--- /dev/null
+From 1d8c070b469fcfd1b5974e7a599c3fde83702770 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40evf/i40evf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+index 5f03ab3dfa19..8fdbc24b3cba 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c
++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+@@ -2503,6 +2503,7 @@ static int i40evf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 9f1ea0062934f0742a38abf10b94b69b6cc5a096 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Grzegorz Siwik <grzegorz.siwik@intel.com>
+Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Reviewed-by: Slawomir Laba <slawomirx.laba@intel.com>
+Reviewed-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Reviewed-by: Mateusz Palczewski <mateusz.placzewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 682f52760898..6ccbf21547d0 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -945,6 +945,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -953,7 +954,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
--- /dev/null
+From cc6405eb698ea85307ef5c3ac5a858790771398e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 9d8fcdefefc0..ee297964fcd2 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -823,7 +823,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -833,11 +833,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -851,9 +851,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@ -865,7 +864,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -874,11 +873,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -892,9 +891,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1039,16 +1037,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1063,9 +1061,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
--- /dev/null
+From f7b8271149975a9f2fdc8ece8f5435b796a75324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index aa209b1066c9..3cfd413aa2c8 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
--- /dev/null
+From 75b196e1fbb3ebc5d8804daf5f66ca6340829cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 22:40:13 +0800
+Subject: netrom: Decrease sock refcount when sock timers expire
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]
+
+Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
+sock timer API. It replaces mod_timer() by sk_reset_timer(), and
+del_timer() by sk_stop_timer().
+
+Function sk_reset_timer() will increase the refcount of sock if it is
+called on an inactive timer, hence, in case the timer expires, we need to
+decrease the refcount ourselves in the handler, otherwise, the sock
+refcount will be unbalanced and the sock will never be freed.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
+Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index f0ecaec1ff3d..d1a0b7056743 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -125,11 +125,9 @@ static void nr_heartbeat_expiry(unsigned long param)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+- sock_put(sk);
+- return;
++ goto out;
+ }
+ break;
+
+@@ -150,6 +148,8 @@ static void nr_heartbeat_expiry(unsigned long param)
+
+ nr_start_heartbeat(sk);
+ bh_unlock_sock(sk);
++out:
++ sock_put(sk);
+ }
+
+ static void nr_t2timer_expiry(unsigned long param)
+@@ -163,6 +163,7 @@ static void nr_t2timer_expiry(unsigned long param)
+ nr_enquiry_response(sk);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t4timer_expiry(unsigned long param)
+@@ -172,6 +173,7 @@ static void nr_t4timer_expiry(unsigned long param)
+ bh_lock_sock(sk);
+ nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY;
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_idletimer_expiry(unsigned long param)
+@@ -200,6 +202,7 @@ static void nr_idletimer_expiry(unsigned long param)
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t1timer_expiry(unsigned long param)
+@@ -212,8 +215,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_1:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_CONNREQ);
+@@ -223,8 +225,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_2:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_DISCREQ);
+@@ -234,8 +235,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ case NR_STATE_3:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_requeue_frames(sk);
+@@ -244,5 +244,7 @@ static void nr_t1timer_expiry(unsigned long param)
+ }
+
+ nr_start_t1timer(sk);
++out:
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+--
+2.30.2
+
--- /dev/null
+From bddc1c9a3beec7aa940a77c36c72f51087b13964 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:25 +0200
+Subject: perf probe-file: Delete namelist in del_events() on the error path
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+This second leak is caused by a strlist not being dellocated on error
+inside probe_file__del_events.
+
+This patch adds a goto label before the deallocation and makes the error
+path jump to it.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index e3b3b92e4458..7476757680ed 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -318,10 +318,10 @@ int probe_file__del_events(int fd, struct strfilter *filter)
+
+ ret = probe_file__get_events(fd, filter, namelist);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = probe_file__del_strlist(fd, namelist);
++out:
+ strlist__delete(namelist);
+-
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 35dd90d8be9c6bec2f1fa6ed65ccdece29a9f6a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:24 +0200
+Subject: perf test bpf: Free obj_buf
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 937654ce497fb6e977a8c52baee5f7d9616302d9 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+The first of these leaks is caused by obj_buf never being deallocated in
+__test__bpf.
