In unprivileged Xen guests event handling can cause a deadlock with
Xen console handling. The evtchn_rwlock and the hvc_lock are taken in
opposite sequence in __hvc_poll() and in Xen console IRQ handling.
Normally this is no problem, as the evtchn_rwlock is taken as a reader
in both paths, but as soon as an event channel is being closed, the
lock will be taken as a writer, which will cause read_lock() to block:

CPU0                     CPU1                CPU2
(IRQ handling)           (__hvc_poll())      (closing event channel)

read_lock(evtchn_rwlock)
                         spin_lock(hvc_lock)
                                             write_lock(evtchn_rwlock)
                                                 [blocks]
spin_lock(hvc_lock)
    [blocks]
                        read_lock(evtchn_rwlock)
                            [blocks due to writer waiting,
                             and not in_interrupt()]

This issue can be avoided by replacing evtchn_rwlock with RCU in
xen_free_irq(). Note that RCU is used only to delay freeing of the
irq_info memory. There is no RCU based dereferencing or replacement of
pointers involved.

In order to avoid potential races between removing the irq_info
reference and handling of interrupts, set the irq_info pointer to NULL
only when freeing its memory. The IRQ itself must be freed at that
time, too, as otherwise the same IRQ number could be allocated again
before handling of the old instance would have been finished.

This is XSA-441 / CVE-2023-34324.

Fixes: 54c9de89 ("xen/events: add a new "late EOI" evtchn framework")
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Juergen Gross <jgross@suse.com>

Pull smb server fixes from Steve French:
 "Six SMB3 server fixes for various races found by RO0T Lab of Huawei:

   - Fix oops when racing between oplock break ack and freeing file

   - Simultaneous request fixes for parallel logoffs, and for parallel
     lock requests

   - Fixes for tree disconnect race, session expire race, and close/open
     race"

* tag '6.6-rc4-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
  ksmbd: fix race condition between tree conn lookup and disconnect
  ksmbd: fix race condition from parallel smb2 lock requests
  ksmbd: fix race condition from parallel smb2 logoff requests
  ksmbd: fix uaf in smb20_oplock_break_ack
  ksmbd: fix race condition with fp
  ksmbd: fix race condition between session lookup and expire

Pull misc scheduler fixes from Ingo Molnar:

 - Two EEVDF fixes: one to fix sysctl_sched_base_slice propagation, and
   to fix an avg_vruntime() corner-case.

 - A cpufreq frequency scaling fix

* tag 'sched-urgent-2023-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  cpufreq: schedutil: Update next_freq when cpufreq_limits change
  sched/eevdf: Fix avg_vruntime()
  sched/eevdf: Also update slice on placement

Pull misc x86 fixes from Ingo Molnar:

 - Fix SEV-SNP guest crashes that may happen on NMIs

 - Fix a potential SEV platform memory setup overflow

* tag 'x86-urgent-2023-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/sev: Change npages to unsigned long in snp_accept_memory()
  x86/sev: Use the GHCB protocol when available for SNP CPUID requests

Pull parisc fixes from Helge Deller:

 - fix random faults in mmap'd memory on pre PA8800 processors

 - fix boot crash with nr_cpus=1 on kernel command line

* tag 'parisc-for-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc: Restore __ldcw_align for PA-RISC 2.0 processors
  parisc: Fix crash with nr_cpus=1 option

Back in 2005, Kyle McMartin removed the 16-byte alignment for
ldcw semaphores on PA 2.0 machines (CONFIG_PA20). This broke
spinlocks on pre PA8800 processors. The main symptom was random
faults in mmap'd memory (e.g., gcc compilations, etc).

Unfortunately, the errata for this ldcw change is lost.

The issue is the 16-byte alignment required for ldcw semaphore
instructions can only be reduced to natural alignment when the
ldcw operation can be handled coherently in cache. Only PA8800
and PA8900 processors actually support doing the operation in
cache.

