--- /dev/null
+From 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Apr 2021 13:21:03 -0300
+Subject: Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream.
+
+When cmtp_attach_device fails, cmtp_add_connection returns the error value
+which leads to the caller to doing fput through sockfd_put. But
+cmtp_session kthread, which is stopped in this path will also call fput,
+leading to a potential refcount underflow or a use-after-free.
+
+Add a refcount before we signal the kthread to stop. The kthread will try
+to grab the cmtp_session_sem mutex before doing the fput, which is held
+when get_file is called, so there should be no races there.
+
+Reported-by: Ryota Shiga
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/cmtp/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_conn
+ if (!(session->flags & BIT(CMTP_LOOPBACK))) {
+ err = cmtp_attach_device(session);
+ if (err < 0) {
++ /* Caller will call fput in case of failure, and so
++ * will cmtp_session kthread.
++ */
++ get_file(session->sock->file);
++
+ atomic_inc(&session->terminate);
+ wake_up_interruptible(sk_sleep(session->sock->sk));
+ up_write(&cmtp_session_sem);
--- /dev/null
+From db825feefc6868896fed5e361787ba3bee2fd906 Mon Sep 17 00:00:00 2001
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Date: Sun, 9 May 2021 09:43:18 +0300
+Subject: net/mlx4: Fix EEPROM dump support
+
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+
+commit db825feefc6868896fed5e361787ba3bee2fd906 upstream.
+
+Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page
+number correctly. For SFP set the following params:
+- I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51.
+- Page number is zero.
+- Offset is 0-255.
+
+At the same time, QSFP* parameters are different:
+- I2C address is always 0x50.
+- Page number is not limited to zero.
+- Offset is 0-255 for page zero and 128-255 for others.
+
+To set parameters accordingly to cable used, implement function to query
+module ID and implement respective helper functions to set parameters
+correctly.
+
+Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4
+ drivers/net/ethernet/mellanox/mlx4/port.c | 107 +++++++++++++++++++++++-
+ 2 files changed, 104 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1907,8 +1907,6 @@ static int mlx4_en_set_tunable(struct ne
+ return ret;
+ }
+
+-#define MLX4_EEPROM_PAGE_LEN 256
+-
+ static int mlx4_en_get_module_info(struct net_device *dev,
+ struct ethtool_modinfo *modinfo)
+ {
+@@ -1943,7 +1941,7 @@ static int mlx4_en_get_module_info(struc
+ break;
+ case MLX4_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+ break;
+ default:
+ return -ENOSYS;
+--- a/drivers/net/ethernet/mellanox/mlx4/port.c
++++ b/drivers/net/ethernet/mellanox/mlx4/port.c
+@@ -1283,6 +1283,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_sla
+ #define I2C_ADDR_LOW 0x50
+ #define I2C_ADDR_HIGH 0x51
+ #define I2C_PAGE_SIZE 256
++#define I2C_HIGH_PAGE_SIZE 128
+
+ /* Module Info Data */
+ struct mlx4_cable_info {
+@@ -1336,6 +1337,88 @@ static inline const char *cable_info_mad
+ return "Unknown Error";
+ }
+
++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id)
++{
++ struct mlx4_cmd_mailbox *inbox, *outbox;
++ struct mlx4_mad_ifc *inmad, *outmad;
++ struct mlx4_cable_info *cable_info;
++ int ret;
++
++ inbox = mlx4_alloc_cmd_mailbox(dev);
++ if (IS_ERR(inbox))
++ return PTR_ERR(inbox);
++
++ outbox = mlx4_alloc_cmd_mailbox(dev);
++ if (IS_ERR(outbox)) {
++ mlx4_free_cmd_mailbox(dev, inbox);
++ return PTR_ERR(outbox);
++ }
++
++ inmad = (struct mlx4_mad_ifc *)(inbox->buf);
++ outmad = (struct mlx4_mad_ifc *)(outbox->buf);
++
++ inmad->method = 0x1; /* Get */
++ inmad->class_version = 0x1;
++ inmad->mgmt_class = 0x1;
++ inmad->base_version = 0x1;
++ inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info */
++
++ cable_info = (struct mlx4_cable_info *)inmad->data;
++ cable_info->dev_mem_address = 0;
++ cable_info->page_num = 0;
++ cable_info->i2c_addr = I2C_ADDR_LOW;
++ cable_info->size = cpu_to_be16(1);
++
++ ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3,
++ MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C,
++ MLX4_CMD_NATIVE);
++ if (ret)
++ goto out;
++
++ if (be16_to_cpu(outmad->status)) {
++ /* Mad returned with bad status */
++ ret = be16_to_cpu(outmad->status);
++ mlx4_warn(dev,
++ "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n",
++ 0xFF60, port, I2C_ADDR_LOW, 0, 1, ret,
++ cable_info_mad_err_str(ret));
++ ret = -ret;
++ goto out;
++ }
++ cable_info = (struct mlx4_cable_info *)outmad->data;
++ *module_id = cable_info->data[0];
++out:
++ mlx4_free_cmd_mailbox(dev, inbox);
++ mlx4_free_cmd_mailbox(dev, outbox);
++ return ret;
++}
++
++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++ *i2c_addr = I2C_ADDR_LOW;
++ *page_num = 0;
++
++ if (*offset < I2C_PAGE_SIZE)
++ return;
++
++ *i2c_addr = I2C_ADDR_HIGH;
++ *offset -= I2C_PAGE_SIZE;
++}
++
++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++ /* Offsets 0-255 belong to page 0.
