We found that a panic can occur when a vsyscall is made while LBR sampling
is active. If the vsyscall is interrupted (NMI) for perf sampling, this
call sequence can occur (most recent at top):

    __insn_get_emulate_prefix()
    insn_get_emulate_prefix()
    insn_get_prefixes()
    insn_get_opcode()
    decode_branch_type()
    get_branch_type()
    intel_pmu_lbr_filter()
    intel_pmu_handle_irq()
    perf_event_nmi_handler()

Within __insn_get_emulate_prefix() at frame 0, a macro is called:

    peek_nbyte_next(insn_byte_t, insn, i)

Within this macro, this dereference occurs:

    (insn)->next_byte

Inspecting registers at this point, the value of the next_byte field is the
address of the vsyscall made, for example the location of the vsyscall
version of gettimeofday() at 0xffffffffff600000. The access to an address
in the vsyscall region will trigger an oops due to an unhandled page fault.

To fix the bug, filtering for vsyscalls can be done when
determining the branch type. This patch will return
a "none" branch if a kernel address if found to lie in the
vsyscall region.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org

Pull parisc fixes from Helge Deller:

 - fix random faults in mmap'd memory on pre PA8800 processors

 - fix boot crash with nr_cpus=1 on kernel command line

* tag 'parisc-for-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc: Restore __ldcw_align for PA-RISC 2.0 processors
  parisc: Fix crash with nr_cpus=1 option

Back in 2005, Kyle McMartin removed the 16-byte alignment for
ldcw semaphores on PA 2.0 machines (CONFIG_PA20). This broke
spinlocks on pre PA8800 processors. The main symptom was random
faults in mmap'd memory (e.g., gcc compilations, etc).

Unfortunately, the errata for this ldcw change is lost.

The issue is the 16-byte alignment required for ldcw semaphore
instructions can only be reduced to natural alignment when the
ldcw operation can be handled coherently in cache. Only PA8800
and PA8900 processors actually support doing the operation in
cache.

Aligning the spinlock dynamically adds two integer instructions
to each spinlock.

Tested on rp3440, c8000 and a500.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Link: https://lore.kernel.org/linux-parisc/6b332788-2227-127f-ba6d-55e99ecf4ed8@bell.net/T/#t
Link: https://lore.kernel.org/linux-parisc/20050609050702.GB4641@roadwarrior.mcmartin.ca/
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>

John David Anglin reported that giving "nr_cpus=1" on the command
line causes a crash, while "maxcpus=1" works.
Reported-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.18+

Pull smb client fixes from Steve French:

 - protect cifs/smb3 socket connect from BPF address overwrite

 - fix case when directory leases disabled but wasting resources with
   unneeded thread on each mount

* tag '6.6-rc4-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: do not start laundromat thread on nohandlecache
  smb: use kernel_connect() and kernel_bind()

Pull xfs fixes from Chandan Babu:

 - Prevent filesystem hang when executing fstrim operations on large and
   slow storage

* tag 'xfs-6.6-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: abort fstrim if kernel is suspending
  xfs: reduce AGF hold times during fstrim operations
  xfs: move log discard work to xfs_discard.c

Merge tag 'for-6.6/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix memory leak when freeing dm zoned target device

 - Update dm-devel mailing list address in MAINTAINERS

* tag 'for-6.6/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  MAINTAINERS: update the dm-devel mailing list
  dm zoned: free dmz->ddev array in dmz_put_zoned_devices

Pull media fixes from Mauro Carvalho Chehab:

 - two Kconfig build fixes under randconfig

 - pxa_camera: Fix an error handling path

 - mediatek: vcodec: Fix a NULL-access pointer

 - tegra-video: fix an infinite recursion regression

* tag 'media/v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: mediatek: vcodec: Fix encoder access NULL pointer
  staging: media: tegra-video: fix infinite recursion regression
  media: pci: intel: ivsc: select V4L2_FWNODE
  media: ipu-bridge: Fix Kconfig dependencies
  media: pxa_camera: Fix an error handling path in pxa_camera_probe()

Pull devicetree fixes from Rob Herring:

 - Fix potential memory leak in of_changeset_action()

