_FLAG_ANY) { + if (req == DLM_LOCK_PR) + lkf |= DLM_LKF_ALTCW; diff --git a/queue-6.1/ice-fix-w-1-headers-mismatch.patch b/queue-6.1/ice-fix-w-1-headers-mismatch.patch new file mode 100644 index 00000000000..03506e1193d --- /dev/null +++ b/queue-6.1/ice-fix-w-1-headers-mismatch.patch 
@@ -0,0 +1,56 @@ +From 66ceaa4c4507f2b598d37b528796dd34158d31bf Mon Sep 17 00:00:00 2001 +From: Jesse Brandeburg +Date: Mon, 13 Mar 2023 13:36:07 -0700 +Subject: ice: fix W=1 headers mismatch + +From: Jesse Brandeburg + +commit 66ceaa4c4507f2b598d37b528796dd34158d31bf upstream. + +make modules W=1 returns: +.../ice/ice_txrx_lib.c:448: warning: Function parameter or member 'first_idx' not described in 'ice_finalize_xdp_rx' +.../ice/ice_txrx.c:948: warning: Function parameter or member 'ntc' not described in 'ice_get_rx_buf' +.../ice/ice_txrx.c:1038: warning: Excess function parameter 'rx_buf' description in 'ice_construct_skb' + +Fix these warnings by adding and deleting the deviant arguments. + +Fixes: 2fba7dc5157b ("ice: Add support for XDP multi-buffer on Rx side") +Fixes: d7956d81f150 ("ice: Pull out next_to_clean bump out of ice_put_rx_buf()") +CC: Maciej Fijalkowski +Signed-off-by: Jesse Brandeburg +Reviewed-by: Piotr Raczynski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 2 +- + drivers/net/ethernet/intel/ice/ice_txrx_lib.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -892,6 +892,7 @@ ice_reuse_rx_page(struct ice_rx_ring *rx + * ice_get_rx_buf - Fetch Rx buffer and synchronize data for use + * @rx_ring: Rx descriptor ring to transact packets on + * @size: size of buffer to add to skb ++ * @ntc: index of next to clean element + * + * This function will pull an Rx buffer from the ring and synchronize it + * for use by the CPU. +@@ -973,7 +974,6 @@ ice_build_skb(struct ice_rx_ring *rx_rin + /** + * ice_construct_skb - Allocate skb and populate it + * @rx_ring: Rx descriptor ring to transact packets on +- * @rx_buf: Rx buffer to pull data from + * @xdp: xdp_buff pointing to the data + * + * This function allocates an skb. 
It then populates it with the page +--- a/drivers/net/ethernet/intel/ice/ice_txrx_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx_lib.c +@@ -349,6 +349,7 @@ int ice_xmit_xdp_buff(struct xdp_buff *x + * ice_finalize_xdp_rx - Bump XDP Tx tail and/or flush redirect map + * @xdp_ring: XDP ring + * @xdp_res: Result of the receive batch ++ * @first_idx: index to write from caller + * + * This function bumps XDP Tx tail and/or flush redirect map, and + * should be called when a batch of packets has been processed in the diff --git a/queue-6.1/igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch b/queue-6.1/igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch new file mode 100644 index 00000000000..256fb7f5bcc --- /dev/null +++ b/queue-6.1/igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch 
@@ -0,0 +1,90 @@ +From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 +From: Faizal Rahim +Date: Sun, 7 Jul 2024 08:53:18 -0400 +Subject: igc: Fix qbv tx latency by setting gtxoffset + +From: Faizal Rahim + +commit 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 upstream. + +A large tx latency issue was discovered during testing when only QBV was +enabled. The issue occurs because gtxoffset was not set when QBV is +active, it was only set when launch time is active. + +The patch "igc: Correct the launchtime offset" only sets gtxoffset when +the launchtime_enable field is set by the user. Enabling launchtime_enable +ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as +LaunchT in the SW user manual). + +Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: +"The latency between transmission scheduling (launch time) and the +time the packet is transmitted to the network is listed in Table 7-61." + +However, the patch misinterprets the phrase "launch time" in that section +by assuming it specifically refers to the LaunchT register, whereas it +actually denotes the generic term for when a packet is released from the +internal buffer to the MAC transmit logic. + +This launch time, as per that section, also implicitly refers to the QBV +gate open time, where a packet waits in the buffer for the QBV gate to +open. Therefore, latency applies whenever QBV is in use. TSN features such +as QBU and QAV reuse QBV, making the latency universal to TSN features. + +Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that +the term "launch time" used in Section 7.5.2.6 is not clear and can be +easily misinterpreted. Avi will update this section to: +"When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission +scheduling and the time the packet is transmitted to the network is listed +in Table 7-61." 
+ +Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to +write to gtxoffset, aligning with the newly updated SW User Manual. + +Tested: +1. Enrol taprio on talker board + base-time 0 + cycle-time 1000000 + flags 0x2 + index 0 cmd S gatemask 0x1 interval1 + index 0 cmd S gatemask 0x1 interval2 + + Note: + interval1 = interval for a 64 bytes packet to go through + interval2 = cycle-time - interval1 + +2. Take tcpdump on listener board + +3. Use udp tai app on talker to send packets to listener + +4. Check the timestamp on listener via wireshark + +Test Result: +100 Mbps: 113 ~193 ns +1000 Mbps: 52 ~ 84 ns +2500 Mbps: 95 ~ 223 ns + +Note that the test result is similar to the patch "igc: Correct the +launchtime offset". + +Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") +Signed-off-by: Faizal Rahim +Reviewed-by: Simon Horman +Acked-by: Vinicius Costa Gomes +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igc/igc_tsn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igc/igc_tsn.c ++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c +@@ -54,7 +54,7 @@ void igc_tsn_adjust_txtime_offset(struct + struct igc_hw *hw = &adapter->hw; + u16 txoffset; + +- if (!is_any_launchtime(adapter)) ++ if (!igc_tsn_is_tx_mode_in_tsn(adapter)) + return; + + switch (adapter->link_speed) { diff --git a/queue-6.1/md-fix-overflow-in-is_mddev_idle.patch b/queue-6.1/md-fix-overflow-in-is_mddev_idle.patch deleted file mode 100644 index d1a31fd8296..00000000000 --- a/queue-6.1/md-fix-overflow-in-is_mddev_idle.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 5b4bb06afdccff756d8c31a557d5320841b0fe24 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Jan 2024 11:19:45 +0800 -Subject: md: Fix overflow in is_mddev_idle - -From: Li Nan - -[ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ] - -UBSAN reports this problem: - - UBSAN: Undefined behaviour in drivers/md/md.c:8175:15 - signed integer overflow: - -2147483291 - 2072033152 cannot be represented in type 'int' - Call trace: - dump_backtrace+0x0/0x310 - show_stack+0x28/0x38 - dump_stack+0xec/0x15c - ubsan_epilogue+0x18/0x84 - handle_overflow+0x14c/0x19c - __ubsan_handle_sub_overflow+0x34/0x44 - is_mddev_idle+0x338/0x3d8 - md_do_sync+0x1bb8/0x1cf8 - md_thread+0x220/0x288 - kthread+0x1d8/0x1e0 - ret_from_fork+0x10/0x18 - -'curr_events' will overflow when stat accum or 'sync_io' is greater than -INT_MAX. - -Fix it by changing sync_io, last_events and curr_events to 64bit. - -Signed-off-by: Li Nan -Reviewed-by: Yu Kuai -Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com -Signed-off-by: Song Liu -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 7 ++++--- - drivers/md/md.h | 4 ++-- - include/linux/blkdev.h | 2 +- - 3 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 297c86f5c70b5..a3b0ac0732c94 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -8540,14 +8540,15 @@ static int is_mddev_idle(struct mddev *mddev, int init) - { - struct md_rdev *rdev; - int idle; -- int curr_events; -+ long long curr_events; - - idle = 1; - rcu_read_lock(); - rdev_for_each_rcu(rdev, mddev) { - struct gendisk *disk = rdev->bdev->bd_disk; -- curr_events = (int)part_stat_read_accum(disk->part0, sectors) - -- atomic_read(&disk->sync_io); -+ curr_events = -+ (long long)part_stat_read_accum(disk->part0, sectors) - -+ atomic64_read(&disk->sync_io); - /* sync IO will cause sync_io to increase before the disk_stats - * as sync_io is counted when a request starts, and - * 
disk_stats is counted when it completes. -diff --git a/drivers/md/md.h b/drivers/md/md.h -index 4f0b480974552..5910527514db2 100644 ---- a/drivers/md/md.h -+++ b/drivers/md/md.h -@@ -50,7 +50,7 @@ struct md_rdev { - - sector_t sectors; /* Device size (in 512bytes sectors) */ - struct mddev *mddev; /* RAID array if running */ -- int last_events; /* IO event timestamp */ -+ long long last_events; /* IO event timestamp */ - - /* - * If meta_bdev is non-NULL, it means that a separate device is -@@ -576,7 +576,7 @@ extern void mddev_unlock(struct mddev *mddev); - - static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors) - { -- atomic_add(nr_sectors, &bdev->bd_disk->sync_io); -+ atomic64_add(nr_sectors, &bdev->bd_disk->sync_io); - } - - static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors) -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index e255674a9ee72..02e55676e0283 100644 ---- a/include/linux/blkdev.h -+++ b/include/linux/blkdev.h -@@ -161,7 +161,7 @@ struct gendisk { - struct list_head slave_bdevs; - #endif - struct timer_rand_state *random; -- atomic_t sync_io; /* RAID */ -+ atomic64_t sync_io; /* RAID */ - struct disk_events *ev; - #ifdef CONFIG_BLK_DEV_INTEGRITY - struct kobject integrity_kobj; --- -2.43.0 - diff --git a/queue-6.1/net-change-maximum-number-of-udp-segments-to-128.patch b/queue-6.1/net-change-maximum-number-of-udp-segments-to-128.patch new file mode 100644 index 00000000000..e09fb1916da --- /dev/null +++ b/queue-6.1/net-change-maximum-number-of-udp-segments-to-128.patch 
@@ -0,0 +1,64 @@ +From 1382e3b6a3500c245e5278c66d210c02926f804f Mon Sep 17 00:00:00 2001 +From: Yuri Benditovich +Date: Thu, 11 Apr 2024 08:11:24 +0300 +Subject: net: change maximum number of UDP segments to 128 + +From: Yuri Benditovich + +commit 1382e3b6a3500c245e5278c66d210c02926f804f upstream. + +The commit fc8b2a619469 +("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation") +adds check of potential number of UDP segments vs +UDP_MAX_SEGMENTS in linux/virtio_net.h. +After this change certification test of USO guest-to-guest +transmit on Windows driver for virtio-net device fails, +for example with packet size of ~64K and mss of 536 bytes. +In general the USO should not be more restrictive than TSO. +Indeed, in case of unreasonably small mss a lot of segments +can cause queue overflow and packet loss on the destination. +Limit of 128 segments is good for any practical purpose, +with minimal meaningful mss of 536 the maximal UDP packet will +be divided to ~120 segments. +The number of segments for UDP packets is validated vs +UDP_MAX_SEGMENTS also in udp.c (v4,v6), this does not affect +quest-to-guest path but does affect packets sent to host, for +example. +It is important to mention that UDP_MAX_SEGMENTS is kernel-only +define and not available to user mode socket applications. +In order to request MSS smaller than MTU the applications +just uses setsockopt with SOL_UDP and UDP_SEGMENT and there is +no limitations on socket API level. + +Fixes: fc8b2a619469 ("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation") +Signed-off-by: Yuri Benditovich +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/udp.h | 2 +- + tools/testing/selftests/net/udpgso.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/udp.h ++++ b/include/linux/udp.h +@@ -102,7 +102,7 @@ struct udp_sock { + #define udp_assign_bit(nr, sk, val) \ + assign_bit(UDP_FLAGS_##nr, &udp_sk(sk)->udp_flags, val) + +-#define UDP_MAX_SEGMENTS (1 << 6UL) ++#define UDP_MAX_SEGMENTS (1 << 7UL) + + static inline struct udp_sock *udp_sk(const struct sock *sk) + { +--- a/tools/testing/selftests/net/udpgso.c ++++ b/tools/testing/selftests/net/udpgso.c +@@ -34,7 +34,7 @@ + #endif + + #ifndef UDP_MAX_SEGMENTS +-#define UDP_MAX_SEGMENTS (1 << 6UL) ++#define UDP_MAX_SEGMENTS (1 << 7UL) + #endif + + #define CONST_MTU_TEST 1500 diff --git a/queue-6.1/revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch b/queue-6.1/revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch new file mode 100644 index 00000000000..2886a77798f --- /dev/null +++ b/queue-6.1/revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch 
@@ -0,0 +1,44 @@ +From e42e29cc442395d62f1a8963ec2dfb700ba6a5d7 Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Mon, 29 Jan 2024 08:40:23 -0600 +Subject: Revert "jfs: fix shift-out-of-bounds in dbJoin" + +From: Dave Kleikamp + +commit e42e29cc442395d62f1a8963ec2dfb700ba6a5d7 upstream. + +This reverts commit cca974daeb6c43ea971f8ceff5a7080d7d49ee30. + +The added sanity check is incorrect. BUDMIN is not the wrong value and +is too small. + +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2765,9 +2765,7 @@ static int dbBackSplit(dmtree_t *tp, int + * leafno - the number of the leaf to be updated. + * newval - the new value for the leaf. + * +- * RETURN VALUES: +- * 0 - success +- * -EIO - i/o error ++ * RETURN VALUES: none + */ + static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl) + { +@@ -2794,10 +2792,6 @@ static int dbJoin(dmtree_t *tp, int leaf + * get the buddy size (number of words covered) of + * the new value. + */ +- +- if ((newval - tp->dmt_budmin) > BUDMIN) +- return -EIO; +- + budsz = BUDSIZE(newval, tp->dmt_budmin); + + /* try to join. diff --git a/queue-6.1/selftests-net-more-strict-check-in-net_helper.patch b/queue-6.1/selftests-net-more-strict-check-in-net_helper.patch new file mode 100644 index 00000000000..700353d72ea --- /dev/null +++ b/queue-6.1/selftests-net-more-strict-check-in-net_helper.patch 
@@ -0,0 +1,57 @@ +From a71d0908e32f3dd41e355d83eeadd44d94811fd6 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 12 Feb 2024 11:19:23 +0100 +Subject: selftests: net: more strict check in net_helper + +From: Paolo Abeni + +commit a71d0908e32f3dd41e355d83eeadd44d94811fd6 upstream. + +The helper waiting for a listener port can match any socket whose +hexadecimal representation of source or destination addresses +matches that of the given port. + +Additionally, any socket state is accepted. + +All the above can let the helper return successfully before the +relevant listener is actually ready, with unexpected results. + +So far I could not find any related failure in the netdev CI, but +the next patch is going to make the critical event more easily +reproducible. + +Address the issue matching the port hex only vs the relevant socket +field and additionally checking the socket state for TCP sockets. + +Fixes: 3bdd9fd29cb0 ("selftests/net: synchronize udpgro tests' tx and rx connection") +Signed-off-by: Paolo Abeni +Link: https://lore.kernel.org/r/192b3dbc443d953be32991d1b0ca432bd4c65008.1707731086.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/net_helper.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/net_helper.sh ++++ b/tools/testing/selftests/net/net_helper.sh +@@ -8,13 +8,16 @@ wait_local_port_listen() + local listener_ns="${1}" + local port="${2}" + local protocol="${3}" +- local port_hex ++ local pattern + local i + +- port_hex="$(printf "%04X" "${port}")" ++ pattern=":$(printf "%04X" "${port}") " ++ ++ # for tcp protocol additionally check the socket state ++ [ ${protocol} = "tcp" ] && pattern="${pattern}0A" + for i in $(seq 10); do +- if ip netns exec "${listener_ns}" cat /proc/net/"${protocol}"* | \ +- grep -q "${port_hex}"; then ++ if ip netns exec "${listener_ns}" awk '{print $2" "$4}' \ ++ /proc/net/"${protocol}"* | 
grep -q "${pattern}"; then + break + fi + sleep 0.1 diff --git a/queue-6.1/selftests-net-remove-executable-bits-from-library-scripts.patch b/queue-6.1/selftests-net-remove-executable-bits-from-library-scripts.patch new file mode 100644 index 00000000000..3a4c9870ca3 --- /dev/null +++ b/queue-6.1/selftests-net-remove-executable-bits-from-library-scripts.patch @@ -0,0 +1,30 @@ +From 9d851dd4dab63e95c1911a2fa847796d1ec5d58d Mon Sep 17 00:00:00 2001 +From: Benjamin Poirier +Date: Wed, 31 Jan 2024 09:08:46 -0500 +Subject: selftests: net: Remove executable bits from library scripts + +From: Benjamin Poirier + +commit 9d851dd4dab63e95c1911a2fa847796d1ec5d58d upstream. + +setup_loopback.sh and net_helper.sh are meant to be sourced from other +scripts, not executed directly. Therefore, remove the executable bits from +those files' permissions. + +This change is similar to commit 49078c1b80b6 ("selftests: forwarding: +Remove executable bits from lib.sh") + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Fixes: 3bdd9fd29cb0 ("selftests/net: synchronize udpgro tests' tx and rx connection") +Suggested-by: Paolo Abeni +Signed-off-by: Benjamin Poirier +Link: https://lore.kernel.org/r/20240131140848.360618-4-bpoirier@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/net_helper.sh | 0 + tools/testing/selftests/net/setup_loopback.sh | 0 + 0 files changed + mode change 100755 => 100644 tools/testing/selftests/net/net_helper.sh + mode change 100755 => 100644 tools/testing/selftests/net/setup_loopback.sh + diff --git a/queue-6.1/series b/queue-6.1/series index da79f8dfd33..9456ea44f29 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -198,7 +198,6 @@ s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch irqchip-renesas-rzg2l-do-not-set-tien-and-tint-sourc.patch clocksource-make-watchdog-and-suspend-timing-multipl.patch platform-x86-lg-laptop-fix-s-null-argument-warning.patch -md-fix-overflow-in-is_mddev_idle.patch usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch fbdev-offb-replace-of_node_put-with-__free-device_no.patch irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch @@ -302,3 +301,22 @@ udp-allow-header-check-for-dodgy-gso_udp_l4-packets.patch gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch net-more-strict-virtio_net_hdr_gso_udp_l4-validation.patch net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch +wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch +wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch +wifi-mac80211-fix-mesh-forwarding.patch +wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch +wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch +wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch +wifi-mac80211-fix-potential-null-pointer-dereference.patch +wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch +gfs2-fix-another-freeze-thaw-hang.patch +gfs2-don-t-withdraw-if-init_threads-got-interrupted.patch +gfs2-remove-lm_flag_priority-flag.patch +gfs2-remove-freeze_go_demote_ok.patch +igc-fix-qbv-tx-latency-by-setting-gtxoffset.patch +udp-fix-receiving-fraglist-gso-packets.patch +ice-fix-w-1-headers-mismatch.patch +revert-jfs-fix-shift-out-of-bounds-in-dbjoin.patch +net-change-maximum-number-of-udp-segments-to-128.patch +selftests-net-more-strict-check-in-net_helper.patch +selftests-net-remove-executable-bits-from-library-scripts.patch diff --git a/queue-6.1/udp-fix-receiving-fraglist-gso-packets.patch b/queue-6.1/udp-fix-receiving-fraglist-gso-packets.patch new file mode 100644 index 00000000000..bef59ca0fd4 --- /dev/null 
+++ b/queue-6.1/udp-fix-receiving-fraglist-gso-packets.patch @@ -0,0 +1,34 @@ +From b128ed5ab27330deeeaf51ea8bb69f1442a96f7f Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Mon, 19 Aug 2024 17:06:21 +0200 +Subject: udp: fix receiving fraglist GSO packets + +From: Felix Fietkau + +commit b128ed5ab27330deeeaf51ea8bb69f1442a96f7f upstream. + +When assembling fraglist GSO packets, udp4_gro_complete does not set +skb->csum_start, which makes the extra validation in __udp_gso_segment fail. + +Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr") +Signed-off-by: Felix Fietkau +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240819150621.59833-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -278,7 +278,8 @@ struct sk_buff *__udp_gso_segment(struct + return ERR_PTR(-EINVAL); + + if (unlikely(skb_checksum_start(gso_skb) != +- skb_transport_header(gso_skb))) ++ skb_transport_header(gso_skb) && ++ !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST))) + return ERR_PTR(-EINVAL); + + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { diff --git a/queue-6.1/wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch b/queue-6.1/wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch new file mode 100644 index 00000000000..1e48aa8809f --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-receiving-mesh-packets-without-rfc1042-header.patch 
@@ -0,0 +1,34 @@ +From fec3ebb5ed299ac3a998f011c380f2ded47f4866 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 11 Jul 2023 13:50:52 +0200 +Subject: wifi: cfg80211: fix receiving mesh packets without RFC1042 header + +From: Felix Fietkau + +commit fec3ebb5ed299ac3a998f011c380f2ded47f4866 upstream. + +Fix ethernet header length field after stripping the mesh header + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/CT5GNZSK28AI.2K6M69OXM9RW5@syracuse/ +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Reported-and-tested-by: Nicolas Escande +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230711115052.68430-1-nbd@nbd.name +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/util.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -580,6 +580,8 @@ int ieee80211_strip_8023_mesh_hdr(struct + hdrlen += ETH_ALEN + 2; + else if (!pskb_may_pull(skb, hdrlen)) + return -EINVAL; ++ else ++ payload.eth.h_proto = htons(skb->len - hdrlen); + + mesh_addr = skb->data + sizeof(payload.eth) + ETH_ALEN; + switch (payload.flags & MESH_FLAGS_AE) { diff --git a/queue-6.1/wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch b/queue-6.1/wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch new file mode 100644 index 00000000000..e62de0a4c3a --- /dev/null +++ b/queue-6.1/wifi-mac80211-add-documentation-for-amsdu_mesh_control.patch 
@@ -0,0 +1,31 @@ +From 3caf31e7b18a90b74a2709d761a0dfa423f2c2e4 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 15 Feb 2023 18:30:26 +0100 +Subject: wifi: mac80211: add documentation for amsdu_mesh_control + +From: Johannes Berg + +commit 3caf31e7b18a90b74a2709d761a0dfa423f2c2e4 upstream. + +This documentation wasn't added in the original patch, +add it now. + +Reported-by: Stephen Rothwell +Fixes: 6e4c0d0460bd ("wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -621,6 +621,8 @@ struct link_sta_info { + * taken from HT/VHT capabilities or VHT operating mode notification + * @cparams: CoDel parameters for this station. + * @reserved_tid: reserved TID (if any, otherwise IEEE80211_TID_UNRESERVED) ++ * @amsdu_mesh_control: track the mesh A-MSDU format used by the peer ++ * (-1: not yet known, 0: non-standard [without mesh header], 1: standard) + * @fast_tx: TX fastpath information + * @fast_rx: RX fastpath information + * @tdls_chandef: a TDLS peer can have a wider chandef that is compatible to diff --git a/queue-6.1/wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch b/queue-6.1/wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch new file mode 100644 index 00000000000..1a45f780489 --- /dev/null +++ b/queue-6.1/wifi-mac80211-drop-bogus-static-keywords-in-a-msdu-rx.patch 
@@ -0,0 +1,41 @@ +From 4d78e032fee5d532e189cdb2c3c76112094e9751 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 30 Mar 2023 11:00:00 +0200 +Subject: wifi: mac80211: drop bogus static keywords in A-MSDU rx + +From: Felix Fietkau + +commit 4d78e032fee5d532e189cdb2c3c76112094e9751 upstream. + +These were unintentional copy&paste mistakes. + +Cc: stable@vger.kernel.org +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230330090001.60750-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2904,7 +2904,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_ + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; + __le16 fc = hdr->frame_control; + struct sk_buff_head frame_list; +- static ieee80211_rx_result res; ++ ieee80211_rx_result res; + struct ethhdr ethhdr; + const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source; + +@@ -3045,7 +3045,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_ + struct net_device *dev = sdata->dev; + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; + __le16 fc = hdr->frame_control; +- static ieee80211_rx_result res; ++ ieee80211_rx_result res; + bool port_control; + int err; + diff --git a/queue-6.1/wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch b/queue-6.1/wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch new file mode 100644 index 00000000000..29daa37675c --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-flow-dissection-for-forwarded-packets.patch 
@@ -0,0 +1,31 @@ +From 899c2c11810cfe38cb01c847d0df98e181ea5728 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 24 Mar 2023 13:09:23 +0100 +Subject: wifi: mac80211: fix flow dissection for forwarded packets + +From: Felix Fietkau + +commit 899c2c11810cfe38cb01c847d0df98e181ea5728 upstream. + +Adjust the network header to point at the correct payload offset + +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230324120924.38412-2-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2855,7 +2855,7 @@ ieee80211_rx_mesh_data(struct ieee80211_ + hdrlen += ETH_ALEN; + else + fwd_skb->protocol = htons(fwd_skb->len - hdrlen); +- skb_set_network_header(fwd_skb, hdrlen); ++ skb_set_network_header(fwd_skb, hdrlen + 2); + + info = IEEE80211_SKB_CB(fwd_skb); + memset(info, 0, sizeof(*info)); diff --git a/queue-6.1/wifi-mac80211-fix-mesh-forwarding.patch b/queue-6.1/wifi-mac80211-fix-mesh-forwarding.patch new file mode 100644 index 00000000000..dfff3e6c7da --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-mesh-forwarding.patch 
@@ -0,0 +1,32 @@ +From 8f0149a8ac59c12cd47271ac625c27dac5621d3a Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 24 Mar 2023 13:09:22 +0100 +Subject: wifi: mac80211: fix mesh forwarding + +From: Felix Fietkau + +commit 8f0149a8ac59c12cd47271ac625c27dac5621d3a upstream. + +Linearize packets (needed for forwarding A-MSDU subframes). + +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230324120924.38412-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2838,6 +2838,9 @@ ieee80211_rx_mesh_data(struct ieee80211_ + + if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr))) + return RX_DROP_UNUSABLE; ++ ++ if (skb_linearize(fwd_skb)) ++ return RX_DROP_UNUSABLE; + } + + fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr)); diff --git a/queue-6.1/wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch b/queue-6.1/wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch new file mode 100644 index 00000000000..bc2c4f38a56 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch 
@@ -0,0 +1,62 @@ +From f355f70145744518ca1d9799b42f4a8da9aa0d36 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 14 Mar 2023 10:59:52 +0100 +Subject: wifi: mac80211: fix mesh path discovery based on unicast packets + +From: Felix Fietkau + +commit f355f70145744518ca1d9799b42f4a8da9aa0d36 upstream. + +If a packet has reached its intended destination, it was bumped to the code +that accepts it, without first checking if a mesh_path needs to be created +based on the discovered source. +Fix this by moving the destination address check further down. + +Cc: stable@vger.kernel.org +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230314095956.62085-3-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2770,17 +2770,6 @@ ieee80211_rx_mesh_data(struct ieee80211_ + mesh_rmc_check(sdata, eth->h_source, mesh_hdr)) + return RX_DROP_MONITOR; + +- /* Frame has reached destination. Don't forward */ +- if (ether_addr_equal(sdata->vif.addr, eth->h_dest)) +- goto rx_accept; +- +- if (!ifmsh->mshcfg.dot11MeshForwarding) { +- if (is_multicast_ether_addr(eth->h_dest)) +- goto rx_accept; +- +- return RX_DROP_MONITOR; +- } +- + /* forward packet */ + if (sdata->crypto_tx_tailroom_needed_cnt) + tailroom = IEEE80211_ENCRYPT_TAILROOM; +@@ -2819,6 +2808,17 @@ ieee80211_rx_mesh_data(struct ieee80211_ + rcu_read_unlock(); + } + ++ /* Frame has reached destination. 
Don't forward */ ++ if (ether_addr_equal(sdata->vif.addr, eth->h_dest)) ++ goto rx_accept; ++ ++ if (!ifmsh->mshcfg.dot11MeshForwarding) { ++ if (is_multicast_ether_addr(eth->h_dest)) ++ goto rx_accept; ++ ++ return RX_DROP_MONITOR; ++ } ++ + skb_set_queue_mapping(skb, ieee802_1d_to_ac[skb->priority]); + + ieee80211_fill_mesh_addresses(&hdr, &hdr.frame_control, diff --git a/queue-6.1/wifi-mac80211-fix-potential-null-pointer-dereference.patch b/queue-6.1/wifi-mac80211-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..331fbf2bbcb --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-potential-null-pointer-dereference.patch 
@@ -0,0 +1,42 @@ +From a16fc38315f2c69c520ee769976ecb9c706b8560 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 30 Mar 2023 11:00:01 +0200 +Subject: wifi: mac80211: fix potential null pointer dereference + +From: Felix Fietkau + +commit a16fc38315f2c69c520ee769976ecb9c706b8560 upstream. + +rx->sta->amsdu_mesh_control is being passed to ieee80211_amsdu_to_8023s +without checking rx->sta. Since it doesn't make sense to accept A-MSDU +packets without a sta, simply add a check earlier. + +Fixes: 6e4c0d0460bd ("wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230330090001.60750-2-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2938,7 +2938,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_ + data_offset, true)) + return RX_DROP_UNUSABLE; + +- if (rx->sta && rx->sta->amsdu_mesh_control < 0) { ++ if (rx->sta->amsdu_mesh_control < 0) { + bool valid_std = ieee80211_is_valid_amsdu(skb, true); + bool valid_nonstd = ieee80211_is_valid_amsdu(skb, false); + +@@ -3014,7 +3014,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx + } + } + +- if (is_multicast_ether_addr(hdr->addr1)) ++ if (is_multicast_ether_addr(hdr->addr1) || !rx->sta) + return RX_DROP_UNUSABLE; + + if (rx->key) { diff --git a/queue-6.1/wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch b/queue-6.1/wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch new file mode 100644 index 00000000000..90304245b47 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-receiving-mesh-packets-in-forwarding-0-networks.patch 
@@ -0,0 +1,59 @@ +From e26c0946a5c1aa4d27f8dfe78f2a72b4550df91f Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sun, 26 Mar 2023 17:17:09 +0200 +Subject: wifi: mac80211: fix receiving mesh packets in forwarding=0 networks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Fietkau + +commit e26c0946a5c1aa4d27f8dfe78f2a72b4550df91f upstream. + +When forwarding is set to 0, frames are typically sent with ttl=1. +Move the ttl decrement check below the check for local receive in order to +fix packet drops. + +Reported-by: Thomas Hühn +Reported-by: Nick Hainke +Fixes: 986e43b19ae9 ("wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20230326151709.17743-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2774,14 +2774,6 @@ ieee80211_rx_mesh_data(struct ieee80211_ + if (sdata->crypto_tx_tailroom_needed_cnt) + tailroom = IEEE80211_ENCRYPT_TAILROOM; + +- if (!--mesh_hdr->ttl) { +- if (multicast) +- goto rx_accept; +- +- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); +- return RX_DROP_MONITOR; +- } +- + if (mesh_hdr->flags & MESH_FLAGS_AE) { + struct mesh_path *mppath; + char *proxied_addr; +@@ -2812,6 +2804,14 @@ ieee80211_rx_mesh_data(struct ieee80211_ + if (ether_addr_equal(sdata->vif.addr, eth->h_dest)) + goto rx_accept; + ++ if (!--mesh_hdr->ttl) { ++ if (multicast) ++ goto rx_accept; ++ ++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); ++ return RX_DROP_MONITOR; ++ } ++ + if (!ifmsh->mshcfg.dot11MeshForwarding) { + if (is_multicast_ether_addr(eth->h_dest)) + goto rx_accept;
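Review bot: selftests-net-remove-executable-bits-from-library-scripts.patch carries only the diffstat summary ("0 files changed" plus the two "mode change 100755 => 100644" lines) and no diff section with old mode / new mode lines for net_helper.sh or setup_loopback.sh, so a tool that applies the queue from the diff body has nothing to act on. Regenerate the patch so the mode change is in its body, or leave it out of the series.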
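Review bot: the first queue-6.1/series hunk removes md-fix-overflow-in-is_mddev_idle.patch, but the commit message lists only added patches. Record the drop and the reason for it in the message so the queue history explains why that fix left 6.1.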
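Review bot: in udp-fix-receiving-fraglist-gso-packets.patch, the __udp_gso_segment() hunk exempts every skb with SKB_GSO_FRAGLIST set from the skb_checksum_start() versus skb_transport_header() comparison that 89add40066f9 added to drop bad virtio_net_hdr input. The commit message covers the GRO side (udp4_gro_complete not setting skb->csum_start) but does not say why that flag can never accompany an untrusted csum_start. State that in the message or in a comment above the condition, so the exemption is not read as a general bypass of the validation.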
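Review bot: in the ieee80211_strip_8023_mesh_hdr() hunk, the new else branch stores htons(skb->len - hdrlen) in payload.eth.h_proto without bounding the value. A value of 0x0600 or more in that field is read as an EtherType rather than an 802.3 length, so either reject payloads that long or add a comment saying why they cannot reach this branch.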
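Review bot: dropping "static" from res in __ieee80211_rx_h_amsdu() and ieee80211_rx_h_data() also removes its implicit zero initialisation, so check that every path assigns res before it is read or returned. The commit message calls these copy&paste mistakes; it should also say that a static local is one object shared by all callers of these RX handlers, since that is the behaviour the change removes.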
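Review bot: skb_set_network_header(fwd_skb, hdrlen + 2) in ieee80211_rx_mesh_data() uses a bare 2. Say what it skips (presumably the two-byte length/protocol field, going by the htons(fwd_skb->len - hdrlen) line above) with sizeof(__be16) or a short comment, and confirm the offset is also right for the branch that does hdrlen += ETH_ALEN, because the call sits after both branches.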
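Review bot: after the move in wifi-mac80211-fix-mesh-path-discovery-based-on-unicast-packets.patch, the "/* forward packet */" comment and the tailroom setup under it in ieee80211_rx_mesh_data() also run for frames addressed to this interface and for interfaces with dot11MeshForwarding off, which are only accepted or dropped further down. Reword or move that comment next to the relocated checks, and have the message state that the code between the old and new positions is safe for frames that will not be forwarded.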
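Review bot: the first hunk of wifi-mac80211-fix-potential-null-pointer-dereference.patch removes the "rx->sta &&" guard in __ieee80211_rx_h_amsdu(), so the dereference in "rx->sta->amsdu_mesh_control < 0" is safe only if every caller has already rejected a NULL rx->sta. The patch adds that check to ieee80211_rx_h_amsdu() alone. Confirm there is no other caller, or keep the local guard as well.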
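Review bot: the relocated TTL block in ieee80211_rx_mesh_data() tests the local "multicast", while the dot11MeshForwarding block directly below it calls is_multicast_ether_addr(eth->h_dest) again; use one form in both. The decrement "--mesh_hdr->ttl" also still runs before the forwarding-disabled check, so on a forwarding=0 interface a unicast frame for another node that arrives with ttl=1 is counted in dropped_frames_ttl. If that accounting is not intended, move the TTL block below the dot11MeshForwarding check.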