Aligning the spinlock dynamically adds two integer instructions
to each spinlock.

Tested on rp3440, c8000 and a500.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Link: https://lore.kernel.org/linux-parisc/6b332788-2227-127f-ba6d-55e99ecf4ed8@bell.net/T/#t
Link: https://lore.kernel.org/linux-parisc/20050609050702.GB4641@roadwarrior.mcmartin.ca/
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>

John David Anglin reported that giving "nr_cpus=1" on the command
line causes a crash, while "maxcpus=1" works.
Reported-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.18+

Pull smb client fixes from Steve French:

 - protect cifs/smb3 socket connect from BPF address overwrite

 - fix case when directory leases disabled but wasting resources with
   unneeded thread on each mount

* tag '6.6-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: do not start laundromat thread on nohandlecache
  smb: use kernel_connect() and kernel_bind()

Pull xfs fixes from Chandan Babu:

 - Prevent filesystem hang when executing fstrim operations on large and
   slow storage

* tag 'xfs-6.6-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: abort fstrim if kernel is suspending
  xfs: reduce AGF hold times during fstrim operations
  xfs: move log discard work to xfs_discard.c

Merge tag 'for-6.6/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix memory leak when freeing dm zoned target device

 - Update dm-devel mailing list address in MAINTAINERS

* tag 'for-6.6/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  MAINTAINERS: update the dm-devel mailing list
  dm zoned: free dmz->ddev array in dmz_put_zoned_devices

Pull media fixes from Mauro Carvalho Chehab:

 - two Kconfig build fixes under randconfig

 - pxa_camera: Fix an error handling path

 - mediatek: vcodec: Fix a NULL-access pointer

 - tegra-video: fix an infinite recursion regression

* tag 'media/v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: mediatek: vcodec: Fix encoder access NULL pointer
  staging: media: tegra-video: fix infinite recursion regression
  media: pci: intel: ivsc: select V4L2_FWNODE
  media: ipu-bridge: Fix Kconfig dependencies
  media: pxa_camera: Fix an error handling path in pxa_camera_probe()

Pull devicetree fixes from Rob Herring:

 - Fix potential memory leak in of_changeset_action()

 - Fix some i.MX binding warnings

 - Fix typo in renesas,vin binding field-even-active property

 - Fix andestech,ax45mp-cache example unit-address

 - Add missing additionalProperties on RiscV CPU interrupt-controller
   node

 - Add missing unevaluatedProperties on media bindings

 - Fix brcm,iproc-pcie binding 'msi' child node schema

 - Fix MEMSIC MXC4005 compatible string

* tag 'devicetree-fixes-for-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: trivial-devices: Fix MEMSIC MXC4005 compatible string
  dt-bindings: PCI: brcm,iproc-pcie: Fix 'msi' child node schema
  dt-bindings: PCI: brcm,iproc-pcie: Drop common pci-bus properties
  dt-bindings: PCI: brcm,iproc-pcie: Fix example indentation
  media: dt-bindings: Add missing unevaluatedProperties on child node schemas
  dt-bindings: bus: fsl,imx8qxp-pixel-link-msi-bus: Drop child 'reg' property
  media: dt-bindings: imx7-csi: Make power-domains not required for imx8mq
  dt-bindings: media: renesas,vin: Fix field-even-active spelling
  dt-bindings: cache: andestech,ax45mp-cache: Fix unit address in example
  of: overlay: Reorder struct fragment fields kerneldoc
  dt-bindings: display: fsl,imx6-hdmi: Change to 'unevaluatedProperties: false'
  dt-bindings: riscv: cpus: Add missing additionalProperties on interrupt-controller node
  of: dynamic: Fix potential memory leak in of_changeset_action()

Pull gpio fixes from Bartosz Golaszewski:
 "Another round of driver one-liners from the GPIO subsystem:

   - disable pin control on MMP GPIOs in gpio-pxa

   - fix the GPIO number passed to one of the pinctrl callbacks in
     gpio-aspeed"

* tag 'gpio-fixes-for-v6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
  gpio: pxa: disable pinctrl calls for MMP_GPIO

Pull rdma fixes from Jason Gunthorpe:
 "This includes a fix for a significant security miss in checking the
  RDMA_NLDEV_CMD_SYS_SET operation.

