[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.140-p1

[opsiff]

Update kernel base to 6.6.140.

git log --oneline v6.6.139..c0095cef73030 |wc
104 942 7544

Merged(3):
rxrpc: Fix re-decryption of RESPONSE packets
rxrpc: Fix rxkad crypto unalignment handling
rxrpc: Fix memory leaks in rxkad_verify_response()

Handle(2):
driver core: Don't let a device probe until it's ready
device property: Make modifications of fwnode "flags" thread safe

Skip(1):
net: txgbe: fix firmware version check

Summary by Sourcery

Update the 6.6-based kernel with upstream fixes across Bluetooth, crypto, storage, networking, KVM, device core, and assorted drivers to improve correctness, robustness, and security.

Bug Fixes:

• Harden Bluetooth mgmt command handling by validating pending commands under proper locking and fixing pending list lifetime management.
• Fix Talitos crypto engine ahash handling, including SEC1 large-request processing, context flags, and completion sequencing to avoid data corruption and hangs.
• Correct padata reordering logic to avoid races and use-after-free when serializing parallel jobs.
• Repair OCFS2 direct I/O end-io handling by batching extent marking transactions and correctly cleaning up orphan inodes only after successful completion.
• Fix Micrel KS8851 Ethernet drivers (SPI/parallel/common) locking and softirq contexts, and ensure RX processing runs with BHs disabled.
• Address multiple KVM x86 and SVM nested virtualization issues, including exception payload delivery semantics, nested state save/restore, invlpga permissions, and VM exit state propagation.
• Harden various filesystem and storage paths (erofs dirent parsing, f2fs nid validation, ext2 zero-link inodes, md/raid10 error paths, rbd device_add error handling) against corruption and leaks.
• Fix assorted driver bugs in USB (caiaq, chipidea, 6fire, endpoint audio), MMC (clock/DLL setup, CQE retries, discard corner cases), I2C/SPI/MDIO/of platform integration, TPM TIS transfers, Qualcomm LPG PWM, remoteproc, rtc-ntxec, Mediatek JPEG, and others to handle error cases and edge conditions correctly.
• Improve userland tools and interfaces (taskstats getdelays/procacct, seq_oss patch loading, ELF core dumping, regset copying, ibmasmfs command handling) to avoid truncation, overflows, and incorrect return values.
• Fix networking subsystems and protocols (QRTR namespace teardown, RDS RDMA mapping error path, RXE header length checks, ICMP nf_conntrack attach, SMC CLC decline handling, strparser abort path) to prevent leaks, invalid memory access, and incorrect connection state.

Enhancements:

• Introduce per-device and per-fwnode flag helpers and a DEV_FLAG_READY_TO_PROBE bit to coordinate safe driver probing in the driver core and fw_devlink.
• Rework fwnode flag storage to use bit operations and make updates thread-safe for concurrent device/property handling.
• Switch kernel stack randomization from per-CPU to per-task offset tracking, initializing it at fork for more robust kstack offsetting.
• Increase taskstats netlink message buffer sizes and add recvmsg-based helpers to detect and log truncated messages.
• Improve TPM TIS error reporting and retry diagnostics around DATA_EXPECT handling to aid debugging flaky TPM hardware.

[sourcery-ai]

Reviewer's Guide

Updates Deepin 6.6.y kernel base to v6.6.140 and pulls in upstream fixes across Bluetooth mgmt, crypto, padata, filesystems, networking drivers, KVM, device core/fwnode flags, random kernel stack offset handling, and assorted subsystem bugfixes and hardening changes.

Sequence diagram for updated device_add and driver probe readiness

sequenceDiagram
    participant UserSpace as UserSpace
    participant Bus as bus_add_device
    participant Core as device_add
    participant Dev as struct_device
    participant Driver as __driver_probe_device

    UserSpace->>Core: device_add(Dev)
    Core->>Bus: bus_add_device(Dev)
    Bus-->>Core: device linked into klist_devices

    Note over UserSpace,Driver: A driver may try to bind via another path
    UserSpace->>Driver: __driver_probe_device(Dev)
    Driver->>Dev: dev_ready_to_probe()
    alt not ready
        Driver-->>UserSpace: -EPROBE_DEFER ("Device not ready to probe")
    end

    Core->>Dev: dev_set_ready_to_probe()
    Core->>Bus: bus_probe_device(Dev)
    Bus->>Driver: __driver_probe_device(Dev)
    Driver->>Dev: dev_ready_to_probe()
    alt ready
        Driver->>Dev: dev->can_match = true
        Driver-->>Bus: probe succeeds / fails normally
    end

