[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.84-part2

[opsiff]

finish #677 ,because of github bug.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates the kernel base to 6.6.84-part2. It includes several bug fixes and improvements across various subsystems, including io_uring, Bluetooth, i8042, NVMe-TCP, AMD display driver, iqs7222, USB serial, ksmbd, netfilter, and more. The most significant changes involve refactoring io_uring memory management, removing unnecessary locking in L2CAP, and improving security checks in remap_file_pages.

Sequence diagram for io_uring mmap

sequenceDiagram
  participant User
  participant io_uring_mmap
  participant io_uring_validate_mmap_request
  participant io_uring_mmap_pages
  participant vm_insert_pages

  User->>io_uring_mmap: mmap(offset, size)
  io_uring_mmap->>io_uring_validate_mmap_request: ptr = io_uring_validate_mmap_request(offset, size)
  alt IS_ERR(ptr)
    io_uring_mmap->>User: return PTR_ERR(ptr)
  else
    io_uring_mmap->>io_uring_mmap_pages: io_uring_mmap_pages(ctx, vma, pages, npages)
    io_uring_mmap_pages->>vm_insert_pages: vm_insert_pages(vma, vma->vm_start, pages, nr_pages)
    vm_insert_pages-->>io_uring_mmap_pages: return
    io_uring_mmap_pages-->>io_uring_mmap: return
  end
  io_uring_mmap-->>User: return