+
+This patch adds the missing free.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com
+[ Added missing stdlib.h include ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/bpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/tests/bpf.c b/tools/perf/tests/bpf.c
+index 6ebfdee3e2c6..661cca25ae5d 100644
+--- a/tools/perf/tests/bpf.c
++++ b/tools/perf/tests/bpf.c
+@@ -1,4 +1,5 @@
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <sys/epoll.h>
+ #include <util/bpf-loader.h>
+ #include <util/evlist.h>
+@@ -176,6 +177,7 @@ static int __test__bpf(int idx)
+ bpf_testcase_table[idx].target_func,
+ bpf_testcase_table[idx].expect_result);
+ out:
++ free(obj_buf);
+ bpf__clear();
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5828d07535ec935471ee4353ff1998355fe705bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:08 +0200
+Subject: perf test session_topology: Delete session->evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ]
+
+ASan reports a memory leak related to session->evlist while running:
+
+ # perf test "41: Session topology".
+
+When perf_data is in write mode, session->evlist is owned by the caller,
+which should also take care of deleting it.
+
+This patch adds the missing evlist__delete().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/topology.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c
+index bf67343c7795..39cb6cb6f359 100644
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -49,6 +49,7 @@ static int session_write_header(char *path)
+ TEST_ASSERT_VAL("failed to write header",
+ !perf_session__write_header(session, session->evlist, file.fd, true));
+
++ evlist__delete(session->evlist);
+ perf_session__delete(session);
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 94674484bc475ff742c5cb84e40627846a8ac3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:54:38 -0700
+Subject: proc: Avoid mixing integer types in mem_rw()
+
+From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+
+[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ]
+
+Use size_t when capping the count argument received by mem_rw(). Since
+count is size_t, using min_t(int, ...) can lead to a negative value
+that will later be passed to access_remote_vm(), which can cause
+unexpected behavior.
+
+Since we are capping the value to at maximum PAGE_SIZE, the conversion
+from size_t to int when passing it to access_remote_vm() as "len"
+shouldn't be a problem.
+
+Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Souza Cascardo <cascardo@canonical.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index b1ff8eb61802..4d68f5a9e4aa 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -887,7 +887,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ flags |= FOLL_WRITE;
+
+ while (count > 0) {
+- int this_len = min_t(int, count, PAGE_SIZE);
++ size_t this_len = min_t(size_t, count, PAGE_SIZE);
+
+ if (write && copy_from_user(page, buf, this_len)) {
+ copied = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From 74aaa8d52ce24320fd38d6ef58b649fe14898f6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 11:25:16 +0200
+Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE
+ modem"
+
+From: Vincent Palatin <vpalatin@chromium.org>
+
+[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ]
+
+This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd.
+
+While the patch was working as stated,ie preventing the L850-GL LTE modem
+from crashing on some U3 wake-ups due to a race condition between the
+host wake-up and the modem-side wake-up, when using the MBIM interface,
+this would force disabling the USB runtime PM on the device.
+
+The increased power consumption is significant for LTE laptops,
+and given that with decently recent modem firmwares, when the modem hits
+the bug, it automatically recovers (ie it drops from the bus, but
+automatically re-enumerates after less than half a second, rather than being
+stuck until a power cycle as it was doing with ancient firmware), for
+most people, the trade-off now seems in favor of re-enabling it by
+default.
+
+For people with access to the platform code, the bug can also be worked-around
+successfully by changing the USB3 LFPM polling off-time for the XHCI
+controller in the BIOS code.