 - Fix some i.MX binding warnings

 - Fix typo in renesas,vin binding field-even-active property

 - Fix andestech,ax45mp-cache example unit-address

 - Add missing additionalProperties on RiscV CPU interrupt-controller
   node

 - Add missing unevaluatedProperties on media bindings

 - Fix brcm,iproc-pcie binding 'msi' child node schema

 - Fix MEMSIC MXC4005 compatible string

* tag 'devicetree-fixes-for-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: trivial-devices: Fix MEMSIC MXC4005 compatible string
  dt-bindings: PCI: brcm,iproc-pcie: Fix 'msi' child node schema
  dt-bindings: PCI: brcm,iproc-pcie: Drop common pci-bus properties
  dt-bindings: PCI: brcm,iproc-pcie: Fix example indentation
  media: dt-bindings: Add missing unevaluatedProperties on child node schemas
  dt-bindings: bus: fsl,imx8qxp-pixel-link-msi-bus: Drop child 'reg' property
  media: dt-bindings: imx7-csi: Make power-domains not required for imx8mq
  dt-bindings: media: renesas,vin: Fix field-even-active spelling
  dt-bindings: cache: andestech,ax45mp-cache: Fix unit address in example
  of: overlay: Reorder struct fragment fields kerneldoc
  dt-bindings: display: fsl,imx6-hdmi: Change to 'unevaluatedProperties: false'
  dt-bindings: riscv: cpus: Add missing additionalProperties on interrupt-controller node
  of: dynamic: Fix potential memory leak in of_changeset_action()

Pull gpio fixes from Bartosz Golaszewski:
 "Another round of driver one-liners from the GPIO subsystem:

   - disable pin control on MMP GPIOs in gpio-pxa

   - fix the GPIO number passed to one of the pinctrl callbacks in
     gpio-aspeed"

* tag 'gpio-fixes-for-v6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
  gpio: pxa: disable pinctrl calls for MMP_GPIO

Pull rdma fixes from Jason Gunthorpe:
 "This includes a fix for a significant security miss in checking the
  RDMA_NLDEV_CMD_SYS_SET operation.

  Summary:

   - UAF in SRP

   - Error unwind failure in siw connection management

   - Missing error checks

   - NULL/ERR_PTR confusion in erdma

   - Possible string truncation in CMA configfs and mlx4

   - Data ordering issue in bnxt_re

   - Missing stats decrement on object destroy in bnxt_re

   - Mlx5 bugs in this merge window:
      * Incorrect access_flag in the new mkey cache
      * Missing unlock on error in flow steering
      * lockdep possible deadlock on new mkey cache destruction (Plus a
        fix for this too)

   - Don't leak kernel stack memory to userspace in the CM

   - Missing permission validation for RDMA_NLDEV_CMD_SYS_SET"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/core: Require admin capabilities to set system parameters
  RDMA/mlx5: Remove not-used cache disable flag
  RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
  RDMA/mlx5: Fix mkey cache possible deadlock on cleanup
  RDMA/mlx5: Fix NULL string error
  RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation
  RDMA/mlx5: Fix assigning access flags to cache mkeys
  IB/mlx4: Fix the size of a buffer in add_port_entries()
  RDMA/bnxt_re: Decrement resource stats correctly
  RDMA/bnxt_re: Fix the handling of control path response data
  RDMA/cma: Fix truncation compilation warning in make_cma_ports
  RDMA/erdma: Fix NULL pointer access in regmr_cmd
  RDMA/erdma: Fix error code in erdma_create_scatter_mtt()
  RDMA/uverbs: Fix typo of sizeof argument
  RDMA/cxgb4: Check skb value for failure to allocate
  RDMA/siw: Fix connection failure handling
  RDMA/srp: Do not call scsi_done() from srp_abort()

dm-devel@redhat.com has migrated to dm-devel@lists.linux.dev
Signed-off-by: Mike Snitzer <snitzer@kernel.org>

Pull power management fix from Rafael Wysocki:
 "Fix a recently introduced hibernation crash (Pavankumar Kondeti)"

* tag 'pm-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM: hibernate: Fix copying the zero bitmap to safe pages

Pull block fixes from Jens Axboe:
 "Just two minor fixes, for nbd and md"

* tag 'block-6.6-2023-10-06' of git://git.kernel.dk/linux:
  nbd: don't call blk_mark_disk_dead nbd_clear_sock_ioctl
  md/raid5: release batch_last before waiting for another stripe_head

Pull io_uring fixes from Jens Axboe:

 - syzbot report on a crash on 32-bit arm with highmem, and went digging
   to check for potentially similar issues and found one more (me)