  Summary:

   - UAF in SRP

   - Error unwind failure in siw connection management

   - Missing error checks

   - NULL/ERR_PTR confusion in erdma

   - Possible string truncation in CMA configfs and mlx4

   - Data ordering issue in bnxt_re

   - Missing stats decrement on object destroy in bnxt_re

   - Mlx5 bugs in this merge window:
      * Incorrect access_flag in the new mkey cache
      * Missing unlock on error in flow steering
      * lockdep possible deadlock on new mkey cache destruction (Plus a
        fix for this too)

   - Don't leak kernel stack memory to userspace in the CM

   - Missing permission validation for RDMA_NLDEV_CMD_SYS_SET"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/core: Require admin capabilities to set system parameters
  RDMA/mlx5: Remove not-used cache disable flag
  RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
  RDMA/mlx5: Fix mkey cache possible deadlock on cleanup
  RDMA/mlx5: Fix NULL string error
  RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation
  RDMA/mlx5: Fix assigning access flags to cache mkeys
  IB/mlx4: Fix the size of a buffer in add_port_entries()
  RDMA/bnxt_re: Decrement resource stats correctly
  RDMA/bnxt_re: Fix the handling of control path response data
  RDMA/cma: Fix truncation compilation warning in make_cma_ports
  RDMA/erdma: Fix NULL pointer access in regmr_cmd
  RDMA/erdma: Fix error code in erdma_create_scatter_mtt()
  RDMA/uverbs: Fix typo of sizeof argument
  RDMA/cxgb4: Check skb value for failure to allocate
  RDMA/siw: Fix connection failure handling
  RDMA/srp: Do not call scsi_done() from srp_abort()

dm-devel@redhat.com has migrated to dm-devel@lists.linux.dev
Signed-off-by: Mike Snitzer <snitzer@kernel.org>

Pull power management fix from Rafael Wysocki:
 "Fix a recently introduced hibernation crash (Pavankumar Kondeti)"

* tag 'pm-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM: hibernate: Fix copying the zero bitmap to safe pages

Pull block fixes from Jens Axboe:
 "Just two minor fixes, for nbd and md"

* tag 'block-6.6-2023-10-06' of git://git.kernel.dk/linux:
  nbd: don't call blk_mark_disk_dead nbd_clear_sock_ioctl
  md/raid5: release batch_last before waiting for another stripe_head

Pull io_uring fixes from Jens Axboe:

 - syzbot report on a crash on 32-bit arm with highmem, and went digging
   to check for potentially similar issues and found one more (me)

 - Fix a syzbot report with PROVE_LOCKING=y and setting up the ring in a
   disabled state (me)

 - Fix for race with CPU hotplut and io-wq init (Jeff)

* tag 'io_uring-6.6-2023-10-06' of git://git.kernel.dk/linux:
  io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()
  io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages
  io_uring: ensure io_lockdep_assert_cq_locked() handles disabled rings
  io_uring/kbuf: don't allow registered buffer rings on highmem pages

The correct name of this chip is MXC4005, not MX4005. This is confirmed
both by the manufacturer website and by the title of the original commit,
which added other MXCxxxx devices as well but only this one misses a "c" in
the compatible string.
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Fixes: d9bf5d37 ("dt-bindings:trivial-devices: Add memsic,mxc4005/mxc6255/mxc6655 entries")
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20231004-mxc4005-device-tree-support-v1-1-e7c0faea72e4@bootlin.comSigned-off-by: Rob Herring <robh@kernel.org>

The 'msi' child node schema is missing constraints on additional properties.
It turns out it is incomplete and properties for it are documented in the
parent node by mistake. Move the reference to msi-controller.yaml and
the custom properties to the 'msi' node. Adding 'unevaluatedProperties'
ensures all the properties in the 'msi' node are documented.