+
+Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
+Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org
+Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/quirks.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 3dfd584a1ef3..2ca6ed207e26 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -325,10 +325,6 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
+- /* Fibocom L850-GL LTE Modem */
+- { USB_DEVICE(0x2cb7, 0x0007), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.30.2
+
--- /dev/null
+From 3d839c25d383d9859dc0e7d2b71da0fb00118e2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:57:12 +0100
+Subject: s390/bpf: Perform r1 range checking before accessing
+ jit->seen_reg[r1]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ]
+
+Currently array jit->seen_reg[r1] is being accessed before the range
+checking of index r1. The range changing on r1 should be performed
+first since it will avoid any potential out-of-range accesses on the
+array seen_reg[] and also it is more optimal to perform checks on r1
+before fetching data from the array. Fix this by swapping the order
+of the checks before the array access.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index bcf409997d6d..c5c3056f4c4a 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -115,7 +115,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
+ {
+ u32 r1 = reg2hex[b1];
+
+- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
+ jit->seen_reg[r1] = 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 3093aa501bd9b201c129834a1ada57224f57c3e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 19:25:59 -0500
+Subject: scsi: iscsi: Fix iface sysfs attr detection
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ]
+
+A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when
+iscsi_iface_attr_is_visible tries to figure out the type by just checking
+the value, we can collide and return the wrong type. When we call into the
+driver we might not match and return that we don't want attr visible in
+sysfs. The patch fixes this by setting the type when we figure out what the
+param is.
+
+Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com
+Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------
+ 1 file changed, 34 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index e0159e6a1065..39d03300d3d9 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -427,39 +427,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct device *dev = container_of(kobj, struct device, kobj);
+ struct iscsi_iface *iface = iscsi_dev_to_iface(dev);
+ struct iscsi_transport *t = iface->transport;
+- int param;
+- int param_type;
++ int param = -1;
+
+ if (attr == &dev_attr_iface_enabled.attr)
+ param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_vlan_id.attr)
+- param = ISCSI_NET_PARAM_VLAN_ID;
+- else if (attr == &dev_attr_iface_vlan_priority.attr)
+- param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+- else if (attr == &dev_attr_iface_vlan_enabled.attr)
+- param = ISCSI_NET_PARAM_VLAN_ENABLED;
+- else if (attr == &dev_attr_iface_mtu.attr)
+- param = ISCSI_NET_PARAM_MTU;
+- else if (attr == &dev_attr_iface_port.attr)
+- param = ISCSI_NET_PARAM_PORT;
+- else if (attr == &dev_attr_iface_ipaddress_state.attr)
+- param = ISCSI_NET_PARAM_IPADDR_STATE;
+- else if (attr == &dev_attr_iface_delayed_ack_en.attr)
+- param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
+- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF;
+- else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
+- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
+- else if (attr == &dev_attr_iface_cache_id.attr)
+- param = ISCSI_NET_PARAM_CACHE_ID;
+- else if (attr == &dev_attr_iface_redirect_en.attr)
+- param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+@@ -496,6 +467,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN;
+ else if (attr == &dev_attr_iface_initiator_name.attr)
+ param = ISCSI_IFACE_PARAM_INITIATOR_NAME;
++
++ if (param != -1)
++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
++
++ if (attr == &dev_attr_iface_vlan_id.attr)
++ param = ISCSI_NET_PARAM_VLAN_ID;
++ else if (attr == &dev_attr_iface_vlan_priority.attr)
++ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
++ else if (attr == &dev_attr_iface_vlan_enabled.attr)
++ param = ISCSI_NET_PARAM_VLAN_ENABLED;
++ else if (attr == &dev_attr_iface_mtu.attr)
++ param = ISCSI_NET_PARAM_MTU;
++ else if (attr == &dev_attr_iface_port.attr)
++ param = ISCSI_NET_PARAM_PORT;
++ else if (attr == &dev_attr_iface_ipaddress_state.attr)
++ param = ISCSI_NET_PARAM_IPADDR_STATE;
++ else if (attr == &dev_attr_iface_delayed_ack_en.attr)
++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF;
++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
++ else if (attr == &dev_attr_iface_cache_id.attr)
++ param = ISCSI_NET_PARAM_CACHE_ID;
++ else if (attr == &dev_attr_iface_redirect_en.attr)
++ param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) {
+ if (attr == &dev_attr_ipv4_iface_ipaddress.attr)
+ param = ISCSI_NET_PARAM_IPV4_ADDR;
+@@ -586,32 +589,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ return 0;
+ }
+
+- switch (param) {
+- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO:
+- case ISCSI_IFACE_PARAM_HDRDGST_EN:
+- case ISCSI_IFACE_PARAM_DATADGST_EN:
+- case ISCSI_IFACE_PARAM_IMM_DATA_EN:
+- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN:
+- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN:
+- case ISCSI_IFACE_PARAM_PDU_INORDER_EN:
+- case ISCSI_IFACE_PARAM_ERL:
+- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH:
+- case ISCSI_IFACE_PARAM_FIRST_BURST:
+- case ISCSI_IFACE_PARAM_MAX_R2T:
+- case ISCSI_IFACE_PARAM_MAX_BURST:
+- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN:
+- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN:
+- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL:
+- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN:
+- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN:
+- case ISCSI_IFACE_PARAM_INITIATOR_NAME:
+- param_type = ISCSI_IFACE_PARAM;
+- break;
+- default:
+- param_type = ISCSI_NET_PARAM;
+- }
+-
+- return t->attr_is_visible(param_type, param);
++ return t->attr_is_visible(ISCSI_NET_PARAM, param);
+ }
+
+ static struct attribute *iscsi_iface_attrs[] = {
+--
+2.30.2
+
--- /dev/null
+From a070756212347dad280e17533fe86a394c7eff66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:16:55 +0300
+Subject: scsi: target: Fix protect handling in WRITE SAME(32)
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ]
+
+WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st
+byte instead of 10th byte.