 - Fix a syzbot report with PROVE_LOCKING=y and setting up the ring in a
   disabled state (me)

 - Fix for race with CPU hotplut and io-wq init (Jeff)

* tag 'io_uring-6.6-2023-10-06' of git://git.kernel.dk/linux:
  io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()
  io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages
  io_uring: ensure io_lockdep_assert_cq_locked() handles disabled rings
  io_uring/kbuf: don't allow registered buffer rings on highmem pages

The correct name of this chip is MXC4005, not MX4005. This is confirmed
both by the manufacturer website and by the title of the original commit,
which added other MXCxxxx devices as well but only this one misses a "c" in
the compatible string.
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Fixes: d9bf5d37 ("dt-bindings:trivial-devices: Add memsic,mxc4005/mxc6255/mxc6655 entries")
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20231004-mxc4005-device-tree-support-v1-1-e7c0faea72e4@bootlin.comSigned-off-by: Rob Herring <robh@kernel.org>

The 'msi' child node schema is missing constraints on additional properties.
It turns out it is incomplete and properties for it are documented in the
parent node by mistake. Move the reference to msi-controller.yaml and
the custom properties to the 'msi' node. Adding 'unevaluatedProperties'
ensures all the properties in the 'msi' node are documented.

With the schema corrected, a minimal interrupt controller node is needed
to properly decode the interrupt properties since the example has
multiple interrupt parents.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Fixes: 905b986d ("dt-bindings: pci: Convert iProc PCIe to YAML")
Link: https://lore.kernel.org/r/20230926155613.33904-3-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

Drop the unnecessary listing of properties already defined in
pci-bus.yaml. Unless there are additional constraints, it is not
necessary.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20230926155351.31117-2-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

The example's indentation is off. While fixing this, the 'bus' node
is unnecessary and can be dropped. It is also preferred to split up
unrelated examples to their own entries.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230926155351.31117-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

Just as unevaluatedProperties or additionalProperties are required at
the top level of schemas, they should (and will) also be required for
child node schemas. That ensures only documented properties are
present for any node.
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230925212803.1976803-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

A bus schema based on simple-pm-bus shouldn't define how many 'reg' entries
a child device has. That is a property of the device. Drop the 'reg' entry.
Reviewed-by: Liu Ying <victor.liu@nxp.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230925212639.1975002-1-robh@kernel.orgSigned-off-by: Rob Herring <robh@kernel.org>

On i.MX8MQ the MIPI CSI block does have an associated power-domain, but
the CSI bridge does not.

Remove the power-domains requirement from the i.MX8MQ CSI bridge
to fix the following schema warning:

imx8mq-librem5-r4.dtb: csi@30a90000: 'power-domains' is a required property
from schema $id: http://devicetree.org/schemas/media/nxp,imx7-csi.yaml#

Fixes: de655386 ("media: dt-bindings: media: imx7-csi: Document i.MX8M power-domains property")
Signed-off-by: Fabio Estevam <festevam@denx.de>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Link: https://lore.kernel.org/r/20231004201105.2323758-1-festevam@gmail.comSigned-off-by: Rob Herring <robh@kernel.org>

Pull PCI fixes from Bjorn Helgaas:

 - Fix a qcom register offset that broke IPQ8074 PCIe controller
   enumeration (Sricharan Ramabadhran)

 - Handle interrupt parsing failures when creating a device tree node to
   avoid using uninitialized data (Lizhi Hou)

 - Clean up if adding PCI device node fails when creating a device tree
   node to avoid a memory leak (Lizhi Hou)

 - If a link is down, mark all downstream devices as "disconnected" so
   we don't wait for them on resume (Mika Westerberg)

* tag 'pci-v6.6-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
  PCI/PM: Mark devices disconnected if upstream PCIe link is down on resume
  PCI: of: Destroy changeset when adding PCI device node fails
  PCI: of_property: Handle interrupt parsing failures
  PCI: qcom: Fix IPQ8074 enumeration

Merge tag 'platform-drivers-x86-v6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

Pull x86 platform driver fixes from Hans de Goede:
 "Bug fixes, build warning fixes and DMI quirk additions"

* tag 'platform-drivers-x86-v6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
  platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning
  platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
  platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet
  platform/mellanox: tmfifo: fix kernel-doc warnings
  platform/x86/intel/ifs: release cpus_read_lock()
  platform/x86: hp-bioscfg: Fix reference leak
  platform/x86: think-lmi: Fix reference leak