Loading

File-Level Changes

Change	Details	Files
Refactors io_uring memory management to use pages instead of folios, improving flexibility and potentially performance.	Replaces folio_put with io_pages_unmap for freeing memory. Introduces io_pin_pages to pin user pages. Uses vmap to map pages into kernel space. Removes io_mem_free and io_mem_alloc and introduces io_pages_map. Updates io_rings_free to unmap pages correctly. Modifies io_uring_validate_mmap_request to return the mapped address directly. Updates io_uring_mmap to use io_uring_mmap_pages for mapping. Updates io_allocate_scq_urings to use io_pages_map. Removes io_kbuf_mmap_list_free.	io_uring/io_uring.c io_uring/kbuf.c io_uring/rsrc.c io_uring/io_uring.h
Removes unnecessary locking in L2CAP channel management, improving performance.	Removes mutex_lock and mutex_unlock calls around __l2cap_get_chan_by_scid and __l2cap_get_chan_by_dcid. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_conn_update_id_addr. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_conn_start. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_conn_ready. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_conn_unreliable. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_conn_del. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_raw_recv. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_ecred_conn_rsp. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_le_command_rej. Removes mutex_lock and mutex_unlock calls around channel list iteration in l2cap_security_cfm. Removes mutex_lock and mutex_unlock calls in l2cap_chan_connect. Adds mutex_lock and mutex_unlock around l2cap_conn_start in l2cap_info_timeout. Adds mutex_lock and mutex_unlock around l2cap_recv_frame in process_pending_rx. Adds mutex_lock and mutex_unlock around l2cap_conn_del.	net/bluetooth/l2cap_core.c net/bluetooth/l2cap_sock.c
Updates the i8042 driver to use SERIO_QUIRK_FORCENORESTORE instead of a combination of other quirks for certain Clevo barebones, simplifying the code and potentially improving reliability.	Replaces `SERIO_QUIRK_NOMUX	SERIO_QUIRK_RESET_ALWAYS
Fixes a security issue in remap_file_pages by adding security checks and preventing changes underneath us.	Adds mmap_read_lock_killable to protect against signals. Looks up VMA under read lock first to perform security checks without holding locks. Saves vm_flags and file and rechecks them later under write lock. Calls security_mmap_file outside mmap_lock. Adds checks to ensure things didn't change under us before proceeding.	mm/mmap.c
Improves NVMe-TCP controller connectivity loss handling by simplifying the reset process.	Removes the switch statement based on nvme_ctrl_state in nvme_fc_ctrl_connectivity_loss. Directly calls nvme_reset_ctrl after setting the ASSOC_FAILED flag. Adds a check for ASSOC_FAILED in nvme_fc_create_association to return an error if the association failed.	drivers/nvme/host/fc.c
Improves HPD interrupt handling in the AMD display driver by explicitly clearing interrupts and managing interrupt references.	Clears all HPD and HPD_RX interrupts during initialization. Gets a base driver IRQ reference for HPD interrupts. Falls back to dc_interrupt_set for HPD sources beyond mode_info.num_hpd. Releases HPD interrupt references during finalization. Adds a TODO comment regarding a mismatch between mode_info.num_hpd and the number of connectors with HPD sources.	drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c
Fixes and improves the iqs7222 touchscreen driver by correcting register access and initialization.	Fixes the register length for filter registers. Removes unnecessary filter setup code. Updates the burst read and write functions to use the correct value length. Updates the report function to use the correct number of status registers.	drivers/input/misc/iqs7222.c
Adds support for new Telit and other USB devices to the option serial driver.	Adds new USB device IDs for Telit FE990B, FN990B, and other devices. Updates the driver info for some Telit devices.	drivers/usb/serial/option.c drivers/usb/serial/ftdi_sio.c drivers/usb/serial/ftdi_sio_ids.h
Improves oplock break notification handling in ksmbd, fixing a potential deadlock and improving performance.	Removes the interim list and sends interim responses directly in oplock_break. Increments and decrements the connection request count to prevent deadlocks. Removes unnecessary list operations.	fs/smb/server/oplock.c fs/smb/server/ksmbd_work.c fs/smb/server/oplock.h
Fixes a race condition in DP MST topology probing and improves handling of connection status notifications.	Adds a check to skip connection status notifications received before topology probing is complete. Moves drm_dp_mst_topology_put_mstb to ensure it's always called. Removes unnecessary code related to handling connection status notifications before probing is complete.	drivers/gpu/drm/display/drm_dp_mst_topology.c
Adds support for new Xbox controllers and fixes device identification in the xpad driver.	Adds new device IDs for ThrustMaster, Mad Catz, PDP, Hori, Turtle Beach, 8BitDo, and other Xbox controllers. Fixes a device identification issue with QH Electronics controllers.	drivers/input/joystick/xpad.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_limit_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_limit_clone to prevent blocking in atomic contexts.	net/netfilter/nft_limit.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_connlimit_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_connlimit_clone to prevent blocking in atomic contexts.	net/netfilter/nft_connlimit.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_counter_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_counter_clone to prevent blocking in atomic contexts.	net/netfilter/nft_counter.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_last_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_last_clone to prevent blocking in atomic contexts.	net/netfilter/nft_last.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_quota_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_quota_clone to prevent blocking in atomic contexts.	net/netfilter/nft_quota.c