With the schema corrected, a minimal interrupt controller node is needed
to properly decode the interrupt properties since the example has
multiple interrupt parents.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Fixes: 905b986d ("dt-bindings: pci: Convert iProc PCIe to YAML")
Link: https://lore.kernel.org/r/20230926155613.33904-3-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

Drop the unnecessary listing of properties already defined in
pci-bus.yaml. Unless there are additional constraints, it is not
necessary.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20230926155351.31117-2-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

The example's indentation is off. While fixing this, the 'bus' node
is unnecessary and can be dropped. It is also preferred to split up
unrelated examples to their own entries.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230926155351.31117-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

Just as unevaluatedProperties or additionalProperties are required at
the top level of schemas, they should (and will) also be required for
child node schemas. That ensures only documented properties are
present for any node.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230925212803.1976803-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

A bus schema based on simple-pm-bus shouldn't define how many 'reg' entries
a child device has. That is a property of the device. Drop the 'reg' entry.
Reviewed-by: Liu Ying <victor.liu@nxp.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230925212639.1975002-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

On i.MX8MQ the MIPI CSI block does have an associated power-domain, but
the CSI bridge does not.

Remove the power-domains requirement from the i.MX8MQ CSI bridge
to fix the following schema warning:

imx8mq-librem5-r4.dtb: csi@30a90000: 'power-domains' is a required property
from schema $id: http://devicetree.org/schemas/media/nxp,imx7-csi.yaml#

Fixes: de655386 ("media: dt-bindings: media: imx7-csi: Document i.MX8M power-domains property")
Signed-off-by: Fabio Estevam <festevam@denx.de>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Link: https://lore.kernel.org/r/20231004201105.2323758-1-festevam@gmail.comSigned-off-by: Rob Herring <robh@kernel.org>

Pull PCI fixes from Bjorn Helgaas:

 - Fix a qcom register offset that broke IPQ8074 PCIe controller
   enumeration (Sricharan Ramabadhran)

 - Handle interrupt parsing failures when creating a device tree node to
   avoid using uninitialized data (Lizhi Hou)

 - Clean up if adding PCI device node fails when creating a device tree
   node to avoid a memory leak (Lizhi Hou)

 - If a link is down, mark all downstream devices as "disconnected" so
   we don't wait for them on resume (Mika Westerberg)

* tag 'pci-v6.6-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
  PCI/PM: Mark devices disconnected if upstream PCIe link is down on resume
  PCI: of: Destroy changeset when adding PCI device node fails
  PCI: of_property: Handle interrupt parsing failures
  PCI: qcom: Fix IPQ8074 enumeration

Merge tag 'platform-drivers-x86-v6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Hans de Goede:
 "Bug fixes, build warning fixes and DMI quirk additions"

* tag 'platform-drivers-x86-v6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning
  platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
  platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet
  platform/mellanox: tmfifo: fix kernel-doc warnings
  platform/x86/intel/ifs: release cpus_read_lock()
  platform/x86: hp-bioscfg: Fix reference leak
  platform/x86: think-lmi: Fix reference leak

Pull btrfs fixes from David Sterba:

 - reject unknown mount options

 - adjust transaction abort error message level

 - fix one more build warning with -Wmaybe-uninitialized

 - proper error handling in several COW-related cases

* tag 'for-6.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: error out when reallocating block for defrag using a stale transaction
  btrfs: error when COWing block from a root that is being deleted
  btrfs: error out when COWing block using a stale transaction
  btrfs: always print transaction aborted messages with an error level
  btrfs: reject unknown mount options early
  btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c