Pull btrfs fixes from David Sterba:

 - reject unknown mount options

 - adjust transaction abort error message level

 - fix one more build warning with -Wmaybe-uninitialized

 - proper error handling in several COW-related cases

* tag 'for-6.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: error out when reallocating block for defrag using a stale transaction
  btrfs: error when COWing block from a root that is being deleted
  btrfs: error out when COWing block using a stale transaction
  btrfs: always print transaction aborted messages with an error level
  btrfs: reject unknown mount options early
  btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c

Pull arm64 fixes from Will Deacon:
 "A typo fix for a PMU driver, a workround for a side-channel erratum on
  Cortex-A520 and a fix for the local timer save/restore when using ACPI
  with Qualcomm's custom CPUs:

   - Workaround for Cortex-A520 erratum #2966298

   - Fix typo in Arm CMN PMU driver that breaks counter overflow handling

   - Fix timer handling across idle for Qualcomm custom CPUs"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  cpuidle, ACPI: Evaluate LPI arch_flags for broadcast timer
  arm64: errata: Add Cortex-A520 speculative unprivileged load workaround
  arm64: Add Cortex-A520 CPU part definition
  perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7

Pull drm fixes from Dave Airlie:
 "Regular weekly pull, all seems pretty normal, i915 and amdgpu mostly.

  There is one small new uAPI addition for nouveau but getting it in now
  avoids a bunch of userspace dances, and it's for a userspace that
  hasn't yet released, so should have no side effects.

  i915:
   - Fix for OpenGL CTS regression on Compute Shaders
   - Fix for default engines initialization
   - Fix TLB invalidation for Multi-GT devices

  amdgpu:
   - Add missing unique_id for GC 11.0.3
   - Fix memory leak in FRU error path
   - Fix PCIe link reporting on some SMU 11 parts
   - Fix ACPI _PR3 detection
   - Fix DISPCLK WDIVIDER handling in OTG code

  tests:
   - Fix kunit release

  panel:
   - panel-orientation: Add quirk for One Mix 25

  nouveau:
   - Report IB limit via getparams
   - Replace some magic numbers with constants
   - small clean up"

* tag 'drm-fixes-2023-10-06' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: apply edge-case DISPCLK WDIVIDER changes to master OTG pipes only
  drm/amd: Fix detection of _PR3 on the PCIe root port
  drm/amd: Fix logic error in sienna_cichlid_update_pcie_parameters()
  drm/amdgpu: Fix a memory leak
  drm/amd/pm: add unique_id for gc 11.0.3
  drm/i915: Invalidate the TLBs on each GT
  drm/i915: Register engines early to avoid type confusion
  drm/i915: Don't set PIPE_CONTROL_FLUSH_L3 for aux inval
  drm/nouveau: exec: report max pushs through getparam
  drm/nouveau: chan: use channel class definitions
  drm/nouveau: chan: use struct nvif_mclass
  drm: panel-orientation-quirks: Add quirk for One Mix 2S
  drm/tests: Fix kunit_release_action ctx argument

As described in the added code comment, a reference to .exit.text is ok
for drivers registered via module_platform_driver_probe(). Make this
explicit to prevent a section mismatch warning:

	WARNING: modpost: drivers/platform/x86/hp/hp-wmi: section mismatch in reference: hp_wmi_driver+0x8 (section: .data) -> hp_wmi_bios_remove (section: .exit.text)

Fixes: c165b80c ("hp-wmi: fix handling of platform device")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231004111624.2667753-1-u.kleine-koenig@pengutronix.deReviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Pull erofs fixes from Gao Xiang:

 - Fix a memory leak issue when using LZMA global compressed
   deduplication

 - Fix empty device tags in flatdev mode

 - Update documentation for recent new features

* tag 'erofs-for-6.6-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: update documentation
  erofs: allow empty device tags in flatdev mode
  erofs: fix memory leak of LZMA global compressed deduplication

Pull HID fixes from Jiri Kosina:

 - power management fix for intel-ish-hid (Srinivas Pandruvada)

 - power management fix for hid-nintendo (Martino Fontana)

 - error handling fixes for nvidia-shield (Christophe JAILLET)

 - memory leak fix for hid-sony (Christophe JAILLET)

 - fix for slab out-of-bound write in hid-holtek (Ma Ke)

