Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch b/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
new file mode 100644 (file)
index 0000000..2633dee
--- /dev/null
+++ b/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
@@ -0,0 +1,47 @@
+From 3fb308d1e265d2caf1b7f3e86a10f6c380631725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 17:43:57 -0300
+Subject: nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
+
+From: Irvin Cote <irvin.cote@insa-lyon.fr>
+
+[ Upstream commit dc785d69d753a3894c93afc23b91404652382ead ]
+
+Don't mix NULL and ERR_PTR returns.
+
+Fixes: 2e87570be9d2 ("nvme-pci: factor out a nvme_pci_alloc_dev helper")
+Signed-off-by: Irvin Cote <irvin.cote@insa-lyon.fr>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f28f50ea273a9..64990a2cfd0a7 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3117,7 +3117,7 @@ static struct nvme_dev *nvme_pci_alloc_dev(struct pci_dev *pdev,
+ 
+       dev = kzalloc_node(sizeof(*dev), GFP_KERNEL, node);
+       if (!dev)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       INIT_WORK(&dev->ctrl.reset_work, nvme_reset_work);
+       INIT_WORK(&dev->remove_work, nvme_remove_dead_ctrl_work);
+       mutex_init(&dev->shutdown_lock);
+@@ -3162,8 +3162,8 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       int result = -ENOMEM;
+ 
+       dev = nvme_pci_alloc_dev(pdev, id);
+-      if (!dev)
+-              return -ENOMEM;
++      if (IS_ERR(dev))
++              return PTR_ERR(dev);
+ 
+       result = nvme_dev_map(dev);
+       if (result)
+-- 
+2.40.1
+

diff --git a/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch b/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
new file mode 100644 (file)
index 0000000..e9d0fc7
--- /dev/null
+++ b/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
@@ -0,0 +1,94 @@
+From 74fa6c17226ae629751478c13dd3726702d4e7bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 11:22:35 +0300
+Subject: scsi: qla2xxx: Fix NULL pointer dereference in target mode
+
+From: Gleb Chesnokov <gleb.chesnokov@scst.dev>
+
+[ Upstream commit d54820b22e404b06b2b65877ff802cc7b31688bc ]
+
+When target mode is enabled, the pci_irq_get_affinity() function may return
+a NULL value in qla_mapq_init_qp_cpu_map() due to the qla24xx_enable_msix()
+code that handles IRQ settings for target mode. This leads to a crash due
+to a NULL pointer dereference.
+
+This patch fixes the issue by adding a check for the NULL value returned by
+pci_irq_get_affinity() and introducing a 'cpu_mapped' boolean flag to the
+qla_qpair structure, ensuring that the qpair's CPU affinity is updated when
+it has not been mapped to a CPU.
+
+Fixes: 1d201c81d4cc ("scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called")
+Signed-off-by: Gleb Chesnokov <gleb.chesnokov@scst.dev>
+Link: https://lore.kernel.org/r/56b416f2-4e0f-b6cf-d6d5-b7c372e3c6a2@scst.dev
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h    | 1 +
+ drivers/scsi/qla2xxx/qla_init.c   | 3 +++
+ drivers/scsi/qla2xxx/qla_inline.h | 3 +++
+ drivers/scsi/qla2xxx/qla_isr.c    | 3 +++
+ 4 files changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 817efdd32ad63..1713588f671f3 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -3805,6 +3805,7 @@ struct qla_qpair {
+       uint64_t retry_term_jiff;
+       struct qla_tgt_counters tgt_counters;
+       uint16_t cpuid;
++      bool cpu_mapped;
+       struct qla_fw_resources fwres ____cacheline_aligned;
+       u32     cmd_cnt;
+       u32     cmd_completion_cnt;
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 79de31e7e8b2a..884ed77259f85 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -9759,6 +9759,9 @@ struct qla_qpair *qla2xxx_create_qpair(struct scsi_qla_host *vha, int qos,
+               qpair->rsp->req = qpair->req;
+               qpair->rsp->qpair = qpair;
+ 
++              if (!qpair->cpu_mapped)
++                      qla_cpu_update(qpair, raw_smp_processor_id());
++
+               if (IS_T10_PI_CAPABLE(ha) && ql2xenabledif) {
+                       if (ha->fw_attributes & BIT_4)
+                               qpair->difdix_supported = 1;
+diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
+index e66441355f7ae..a4a56ab0ba747 100644
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -597,11 +597,14 @@ qla_mapq_init_qp_cpu_map(struct qla_hw_data *ha,
+       if (!ha->qp_cpu_map)
+               return;
+       mask = pci_irq_get_affinity(ha->pdev, msix->vector_base0);
++      if (!mask)
++              return;
+       qpair->cpuid = cpumask_first(mask);
+       for_each_cpu(cpu, mask) {
+               ha->qp_cpu_map[cpu] = qpair;
+       }
+       msix->cpuid = qpair->cpuid;
++      qpair->cpu_mapped = true;
+ }
+ 
+ static inline void
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index cf1025c917267..db65dbab3a9fa 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3819,6 +3819,9 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
+ 
+       if (rsp->qpair->cpuid != raw_smp_processor_id() || !rsp->qpair->rcv_intr) {
+               rsp->qpair->rcv_intr = 1;
++
++              if (!rsp->qpair->cpu_mapped)
++                      qla_cpu_update(rsp->qpair, raw_smp_processor_id());
+       }
+ 
+ #define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in)                        \
+-- 
+2.40.1
+