Fixes a potential memory leak in netfilter by using GFP_ATOMIC in nft_dynset_clone.	Changes GFP_KERNEL to GFP_ATOMIC in nft_dynset_clone to prevent blocking in atomic contexts.	net/netfilter/nft_dynset.c
Fixes a potential memory leak in the i2c-ali1535 driver by releasing the region on probe failure.	Adds a goto statement to release the region on probe failure.	drivers/i2c/busses/i2c-ali1535.c
Fixes a potential memory leak in the i2c-ali15x3 driver by releasing the region on probe failure.	Adds a goto statement to release the region on probe failure.	drivers/i2c/busses/i2c-ali15x3.c
Fixes a potential memory leak in the i2c-sis630 driver by releasing the region on probe failure.	Adds a goto statement to release the region on probe failure.	drivers/i2c/busses/i2c-sis630.c
Fixes a potential memory leak in the wm0010 driver by releasing the irq on probe failure.	Adds a goto statement to release the irq on probe failure.	sound/soc/codecs/wm0010.c
Fixes a potential memory leak in the qlcnic driver by freeing the vlans on probe failure.	Adds a goto statement to release the vlans on probe failure.	drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
Fixes a potential integer overflow in snd_soc_put_volsw.	Changes ((int)val + min) > mc->platform_max to val > mc->platform_max.	sound/soc/soc-ops.c
Fixes a potential integer overflow in smb3_fs_context_parse_param.	Changes HZ * result.uint_32 > CIFS_MAX_ACTIMEO to result.uint_32 > CIFS_MAX_ACTIMEO / HZ.	fs/smb/client/fs_context.c
Fixes a potential integer overflow in clk-pll.c.	Changes PLL lock time to use PLL142XX_LOCK_FACTOR for pll_142xx.	drivers/clk/samsung/clk-pll.c
Fixes a potential integer overflow in dc_resource.c.	Adds COLOR_DEPTH_141414 and COLOR_DEPTH_161616 to get_norm_pix_clk.	drivers/gpu/drm/amd/display/dc/core/dc_resource.c
Fixes a potential integer overflow in rt722-sdca-sdw.c.	Adds missing registers to rt722_sdca_mbq_readable_register.	sound/soc/codecs/rt722-sdca-sdw.c
Fixes a potential integer overflow in cs42l43.c.	Changes 0xF, 5 to 0xF, 4 in SOC_DOUBLE_R_SX_TLV.	sound/soc/codecs/cs42l43.c
Fixes a potential integer overflow in amdgpu_dm_hdcp.c.	Adds cancel_delayed_work_sync(&hdcp_work[i].property_validate_dwork).	drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c
Fixes a potential integer overflow in stmmac/dwmac-loongson.c.	Changes pcim_iomap_regions(pdev, BIT(0), pci_name(pdev)) to pcim_iomap_regions(pdev, BIT(0), DRIVER_NAME).	drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
Fixes a potential integer overflow in ads7846.c.	Changes ts->gpio_pendown = gpiod_get(&spi->dev, "pendown", GPIOD_IN) to ts->gpio_pendown = devm_gpiod_get(&spi->dev, "pendown", GPIOD_IN).	drivers/input/touchscreen/ads7846.c
Fixes a potential integer overflow in apple_input_configured.	Adds apple_is_omoton_kb066(hdev) to if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found).	drivers/hid/hid-apple.c
Fixes a potential integer overflow in dm_resume.	Adds set the backlight after a reset.	drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
Fixes a potential integer overflow in mid_bios.c.	Adds if (pci_gfx_root == NULL) { WARN_ON(1); return; }.	drivers/gpu/drm/gma500/mid_bios.c
Fixes a potential integer overflow in nouveau_connector.c.	Removes connector->status = connector_status_disconnected.	drivers/gpu/drm/nouveau/nouveau_connector.c
Fixes a potential integer overflow in drm_atomic_connector_commit_dpms.	Adds if (connector->dpms == mode) goto out;.	drivers/gpu/drm/drm_atomic_uapi.c
Fixes a potential integer overflow in dm-flakey.c.	Changes bio_init(clone, fc->dev->bdev, bio->bi_inline_vecs, nr_iovecs, bio->bi_opf) to bio_init(clone, fc->dev->bdev, clone->bi_inline_vecs, nr_iovecs, bio->bi_opf).	drivers/md/dm-flakey.c
Fixes a potential integer overflow in mptcp_do_fallback.	Adds if (WARN_ON_ONCE(!READ_ONCE(msk->allow_infinite_fallback))) return;.	net/mptcp/protocol.h
Fixes a potential integer overflow in __napi_schedule.	Changes __raise_softirq_irqoff(NET_RX_SOFTIRQ) to raise_softirq_irqoff(NET_RX_SOFTIRQ).	net/core/dev.c
Fixes a potential integer overflow in amd.c.	Changes for_each_node(nid) to for_each_node_with_cpus(nid).	arch/x86/kernel/cpu/microcode/amd.c
Fixes a potential integer overflow in irq.c.	Adds #if defined(CONFIG_X86_LOCAL_APIC)
Fixes a potential integer overflow in mmu.c.	Adds WARN_ON_ONCE(end - start > PAGES_PER_SECTION * sizeof(struct page)).	arch/arm64/mm/mmu.c
Fixes a potential integer overflow in init.rs.	Changes pr_info!("a: {}", &*foo.a.lock()); to pr_info!("a: {}\n", &*foo.a.lock());	rust/kernel/init.rs
Fixes a potential integer overflow in macros.rs.	Changes pr_info!("{self:p} is getting dropped."); to pr_info!("{self:p} is getting dropped.\n");	rust/kernel/init/macros.rs
Fixes a potential integer overflow in error.rs.	Changes crate::pr_warn!("attempted to create Error with out of range errno: {}", errno); to crate::pr_warn!("attempted to create Error with out of range errno: {}\n", errno);	rust/kernel/error.rs
Fixes a potential integer overflow in l2cap_sock.c.	Changes chan = l2cap_pi(sk)->chan; l2cap_chan_hold(chan); to chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan); if (!chan) goto shutdown_already;.	net/bluetooth/l2cap_sock.c
Fixes a potential integer overflow in ksmbd_conn_try_dequeue_request.	Changes atomic_inc(&conn->refcnt); if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q)) wake_up(&conn->r_count_q); if (atomic_dec_and_test(&conn->refcnt)) kfree(conn); to ksmbd_conn_r_count_dec(conn);	fs/smb/server/server.c
Fixes a potential integer overflow in buildid.c.	Adds if (vma_is_secretmem(vma)) return -EFAULT;.	lib/buildid.c
Fixes a potential integer overflow in parse_reparse_point.	Adds if (le16_to_cpu(buf->ReparseDataLength) != 0) { cifs_dbg(VFS, "srv returned malformed buffer for reparse point: 0x%08x\n", le32_to_cpu(buf->ReparseTag)); return -EIO; } return 0;.	fs/smb/client/reparse.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @opsiff - I've reviewed your changes - here's some feedback:

Overall Comments:

• The i8042 changes are removing several flags and replacing them with SERIO_QUIRK_FORCENORESTORE - it would be good to understand why this single flag is sufficient.

Here's what I looked at during the review

• 🟡 General issues: 2 issues found
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟡 Complexity: 2 issues found
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

question (bug_risk): Changed initial locking from write to read in remap_file_pages

Please ensure that performing the security check under a read lock and later upgrading to the write lock does not introduce any race conditions or deadlocks.

[sourcery-ai]

question (bug_risk): Added connection read count management functions

The new functions using atomic operations to manage 'r_count' and 'refcnt' are critical for connection lifecycle. Please ensure that the ordering and wake-up of wait queues are thoroughly verified to avoid premature freeing or leaks.

[sourcery-ai]

issue (complexity): Consider unifying the compound and single page allocation paths into a single function with internal fallback to simplify the allocation logic and reduce code duplication in io_pages_map.

Try unifying the two allocation paths into one routine to reduce the fragmentation of the control flow. For example, instead of splitting into separate functions for compound and single allocations, you could create one helper (e.g. io_mem_alloc_pages()) that first attempts a compound allocation and then falls back internally to a single allocation when needed. This not only centralizes the logic but also simplifies tests and maintenance. For example:

static void *io_mem_alloc_pages(struct page ***pages, int nr_pages, size_t size, gfp_t gfp)
{
    void *ret;
    /* Try compound allocation first */
    if (nr_pages > 1) {
        ret = io_mem_alloc_compound(*pages, nr_pages, size, gfp);
        if (!IS_ERR(ret))
            return ret;
    }
    /* For single page or compound failure, try single allocation */
    ret = io_mem_alloc_single(*pages, nr_pages, size, gfp);
    return ret;
}

void *io_pages_map(struct page ***out_pages, unsigned short *npages, size_t size)
{
    gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN;
    struct page **pages;
    int nr_pages;
    void *ret;

    nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    pages = kvmalloc_array(nr_pages, sizeof(struct page *), gfp);
    if (!pages)
        return ERR_PTR(-ENOMEM);

    ret = io_mem_alloc_pages(&pages, nr_pages, size, gfp);
    if (!IS_ERR(ret)) {
        *out_pages = pages;
        *npages = nr_pages;
        return ret;
    }
    kvfree(pages);
    *out_pages = NULL;
    *npages = 0;
    return ret;
}