+
+Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com
+Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_sbc.c | 35 ++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index 608117819366..a2ffa10e5a41 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -37,7 +37,7 @@
+ #include "target_core_alua.h"
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool);
++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool);
+ static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd);
+
+ static sense_reason_t
+@@ -311,14 +311,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb)
+ }
+
+ static sense_reason_t
+-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops)
+ {
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ sense_reason_t ret;
+
+- if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
++ if ((flags & 0x04) || (flags & 0x02)) {
+ pr_err("WRITE_SAME PBDATA and LBDATA"
+ " bits not supported for Block Discard"
+ " Emulation\n");
+@@ -340,7 +340,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ }
+
+ /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+- if (flags[0] & 0x10) {
++ if (flags & 0x10) {
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
+@@ -348,7 +348,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
+ */
+- if (flags[0] & 0x08) {
++ if (flags & 0x08) {
+ if (!ops->execute_unmap)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+@@ -363,7 +363,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ if (!ops->execute_write_same)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true);
++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -721,10 +721,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_
+ }
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect,
+ u32 sectors, bool is_write)
+ {
+- u8 protect = cdb[1] >> 5;
+ int sp_ops = cmd->se_sess->sup_prot_ops;
+ int pi_prot_type = dev->dev_attrib.pi_prot_type;
+ bool fabric_prot = false;
+@@ -772,7 +771,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
+ /* Fallthrough */
+ default:
+ pr_err("Unable to determine pi_prot_type for CDB: 0x%02x "
+- "PROTECT: 0x%02x\n", cdb[0], protect);
++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect);
+ return TCM_INVALID_CDB_FIELD;
+ }
+
+@@ -847,7 +846,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -861,7 +860,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -875,7 +874,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -896,7 +895,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -910,7 +909,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -924,7 +923,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -983,7 +982,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[12]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[10], ops);
++ ret = sbc_setup_write_same(cmd, cdb[10], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1076,7 +1075,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[2]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1094,7 +1093,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ * Follow sbcr26 with WRITE_SAME (10) and check for the existence
+ * of byte 1 bit 3 UNMAP instead of original reserved field
+ */
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+--
+2.30.2
+
net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
tcp-annotate-data-races-around-tp-mtu_info.patch
ipv6-tcp-drop-silly-icmpv6-packet-too-big-messages.patch
+iavf-fix-an-error-handling-path-in-iavf_probe.patch
+igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+perf-test-session_topology-delete-session-evlist.patch
+perf-test-bpf-free-obj_buf.patch
+perf-probe-file-delete-namelist-in-del_events-on-the.patch
+s390-bpf-perform-r1-range-checking-before-accessing-.patch
+net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
+net-decnet-fix-sleeping-inside-in-af_decnet.patch
+netrom-decrease-sock-refcount-when-sock-timers-expir.patch
+scsi-iscsi-fix-iface-sysfs-attr-detection.patch
+scsi-target-fix-protect-handling-in-write-same-32.patch
+revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
+proc-avoid-mixing-integer-types-in-mem_rw.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