Pull arm64 fixes from Will Deacon:
 "A typo fix for a PMU driver, a workround for a side-channel erratum on
  Cortex-A520 and a fix for the local timer save/restore when using ACPI
  with Qualcomm's custom CPUs:

   - Workaround for Cortex-A520 erratum #2966298

   - Fix typo in Arm CMN PMU driver that breaks counter overflow handling

   - Fix timer handling across idle for Qualcomm custom CPUs"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  cpuidle, ACPI: Evaluate LPI arch_flags for broadcast timer
  arm64: errata: Add Cortex-A520 speculative unprivileged load workaround
  arm64: Add Cortex-A520 CPU part definition
  perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7

Pull drm fixes from Dave Airlie:
 "Regular weekly pull, all seems pretty normal, i915 and amdgpu mostly.

  There is one small new uAPI addition for nouveau but getting it in now
  avoids a bunch of userspace dances, and it's for a userspace that
  hasn't yet released, so should have no side effects.

  i915:
   - Fix for OpenGL CTS regression on Compute Shaders
   - Fix for default engines initialization
   - Fix TLB invalidation for Multi-GT devices

  amdgpu:
   - Add missing unique_id for GC 11.0.3
   - Fix memory leak in FRU error path
   - Fix PCIe link reporting on some SMU 11 parts
   - Fix ACPI _PR3 detection
   - Fix DISPCLK WDIVIDER handling in OTG code

  tests:
   - Fix kunit release

  panel:
   - panel-orientation: Add quirk for One Mix 25

  nouveau:
   - Report IB limit via getparams
   - Replace some magic numbers with constants
   - small clean up"

* tag 'drm-fixes-2023-10-06' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: apply edge-case DISPCLK WDIVIDER changes to master OTG pipes only
  drm/amd: Fix detection of _PR3 on the PCIe root port
  drm/amd: Fix logic error in sienna_cichlid_update_pcie_parameters()
  drm/amdgpu: Fix a memory leak
  drm/amd/pm: add unique_id for gc 11.0.3
  drm/i915: Invalidate the TLBs on each GT
  drm/i915: Register engines early to avoid type confusion
  drm/i915: Don't set PIPE_CONTROL_FLUSH_L3 for aux inval
  drm/nouveau: exec: report max pushs through getparam
  drm/nouveau: chan: use channel class definitions
  drm/nouveau: chan: use struct nvif_mclass
  drm: panel-orientation-quirks: Add quirk for One Mix 2S
  drm/tests: Fix kunit_release_action ctx argument

As described in the added code comment, a reference to .exit.text is ok
for drivers registered via module_platform_driver_probe(). Make this
explicit to prevent a section mismatch warning:

	WARNING: modpost: drivers/platform/x86/hp/hp-wmi: section mismatch in reference: hp_wmi_driver+0x8 (section: .data) -> hp_wmi_bios_remove (section: .exit.text)

Fixes: c165b80c ("hp-wmi: fix handling of platform device")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231004111624.2667753-1-u.kleine-koenig@pengutronix.deReviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Pull erofs fixes from Gao Xiang:

 - Fix a memory leak issue when using LZMA global compressed
   deduplication

 - Fix empty device tags in flatdev mode

 - Update documentation for recent new features

* tag 'erofs-for-6.6-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: update documentation
  erofs: allow empty device tags in flatdev mode
  erofs: fix memory leak of LZMA global compressed deduplication

Pull HID fixes from Jiri Kosina:

 - power management fix for intel-ish-hid (Srinivas Pandruvada)

 - power management fix for hid-nintendo (Martino Fontana)

 - error handling fixes for nvidia-shield (Christophe JAILLET)

 - memory leak fix for hid-sony (Christophe JAILLET)

 - fix for slab out-of-bound write in hid-holtek (Ma Ke)

