From: Sasha Levin Date: Wed, 4 Oct 2023 09:28:32 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.5.6~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=11fc891a81e20050ccc0477e2ec8f7efa338ff09;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin
---
diff --git a/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch b/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
new file mode 100644
index 00000000000..2633deebdd4
--- /dev/null
+++ b/queue-6.1/nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
@@ -0,0 +1,47 @@
+From 3fb308d1e265d2caf1b7f3e86a10f6c380631725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Feb 2023 17:43:57 -0300
+Subject: nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
+
+From: Irvin Cote
+
+[ Upstream commit dc785d69d753a3894c93afc23b91404652382ead ]
+
+Don't mix NULL and ERR_PTR returns.
+
+Fixes: 2e87570be9d2 ("nvme-pci: factor out a nvme_pci_alloc_dev helper")
+Signed-off-by: Irvin Cote
+Reviewed-by: Keith Busch
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/pci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f28f50ea273a9..64990a2cfd0a7 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3117,7 +3117,7 @@ static struct nvme_dev *nvme_pci_alloc_dev(struct pci_dev *pdev,
+
+ dev = kzalloc_node(sizeof(*dev), GFP_KERNEL, node);
+ if (!dev)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ INIT_WORK(&dev->ctrl.reset_work, nvme_reset_work);
+ INIT_WORK(&dev->remove_work, nvme_remove_dead_ctrl_work);
+ mutex_init(&dev->shutdown_lock);
+@@ -3162,8 +3162,8 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ int result = -ENOMEM;
+
+ dev = nvme_pci_alloc_dev(pdev, id);
+- if (!dev)
+- return -ENOMEM;
++ if (IS_ERR(dev))
++ return PTR_ERR(dev);
+
+ result = nvme_dev_map(dev);
+ if (result)
+-- 
+2.40.1
+
diff --git a/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch b/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
new file mode 100644
index 00000000000..e9d0fc7348a
--- /dev/null
+++ b/queue-6.1/scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
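Review bot: The return contract of nvme_pci_alloc_dev is now "valid pointer or ERR_PTR(), never NULL", but nothing at the definition states it, and the new `if (IS_ERR(dev))` check in nvme_probe depends on it: a NULL return would pass IS_ERR() and be handed on to nvme_dev_map(). I would add a one-line comment above the helper, for example `/* Returns a valid nvme_dev or an ERR_PTR(); never NULL. */`. Only the kzalloc_node() failure path is visible in the first inner hunk; the remaining return paths of nvme_pci_alloc_dev lie outside it and should be confirmed to return an ERR_PTR() as well.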
@@ -0,0 +1,94 @@
+From 74fa6c17226ae629751478c13dd3726702d4e7bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 11:22:35 +0300
+Subject: scsi: qla2xxx: Fix NULL pointer dereference in target mode
+
+From: Gleb Chesnokov
+
+[ Upstream commit d54820b22e404b06b2b65877ff802cc7b31688bc ]
+
+When target mode is enabled, the pci_irq_get_affinity() function may return
+a NULL value in qla_mapq_init_qp_cpu_map() due to the qla24xx_enable_msix()
+code that handles IRQ settings for target mode. This leads to a crash due
+to a NULL pointer dereference.
+
+This patch fixes the issue by adding a check for the NULL value returned by
+pci_irq_get_affinity() and introducing a 'cpu_mapped' boolean flag to the
+qla_qpair structure, ensuring that the qpair's CPU affinity is updated when
+it has not been mapped to a CPU.
+
+Fixes: 1d201c81d4cc ("scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called")
+Signed-off-by: Gleb Chesnokov
+Link: https://lore.kernel.org/r/56b416f2-4e0f-b6cf-d6d5-b7c372e3c6a2@scst.dev
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_def.h | 1 +
+ drivers/scsi/qla2xxx/qla_init.c | 3 +++
+ drivers/scsi/qla2xxx/qla_inline.h | 3 +++
+ drivers/scsi/qla2xxx/qla_isr.c | 3 +++
+ 4 files changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 817efdd32ad63..1713588f671f3 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -3805,6 +3805,7 @@ struct qla_qpair {
+ uint64_t retry_term_jiff;
+ struct qla_tgt_counters tgt_counters;
+ uint16_t cpuid;
++ bool cpu_mapped;
+ struct qla_fw_resources fwres ____cacheline_aligned;
+ u32 cmd_cnt;
+ u32 cmd_completion_cnt;
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 79de31e7e8b2a..884ed77259f85 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -9759,6 +9759,9 @@ struct qla_qpair *qla2xxx_create_qpair(struct scsi_qla_host *vha, int qos,
+ qpair->rsp->req = qpair->req;
+ qpair->rsp->qpair = qpair;
+
++ if (!qpair->cpu_mapped)
++ qla_cpu_update(qpair, raw_smp_processor_id());
++
+ if (IS_T10_PI_CAPABLE(ha) && ql2xenabledif) {
+ if (ha->fw_attributes & BIT_4)
+ qpair->difdix_supported = 1;
+diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
+index e66441355f7ae..a4a56ab0ba747 100644
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -597,11 +597,14 @@ qla_mapq_init_qp_cpu_map(struct qla_hw_data *ha,
+ if (!ha->qp_cpu_map)
+ return;
+ mask = pci_irq_get_affinity(ha->pdev, msix->vector_base0);
++ if (!mask)
++ return;
+ qpair->cpuid = cpumask_first(mask);
+ for_each_cpu(cpu, mask) {
+ ha->qp_cpu_map[cpu] = qpair;
+ }
+ msix->cpuid = qpair->cpuid;
++ qpair->cpu_mapped = true;
+ }
+
+ static inline void
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index cf1025c917267..db65dbab3a9fa 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -3819,6 +3819,9 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
+
+ if (rsp->qpair->cpuid != raw_smp_processor_id() || !rsp->qpair->rcv_intr) {
+ rsp->qpair->rcv_intr = 1;
++
++ if (!rsp->qpair->cpu_mapped)
++ qla_cpu_update(rsp->qpair, raw_smp_processor_id());
+ }
+
+ #define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in) \
+-- 
+2.40.1
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 5d282d4e918..8bf38537812 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -200,3 +200,6 @@ perf-build-define-yynomem-as-yynoabort-for-bison-3.8.patch
 nvme-pci-factor-the-iod-mempool-creation-into-a-help.patch
 nvme-pci-factor-out-a-nvme_pci_alloc_dev-helper.patch
 nvme-pci-do-not-set-the-numa-node-of-device-if-it-ha.patch
+wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
+scsi-qla2xxx-fix-null-pointer-dereference-in-target-.patch
+nvme-pci-always-return-an-err_ptr-from-nvme_pci_allo.patch
diff --git a/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch b/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
new file mode 100644
index 00000000000..759abd18813
--- /dev/null
+++ b/queue-6.1/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be.patch
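Review bot: The new guard in qla_mapq_init_qp_cpu_map rejects only a NULL mask, so a non-NULL but empty mask would still reach `cpumask_first(mask)`, which returns a value at or above nr_cpu_ids for an empty mask. In that case an out-of-range CPU number would be stored in `qpair->cpuid` and `msix->cpuid`, and `cpu_mapped` would be set to true even though no entry of `ha->qp_cpu_map` was filled, which also disables the qla_cpu_update() fallbacks added in qla2xxx_create_qpair and qla24xx_process_response_queue. Whether pci_irq_get_affinity() can return an empty mask on this path is not visible from the patch, so this is a defensive suggestion: `if (!mask || cpumask_empty(mask)) return;`. The new `bool cpu_mapped;` field in struct qla_qpair would also benefit from a short comment saying that it is set once cpuid has been taken from the IRQ affinity mask.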
@@ -0,0 +1,63 @@
+From 05c2cb1497456a2f5e514763c3d7d1bb3905e5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Aug 2023 16:42:24 +0300
+Subject: wifi: ath11k: Don't drop tx_status when peer cannot be found
+
+From: Sven Eckelmann
+
+[ Upstream commit 400ece6c7f346b0a30867bd00b03b5b2563d4357 ]
+
+When a station idles for a long time, hostapd will try to send a QoS Null
+frame to the station as "poll". NL80211_CMD_PROBE_CLIENT is used for this
+purpose. And the skb will be added to ack_status_frame - waiting for a
+completion via ieee80211_report_ack_skb().
+
+But when the peer was already removed before the tx_complete arrives, the
+peer will be missing. And when using dev_kfree_skb_any (instead of going
+through mac80211), the entry will stay inside ack_status_frames. This IDR
+will therefore run full after 8K request were generated for such clients.
+At this point, the access point will then just stall and not allow any new
+clients because idr_alloc() for ack_status_frame will fail.
+
+ieee80211_free_txskb() on the other hand will (when required) call
+ieee80211_report_ack_skb() and make sure that (when required) remove the
+entry from the ack_status_frame.
+
+Tested-on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode")
+Fixes: 94739d45c388 ("ath11k: switch to using ieee80211_tx_status_ext()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230802-ath11k-ack_status_leak-v2-1-c0af729d6229@narfation.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/dp_tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
+index 64c8ccac22d27..cd24488612454 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
+@@ -369,7 +369,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct ath11k_base *ab,
+ "dp_tx: failed to find the peer with peer_id %d\n",
+ ts->peer_id);
+ spin_unlock_bh(&ab->base_lock);
+- dev_kfree_skb_any(msdu);
++ ieee80211_free_txskb(ar->hw, msdu);
+ return;
+ }
+ spin_unlock_bh(&ab->base_lock);
+@@ -624,7 +624,7 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar,
+ "dp_tx: failed to find the peer with peer_id %d\n",
+ ts->peer_id);
+ spin_unlock_bh(&ab->base_lock);
+- dev_kfree_skb_any(msdu);
++ ieee80211_free_txskb(ar->hw, msdu);
+ return;
+ }
+ arsta = (struct ath11k_sta *)peer->sta->drv_priv;
+-- 
+2.40.1
+
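Review bot: Nothing at the two `ieee80211_free_txskb(ar->hw, msdu);` call sites records why the skb must be released through mac80211, so a later cleanup could switch them back to dev_kfree_skb_any() and reintroduce the ack_status_frames exhaustion that the commit message describes as stalling the access point. I would add a comment on each peer-not-found branch such as `/* free via mac80211 so a pending ack_status_frames entry is released */`. Both functions start and end outside their hunks, so any other early-exit paths in ath11k_dp_tx_htt_tx_complete_buf and ath11k_dp_tx_complete_msdu that still call dev_kfree_skb_any() on a TX skb are not visible here and are worth checking for the same leak. The declaration of `ar` in ath11k_dp_tx_htt_tx_complete_buf is likewise outside the hunk, since that function's visible parameter is `ab`.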