 - other assorted smaller fixes and device ID / quirk entry additions

* tag 'for-linus-2023100502' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng
  HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
  HID: sony: remove duplicate NULL check before calling usb_free_urb()
  HID: nintendo: reinitialize USB Pro Controller after resuming from suspend
  HID: nvidia-shield: Fix some missing function calls() in the probe error handling path
  HID: nvidia-shield: Fix a missing led_classdev_unregister() in the probe error handling path
  HID: multitouch: Add required quirk for Synaptics 0xcd7e device
  HID: nvidia-shield: Select POWER_SUPPLY Kconfig option
  HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
  HID: nvidia-shield: add LEDS_CLASS dependency
  HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse
  HID: steelseries: Fix signedness bug in steelseries_headset_arctis_1_fetch_battery()
  HID: sony: Fix a potential memory leak in sony_probe()

Short summary of fixes pull:

 * test: Fix kunit release
 * panel-orientation: Add quirk for One Mix 25
 * nouveau:
   * Report IB limit via getparams
   * Replace some magic numbers with constants
   * Clean up
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005092632.GA17332@linux-uq9g

Merge tag 'amd-drm-fixes-6.6-2023-10-04' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-6.6-2023-10-04:

amdgpu:
- Add missing unique_id for GC 11.0.3
- Fix memory leak in FRU error path
- Fix PCIe link reporting on some SMU 11 parts
- Fix ACPI _PR3 detection
- Fix DISPCLK WDIVIDER handling in OTG code
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005034358.7824-1-alexander.deucher@amd.com

Merge tag 'drm-intel-fixes-2023-10-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

- Fix for OpenGL CTS regression on Compute Shaders (Nirmoy)
- Fix for default engines initialization (Mathias)
- Fix TLB invalidation for Multi-GT devices (Chris)
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZR7EvL+ucWI4uDTX@intel.com

I received a bug report with the following signature:

[ 1759.937637] BUG: unable to handle page fault for address: ffffffffffffffe8
[ 1759.944564] #PF: supervisor read access in kernel mode
[ 1759.949732] #PF: error_code(0x0000) - not-present page
[ 1759.954901] PGD 7ab615067 P4D 7ab615067 PUD 7ab617067 PMD 0
[ 1759.960596] Oops: 0000 1 PREEMPT SMP PTI
[ 1759.964804] CPU: 15 PID: 109 Comm: cpuhp/15 Kdump: loaded Tainted: G X ------- — 5.14.0-362.3.1.el9_3.x86_64 #1
[ 1759.976609] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018
[ 1759.985181] RIP: 0010:io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1759.990877] Code: 90 90 90 90 90 90 0f 1f 44 00 00 41 56 41 55 41 54 55 48 8d 6f 78 53 48 8b 47 78 48 39 c5 74 4f 49 89 f5 49 89 d4 48 8d 58 e8 <8b> 13 85 d2 74 32 8d 4a 01 89 d0 f0 0f b1 0b 75 5c 09 ca 78 3d 48
[ 1760.009758] RSP: 0000:ffffb6f403603e20 EFLAGS: 00010286
[ 1760.015013] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000000
[ 1760.022188] RDX: ffffb6f403603e50 RSI: ffffffffb11e95b0 RDI: ffff9f73b09e9400
[ 1760.029362] RBP: ffff9f73b09e9478 R08: 000000000000000f R09: 0000000000000000
[ 1760.036536] R10: ffffffffffffff00 R11: ffffb6f403603d80 R12: ffffb6f403603e50
[ 1760.043712] R13: ffffffffb11e95b0 R14: ffffffffb28531e8 R15: ffff9f7a6fbdf548
[ 1760.050887] FS: 0000000000000000(0000) GS:ffff9f7a6fbc0000(0000) knlGS:0000000000000000
[ 1760.059025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1760.064801] CR2: ffffffffffffffe8 CR3: 00000007ab610002 CR4: 00000000007706e0
[ 1760.071976] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1760.079150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1760.086325] PKRU: 55555554
[ 1760.089044] Call Trace:
[ 1760.091501] <TASK>
[ 1760.093612] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.097995] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.102377] ? __io_wq_cpu_online+0x54/0xb0
[ 1760.106584] ? __die_body.cold+0x8/0xd
[ 1760.110356] ? page_fault_oops+0x134/0x170
[ 1760.114479] ? kernelmode_fixup_or_oops+0x84/0x110
[ 1760.119298] ? exc_page_fault+0xa8/0x150
[ 1760.123247] ? asm_exc_page_fault+0x22/0x30
[ 1760.127458] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.132453] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.137446] ? io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1760.142527] __io_wq_cpu_online+0x54/0xb0
[ 1760.146558] cpuhp_invoke_callback+0x109/0x460
[ 1760.151029] ? __pfx_io_wq_cpu_offline+0x10/0x10
[ 1760.155673] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 1760.160320] cpuhp_thread_fun+0x8d/0x140
[ 1760.164266] smpboot_thread_fn+0xd3/0x1a0
[ 1760.168297] kthread+0xdd/0x100
[ 1760.171457] ? __pfx_kthread+0x10/0x10
[ 1760.175225] ret_from_fork+0x29/0x50
[ 1760.178826] </TASK>
[ 1760.181022] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc vfat fat dm_multipath intel_rapl_msr intel_rapl_common isst_if_common ipmi_ssif nfit libnvdimm mgag200 i2c_algo_bit ioatdma drm_shmem_helper drm_kms_helper acpi_ipmi syscopyarea x86_pkg_temp_thermal sysfillrect ipmi_si intel_powerclamp sysimgblt ipmi_devintf coretemp acpi_power_meter ipmi_msghandler rapl pcspkr dca intel_pch_thermal intel_cstate ses lpc_ich intel_uncore enclosure hpilo mei_me mei acpi_tad fuse drm xfs sd_mod sg bnx2x nvme nvme_core crct10dif_pclmul crc32_pclmul nvme_common ghash_clmulni_intel smartpqi tg3 t10_pi mdio uas libcrc32c crc32c_intel scsi_transport_sas usb_storage hpwdt wmi dm_mirror dm_region_hash dm_log dm_mod
[ 1760.248623] CR2: ffffffffffffffe8