diff --git a/queue-6.1/series b/queue-6.1/series
index 5d282d4e91886c35eedbc487b1ac7f39c737705b..8bf385378125b601b07659163253fc2f3e39cab4 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -200,3 +200,6 @@ perf-build-define-yynomem-as-yynoabort-for-bison-3.8.patch
 nvme-pci-factor-the-iod-mempool-creation-into-a-help.patch
 nvme-pci-factor-out-a-nvme_pci_alloc_dev-helper.patch
 nvme-pci-do-not-set-the-numa-node-of-device-if-it-ha.patch
+wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
+scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
+nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch

diff --git a/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch b/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
new file mode 100644 (file)
index 0000000..759abd1
--- /dev/null
+++ b/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
@@ -0,0 +1,63 @@
+From 05c2cb1497456a2f5e514763c3d7d1bb3905e5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 16:42:24 +0300
+Subject: wifi: ath11k: Don't drop tx_status when peer cannot be found
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 400ece6c7f346b0a30867bd00b03b5b2563d4357 ]
+
+When a station idles for a long time, hostapd will try to send a QoS Null
+frame to the station as "poll". NL80211_CMD_PROBE_CLIENT is used for this
+purpose. And the skb will be added to ack_status_frame - waiting for a
+completion via ieee80211_report_ack_skb().
+
+But when the peer was already removed before the tx_complete arrives, the
+peer will be missing. And when using dev_kfree_skb_any (instead of going
+through mac80211), the entry will stay inside ack_status_frames. This IDR
+will therefore run full after 8K request were generated for such clients.
+At this point, the access point will then just stall and not allow any new
+clients because idr_alloc() for ack_status_frame will fail.
+
+ieee80211_free_txskb() on the other hand will (when required) call
+ieee80211_report_ack_skb() and make sure that (when required) remove the
+entry from the ack_status_frame.
+
+Tested-on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode")
+Fixes: 94739d45c388 ("ath11k: switch to using ieee80211_tx_status_ext()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230802-ath11k-ack_status_leak-v2-1-c0af729d6229@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
+index 64c8ccac22d27..cd24488612454 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
+@@ -369,7 +369,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct ath11k_base *ab,
+                          "dp_tx: failed to find the peer with peer_id %d\n",
+                           ts->peer_id);
+               spin_unlock_bh(&ab->base_lock);
+-              dev_kfree_skb_any(msdu);
++              ieee80211_free_txskb(ar->hw, msdu);
+               return;
+       }
+       spin_unlock_bh(&ab->base_lock);
+@@ -624,7 +624,7 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar,
+                          "dp_tx: failed to find the peer with peer_id %d\n",
+                           ts->peer_id);
+               spin_unlock_bh(&ab->base_lock);
+-              dev_kfree_skb_any(msdu);
++              ieee80211_free_txskb(ar->hw, msdu);
+               return;
+       }
+       arsta = (struct ath11k_sta *)peer->sta->drv_priv;
+-- 
+2.40.1
+