Actionable Steps:

1. Combine io_mem_alloc_compound and io_mem_alloc_single into a single function that internally falls back if the first attempt fails.
2. Update io_pages_map() to call the new unified routine.
3. Validate that existing behavior (e.g. handling a single page vs discontiguous pages) remains intact.

This consolidation will simplify the control flow and make the allocation logic easier to follow without altering functionality.

[sourcery-ai]

issue (complexity): Consider extracting the asynchronous handling in 'oplock_break' into its own helper function to reduce cyclomatic complexity and improve code maintainability by isolating the new branch logic from the main synchronous flow, creating separate synchronous and asynchronous paths, and delegating the new asynchronous branch to the new helper function, 'oplock_break_async' to simplify the main function and make each code path easier to follow and maintain, while the synchronous path would call 'oplock_break_sync' and decrement the breaking count if needed, and the main function would call either of these functions based on whether 'in_work' is present or not, respectively, to handle the asynchronous or synchronous paths accordingly, thus simplifying the main function and making each code path easier to follow and maintain, and reducing cyclomatic complexity.

You could reduce the cyclomatic complexity by extracting the asynchronous handling into its own helper function. This isolates the new branch logic from the main synchronous flow without reverting functionality. For example, you might do something like:

static int oplock_break_async(struct oplock_info *brk_opinfo, int req_op_level,
                              struct ksmbd_work *in_work) {
    int err = 0;
    /* Asynchronous branch logic currently embedded in oplock_break */
    if (brk_opinfo->is_lease) {
        struct lease *lease = brk_opinfo->o_lease;
        if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE && !lease->is_dir)
            lease->new_state = SMB2_LEASE_READ_CACHING_LE;
        else
            lease->new_state = SMB2_LEASE_NONE_LE;
        if (in_work) {
            setup_async_work(in_work, NULL, NULL);
            smb2_send_interim_resp(in_work, STATUS_PENDING);
            release_async_work(in_work);
        }
        brk_opinfo->op_state = OPLOCK_ACK_WAIT;
    } else {
        err = oplock_break_pending(brk_opinfo, req_op_level);
        if (err)
            return err < 0 ? err : 0;
        if (brk_opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
            brk_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
            brk_opinfo->op_state = OPLOCK_ACK_WAIT;
    }
    return err;
}

static int oplock_break_sync(struct oplock_info *brk_opinfo, int req_op_level) {
    int err = 0;
    if (brk_opinfo->is_lease) {
        struct lease *lease = brk_opinfo->o_lease;
        if (lease->state & SMB2_LEASE_HANDLE_CACHING_LE && !lease->is_dir)
            lease->new_state = SMB2_LEASE_READ_CACHING_LE;
        else
            lease->new_state = SMB2_LEASE_NONE_LE;
        /* For the synchronous path, decrement breaking count if needed */
        atomic_dec(&brk_opinfo->breaking_cnt);
    } else {
        err = oplock_break_pending(brk_opinfo, req_op_level);
        if (err)
            return err < 0 ? err : 0;
        if (brk_opinfo->level == SMB2_OPLOCK_LEVEL_BATCH ||
            brk_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE)
            brk_opinfo->op_state = OPLOCK_ACK_WAIT;
    }
    return err;
}

static int oplock_break(struct oplock_info *brk_opinfo, int req_op_level,
                        struct ksmbd_work *in_work) {
    if (in_work)
        return oplock_break_async(brk_opinfo, req_op_level, in_work);
    else
        return oplock_break_sync(brk_opinfo, req_op_level);
}

By delegating the new asynchronous branch to the oplock_break_async helper, you simplify the main function and make each code path easier to follow and maintain.