++ * Offsets 256-639 belong to pages 01, 02, 03.
++ * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2
++ */
++ if (*offset < I2C_PAGE_SIZE)
++ *page_num = 0;
++ else
++ *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE;
++ *i2c_addr = I2C_ADDR_LOW;
++ *offset -= *page_num * I2C_HIGH_PAGE_SIZE;
++}
++
+ /**
+ * mlx4_get_module_info - Read cable module eeprom data
+ * @dev: mlx4_dev.
+@@ -1355,12 +1438,30 @@ int mlx4_get_module_info(struct mlx4_dev
+ struct mlx4_cmd_mailbox *inbox, *outbox;
+ struct mlx4_mad_ifc *inmad, *outmad;
+ struct mlx4_cable_info *cable_info;
+- u16 i2c_addr;
++ u8 module_id, i2c_addr, page_num;
+ int ret;
+
+ if (size > MODULE_INFO_MAX_READ)
+ size = MODULE_INFO_MAX_READ;
+
++ ret = mlx4_get_module_id(dev, port, &module_id);
++ if (ret)
++ return ret;
++
++ switch (module_id) {
++ case MLX4_MODULE_ID_SFP:
++ mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ case MLX4_MODULE_ID_QSFP:
++ case MLX4_MODULE_ID_QSFP_PLUS:
++ case MLX4_MODULE_ID_QSFP28:
++ mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ default:
++ mlx4_err(dev, "Module ID not recognized: %#x\n", module_id);
++ return -EINVAL;
++ }
++
+ inbox = mlx4_alloc_cmd_mailbox(dev);
+ if (IS_ERR(inbox))
+ return PTR_ERR(inbox);
+@@ -1386,11 +1487,9 @@ int mlx4_get_module_info(struct mlx4_dev
+ */
+ size -= offset + size - I2C_PAGE_SIZE;
+
+- i2c_addr = I2C_ADDR_LOW;
+-
+ cable_info = (struct mlx4_cable_info *)inmad->data;
+ cable_info->dev_mem_address = cpu_to_be16(offset);
+- cable_info->page_num = 0;
++ cable_info->page_num = page_num;
+ cable_info->i2c_addr = i2c_addr;
+ cable_info->size = cpu_to_be16(size);
+
--- /dev/null
+From 0d0ea309357dea0d85a82815f02157eb7fcda39f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:40:12 -0400
+Subject: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream.
+
+The value of mirror->pg_bytes_written should only be updated after a
+successful attempt to flush out the requests on the list.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -993,17 +993,16 @@ static void nfs_pageio_doio(struct nfs_p
+ {
+ struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
+
+-
+ if (!list_empty(&mirror->pg_list)) {
+ int error = desc->pg_ops->pg_doio(desc);
+ if (error < 0)
+ desc->pg_error = error;
+- else
++ if (list_empty(&mirror->pg_list)) {
+ mirror->pg_bytes_written += mirror->pg_count;
+- }
+- if (list_empty(&mirror->pg_list)) {
+- mirror->pg_count = 0;
+- mirror->pg_base = 0;
++ mirror->pg_count = 0;
++ mirror->pg_base = 0;
++ mirror->pg_recoalesce = 0;
++ }
+ }
+ }
+
+@@ -1089,7 +1088,6 @@ static int nfs_do_recoalesce(struct nfs_
+
+ do {
+ list_splice_init(&mirror->pg_list, &head);
+- mirror->pg_bytes_written -= mirror->pg_count;
+ mirror->pg_count = 0;
+ mirror->pg_base = 0;
+ mirror->pg_recoalesce = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