 - other assorted smaller fixes and device ID / quirk entry additions

* tag 'for-linus-2023100502' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng
  HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
  HID: sony: remove duplicate NULL check before calling usb_free_urb()
  HID: nintendo: reinitialize USB Pro Controller after resuming from suspend
  HID: nvidia-shield: Fix some missing function calls() in the probe error handling path
  HID: nvidia-shield: Fix a missing led_classdev_unregister() in the probe error handling path
  HID: multitouch: Add required quirk for Synaptics 0xcd7e device
  HID: nvidia-shield: Select POWER_SUPPLY Kconfig option
  HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
  HID: nvidia-shield: add LEDS_CLASS dependency
  HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse
  HID: steelseries: Fix signedness bug in steelseries_headset_arctis_1_fetch_battery()
  HID: sony: Fix a potential memory leak in sony_probe()

Short summary of fixes pull:

 * test: Fix kunit release
 * panel-orientation: Add quirk for One Mix 25
 * nouveau:
   * Report IB limit via getparams
   * Replace some magic numbers with constants
   * Clean up
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005092632.GA17332@linux-uq9g

Merge tag 'amd-drm-fixes-6.6-2023-10-04' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-6.6-2023-10-04:

amdgpu:
- Add missing unique_id for GC 11.0.3
- Fix memory leak in FRU error path
- Fix PCIe link reporting on some SMU 11 parts
- Fix ACPI _PR3 detection
- Fix DISPCLK WDIVIDER handling in OTG code
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005034358.7824-1-alexander.deucher@amd.com

Merge tag 'drm-intel-fixes-2023-10-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

- Fix for OpenGL CTS regression on Compute Shaders (Nirmoy)
- Fix for default engines initialization (Mathias)
- Fix TLB invalidation for Multi-GT devices (Chris)
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZR7EvL+ucWI4uDTX@intel.com

I received a bug report with the following signature:

[ 1759.937637] BUG: unable to handle page fault for address: ffffffffffffffe8
[ 1759.944564] #PF: supervisor read access in kernel mode
[ 1759.949732] #PF: error_code(0x0000) - not-present page
[ 1759.954901] PGD 7ab615067 P4D 7ab615067 PUD 7ab617067 PMD 0
[ 1759.960596] Oops: 0000 1 PREEMPT SMP PTI
[ 1759.964804] CPU: 15 PID: 109 Comm: cpuhp/15 Kdump: loaded Tainted: G X ------- — 5.14.0-362.3.1.el9_3.x86_64 #1
[ 1759.976609] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018
[ 1759.985181] RIP: 0010:io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1759.990877] Code: 90 90 90 90 90 90 0f 1f 44 00 00 41 56 41 55 41 54 55 48 8d 6f 78 53 48 8b 47 78 48 39 c5 74 4f 49 89 f5 49 89 d4 48 8d 58 e8 <8b> 13 85 d2 74 32 8d 4a 01 89 d0 f0 0f b1 0b 75 5c 09 ca 78 3d 48
[ 1760.009758] RSP: 0000:ffffb6f403603e20 EFLAGS: 00010286
[ 1760.015013] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000000
[ 1760.022188] RDX: ffffb6f403603e50 RSI: ffffffffb11e95b0 RDI: ffff9f73b09e9400
[ 1760.029362] RBP: ffff9f73b09e9478 R08: 000000000000000f R09: 0000000000000000
[ 1760.036536] R10: ffffffffffffff00 R11: ffffb6f403603d80 R12: ffffb6f403603e50
[ 1760.043712] R13: ffffffffb11e95b0 R14: ffffffffb28531e8 R15: ffff9f7a6fbdf548
[ 1760.050887] FS: 0000000000000000(0000) GS:ffff9f7a6fbc0000(0000) knlGS:0000000000000000
[ 1760.059025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1760.064801] CR2: ffffffffffffffe8 CR3: 00000007ab610002 CR4: 00000000007706e0
[ 1760.071976] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1760.079150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1760.086325] PKRU: 55555554
[ 1760.089044] Call Trace:
[ 1760.091501] <TASK>
[ 1760.093612] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.097995] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.102377] ? __io_wq_cpu_online+0x54/0xb0
[ 1760.106584] ? __die_body.cold+0x8/0xd
[ 1760.110356] ? page_fault_oops+0x134/0x170
[ 1760.114479] ? kernelmode_fixup_or_oops+0x84/0x110
[ 1760.119298] ? exc_page_fault+0xa8/0x150
[ 1760.123247] ? asm_exc_page_fault+0x22/0x30
[ 1760.127458] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.132453] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.137446] ? io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1760.142527] __io_wq_cpu_online+0x54/0xb0
[ 1760.146558] cpuhp_invoke_callback+0x109/0x460
[ 1760.151029] ? __pfx_io_wq_cpu_offline+0x10/0x10
[ 1760.155673] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 1760.160320] cpuhp_thread_fun+0x8d/0x140
[ 1760.164266] smpboot_thread_fn+0xd3/0x1a0
[ 1760.168297] kthread+0xdd/0x100
[ 1760.171457] ? __pfx_kthread+0x10/0x10
[ 1760.175225] ret_from_fork+0x29/0x50
[ 1760.178826] </TASK>
[ 1760.181022] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc vfat fat dm_multipath intel_rapl_msr intel_rapl_common isst_if_common ipmi_ssif nfit libnvdimm mgag200 i2c_algo_bit ioatdma drm_shmem_helper drm_kms_helper acpi_ipmi syscopyarea x86_pkg_temp_thermal sysfillrect ipmi_si intel_powerclamp sysimgblt ipmi_devintf coretemp acpi_power_meter ipmi_msghandler rapl pcspkr dca intel_pch_thermal intel_cstate ses lpc_ich intel_uncore enclosure hpilo mei_me mei acpi_tad fuse drm xfs sd_mod sg bnx2x nvme nvme_core crct10dif_pclmul crc32_pclmul nvme_common ghash_clmulni_intel smartpqi tg3 t10_pi mdio uas libcrc32c crc32c_intel scsi_transport_sas usb_storage hpwdt wmi dm_mirror dm_region_hash dm_log dm_mod
[ 1760.248623] CR2: ffffffffffffffe8