A cpu hotplug callback was issued before wq->all_list was initialized.
This results in a null pointer dereference.  The fix is to fully setup
the io_wq before calling cpuhp_state_add_instance_nocalls().
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Link: https://lore.kernel.org/r/x49y1ghnecs.fsf@segfault.boston.devel.redhat.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Add information for the Positivo C4128B, a notebook/tablet convertible.

Link: https://github.com/onitake/gsl-firmware/pull/217Signed-off-by: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
Link: https://lore.kernel.org/r/20231004235900.426240-1-japareaggae@gmail.comReviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Pull networking fixes from Jakub Kicinski:
 "Including fixes from Bluetooth, netfilter, BPF and WiFi.

  I didn't collect precise data but feels like we've got a lot of 6.5
  fixes here. WiFi fixes are most user-awaited.

  Current release - regressions:

   - Bluetooth: fix hci_link_tx_to RCU lock usage

  Current release - new code bugs:

   - bpf: mprog: fix maximum program check on mprog attachment

   - eth: ti: icssg-prueth: fix signedness bug in prueth_init_tx_chns()

  Previous releases - regressions:

   - ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling

   - vringh: don't use vringh_kiov_advance() in vringh_iov_xfer(), it
     doesn't handle zero length like we expected

   - wifi:
      - cfg80211: fix cqm_config access race, fix crashes with brcmfmac
      - iwlwifi: mvm: handle PS changes in vif_cfg_changed
      - mac80211: fix mesh id corruption on 32 bit systems
      - mt76: mt76x02: fix MT76x0 external LNA gain handling

   - Bluetooth: fix handling of HCI_QUIRK_STRICT_DUPLICATE_FILTER

   - l2tp: fix handling of transhdrlen in __ip{,6}_append_data()

   - dsa: mv88e6xxx: avoid EEPROM timeout when EEPROM is absent

   - eth: stmmac: fix the incorrect parameter after refactoring

  Previous releases - always broken:

   - net: replace calls to sock->ops->connect() with kernel_connect(),
     prevent address rewrite in kernel_bind(); otherwise BPF hooks may
     modify arguments, unexpectedly to the caller

   - tcp: fix delayed ACKs when reads and writes align with MSS

   - bpf:
      - verifier: unconditionally reset backtrack_state masks on global
        func exit
      - s390: let arch_prepare_bpf_trampoline return program size, fix
        struct_ops offsets
      - sockmap: fix accounting of available bytes in presence of PEEKs
      - sockmap: reject sk_msg egress redirects to non-TCP sockets