A cpu hotplug callback was issued before wq->all_list was initialized.
This results in a null pointer dereference.  The fix is to fully setup
the io_wq before calling cpuhp_state_add_instance_nocalls().
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Link: https://lore.kernel.org/r/x49y1ghnecs.fsf@segfault.boston.devel.redhat.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

When cpufreq's policy is 'single', there is a scenario that will
cause sg_policy's next_freq to be unable to update.

When the CPU's util is always max, the cpufreq will be max,
and then if we change the policy's scaling_max_freq to be a
lower freq, indeed, the sg_policy's next_freq need change to
be the lower freq, however, because the cpu_is_busy, the next_freq
would keep the max_freq.

For example:

The cpu7 is a single CPU:

  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # while true;do done& [1] 4737
  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # taskset -p 80 4737
  pid 4737's current affinity mask: ff
  pid 4737's new affinity mask: 80
  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
  2301000
  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_cur_freq
  2301000
  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # echo 2171000 > scaling_max_freq
  unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
  2171000

At this time, the sg_policy's next_freq would stay at 2301000, which
is wrong.

To fix this, add a check for the ->need_freq_update flag.

[ mingo: Clarified the changelog. ]
Co-developed-by: Guohua Yan <guohua.yan@unisoc.com>
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
Signed-off-by: Guohua Yan <guohua.yan@unisoc.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: "Rafael J. Wysocki" <rafael@kernel.org>
Link: https://lore.kernel.org/r/20230719130527.8074-1-xuewen.yan@unisoc.com

Add information for the Positivo C4128B, a notebook/tablet convertible.

Link: https://github.com/onitake/gsl-firmware/pull/217Signed-off-by: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
Link: https://lore.kernel.org/r/20231004235900.426240-1-japareaggae@gmail.comReviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>