   - ipv4/fib: send netlink notify when delete source address routes

   - ethtool: plca: fix width of reads when parsing netlink commands

   - netfilter: nft_payload: rebuild vlan header on h_proto access

   - Bluetooth: hci_codec: fix leaking memory of local_codecs

   - eth: intel: ice: always add legacy 32byte RXDID in supported_rxdids

   - eth: stmmac:
     - dwmac-stm32: fix resume on STM32 MCU
     - remove buggy and unneeded stmmac_poll_controller, depend on NAPI

   - ibmveth: always recompute TCP pseudo-header checksum, fix use of
     the driver with Open vSwitch

   - wifi:
      - rtw88: rtw8723d: fix MAC address offset in EEPROM
      - mt76: fix lock dependency problem for wed_lock
      - mwifiex: sanity check data reported by the device
      - iwlwifi: ensure ack flag is properly cleared
      - iwlwifi: mvm: fix a memory corruption due to bad pointer arithm
      - iwlwifi: mvm: fix incorrect usage of scan API

  Misc:

   - wifi: mac80211: work around Cisco AP 9115 VHT MPDU length"

* tag 'net-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (99 commits)
  MAINTAINERS: update Matthieu's email address
  mptcp: userspace pm allow creating id 0 subflow
  mptcp: fix delegated action races
  net: stmmac: remove unneeded stmmac_poll_controller
  net: lan743x: also select PHYLIB
  net: ethernet: mediatek: disable irq before schedule napi
  net: mana: Fix oversized sge0 for GSO packets
  net: mana: Fix the tso_bytes calculation
  net: mana: Fix TX CQE error handling
  netlink: annotate data-races around sk->sk_err
  sctp: update hb timer immediately after users change hb_interval
  sctp: update transport state when processing a dupcook packet
  tcp: fix delayed ACKs for MSS boundary condition
  tcp: fix quick-ack counting to count actual ACKs of new data
  page_pool: fix documentation typos
  tipc: fix a potential deadlock on &tx->lock
  net: stmmac: dwmac-stm32: fix resume on STM32 MCU
  ipv4: Set offload_failed flag in fibmatch results
  netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
  netfilter: nf_tables: Deduplicate nft_register_obj audit logs
  ...

Merge tag 'integrity-v6.6-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity fixes from Mimi Zohar:
 "Two additional patches to fix the removal of the deprecated
  IMA_TRUSTED_KEYRING Kconfig"

* tag 'integrity-v6.6-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: rework CONFIG_IMA dependency block
  ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig

Pull LED fix from Lee Jones:
 "Just the one bug-fix:

   - Fix regression affecting LED_COLOR_ID_MULTI users"

* tag 'leds-fixes-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds:
  leds: Drop BUG_ON check for LED_COLOR_ID_MULTI

Pull MFD fixes from Lee Jones:
 "A couple of small fixes:

   - Potential build failure in CS42L43

   - Device Tree bindings clean-up for a superseded patch"

* tag 'mfd-fixes-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
  dt-bindings: mfd: Revert "dt-bindings: mfd: maxim,max77693: Add USB connector"
  mfd: cs42l43: Fix MFD_CS42L43 dependency on REGMAP_IRQ

Pull overlayfs fixes from Amir Goldstein:

 - Fix for file reference leak regression

 - Fix for NULL pointer deref regression

 - Fixes for RCU-walk race regressions:

   Two of the fixes were taken from Al's RCU pathwalk race fixes series
   with his consent [1].

   Note that unlike most of Al's series, these two patches are not about
   racing with ->kill_sb() and they are also very recent regressions
   from v6.5, so I think it's worth getting them into v6.5.y.

   There is also a fix for an RCU pathwalk race with ->kill_sb(), which
   may have been solved in vfs generic code as you suggested, but it
   also rids overlayfs from a nasty hack, so I think it's worth anyway.

Link: https://lore.kernel.org/linux-fsdevel/20231003204749.GA800259@ZenIV/ [1]

* tag 'ovl-fixes-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs:
  ovl: fix NULL pointer defer when encoding non-decodable lower fid
  ovl: make use of ->layers safe in rcu pathwalk
  ovl: fetch inode once in ovl_dentry_revalidate_common()
  ovl: move freeing ovl_entry past rcu delay
  ovl: fix file reference leak when submitting aio