Loading

File-Level Changes

Change	Details	Files
Harden Bluetooth mgmt pending-command handling and fix race/leak scenarios	Replace direct pending_find() checks with mgmt_pending_valid()/mgmt_pending_listed() helpers, protecting lists with mgmt_pending_lock Ensure parameters for sync callbacks are copied under lock and commands are cancelled with -ECANCELED when no longer pending Use mgmt_pending_free() consistently instead of mgmt_pending_remove() and simplify status/setting broadcasts to single-cmd helpers	net/bluetooth/mgmt.c net/bluetooth/mgmt_util.c net/bluetooth/mgmt_util.h
Fix talitos ahash on SEC1 by chunking per-request data and tracking per-descriptor state	Extend talitos_ahash_req_ctx with per-request tracking (request scatterlists, remaining/current bytes, work_struct) and rename ambiguous first/last fields to first_desc/last_desc Split ahash_process_req() into ahash_process_req_one() and a worker that iterates over TALITOS1_MAX_DATA_LEN chunks, scheduling work to handle remaining data Handle async completion correctly in ahash_done(), only completing when all bytes for a request have been processed	drivers/crypto/talitos.c
Simplify and harden padata reordering logic	Replace global pd->lock-based dequeue loop with per-CPU search via padata_find_next() that directly moves matching sequence items to serial queues Make padata_do_serial() either immediately call padata_reorder() for the in-order element or just insert into the per-CPU list while preserving ordering Drop reorder_work and its synchronization from parallel_data, reducing locking complexity	kernel/padata.c include/linux/padata.h
Improve OCFS2 direct-IO end-io handling, batching journal transactions and safe orphan cleanup	Batch ocfs2_mark_extent_written() calls in ocfs2_dio_end_io_write() into limited-size transactions, committing and restarting as needed Delay orphan inode removal until after writes, size updates, and unlocking, and adjust parameters passed to ocfs2_del_inode_from_orphan() Ensure transaction handles are always committed when allocated and avoid partial-credit extension errors in the zeroing loop	fs/ocfs2/aops.c
Clean up Micrel KS8851 SPI/PAR and common driver locking and RX handling	Change ks8851_lock()/unlock() signatures to hide flags and update SPI/PAR backends to use spin_lock_bh()/spin_unlock_bh() instead of irqsave/restore Serialize IRQ and workqueue paths and ensure netif_rx is called with BHs disabled for RX queue processing Update PHY and EEPROM paths to match new locking helpers	drivers/net/ethernet/micrel/ks8851_common.c drivers/net/ethernet/micrel/ks8851_par.c drivers/net/ethernet/micrel/ks8851_spi.c drivers/net/ethernet/micrel/ks8851.h
Refine KVM x86 exception payload handling and nested SVM state migration	Defer payload delivery via kvm_handle_exception_payload_quirk() and ensure it runs from get_vcpu_events, get_debugregs and get_sregs when CAP_EXCEPTION_PAYLOAD is disabled Properly choose which queued exception (normal vs vmexit) to save and avoid premature payload delivery that could clobber guest state Fix nested SVM: sync int_state into nested ctl, clear event_inj on nested vmrun/vmexit, use vcpu->arch.cr2 for CR2, mark vmcb02 fully dirty on restore, and update APICv if needed	arch/x86/kvm/x86.c arch/x86/kvm/svm/nested.c arch/x86/kvm/svm/svm.c
Introduce device and fwnode flags bitfields and make fw_devlink/fwnode operations thread-safe	Add dev->flags bitmap with DEV_FLAG_READY_TO_PROBE and accessor helpers; set ready_to_probe in device_add() only after full init and gate driver probe on it Convert fwnode_handle->flags from u8 bitfield to unsigned long bitmap with helpers for set/clear/test/assign and update all users to use them Ensure fw_devlink uses the new flag helpers for LINKS_ADDED, INITIALIZED, NOT_DEVICE, VISITED, BEST_EFFORT and NEEDS_CHILD_BOUND_ON_ADD, and clear NOT_DEVICE when dynamically creating devices from firmware	include/linux/device.h include/linux/fwnode.h drivers/base/core.c drivers/base/dd.c drivers/md/raid10.c drivers/net/phy/mdio_bus.c drivers/bus/imx-weim.c drivers/i2c/i2c-core-of.c drivers/of/base.c drivers/of/dynamic.c drivers/of/platform.c
Switch kstack randomization to per-task storage and wire it into fork	Replace per-CPU kstack_offset variable with task_struct->kstack_offset and new random_kstack_task_init() helper Update add_random_kstack_offset()/choose_random_kstack_offset() to use current->kstack_offset and allow use with preemption enabled Call random_kstack_task_init() from copy_process() and remove per-CPU kstack_offset definition from init	include/linux/randomize_kstack.h include/linux/sched.h kernel/fork.c init/main.c
Misc subsystem bugfixes, robustness and hardening across drivers and tools	Increase taskstats netlink MAX_MSG_SIZE and add recvmsg wrapper that detects MSG_TRUNC in getdelays/procacct tools, logging EMSGSIZE and dumping version info Tighten various bounds checks and error paths: EROFS and ext2 dirent validation, F2FS nid corruption detection, KMP pattern allocation overflow, RBD disk add error unwind, RDS RDMA map, RXE header-size validation, etc. Fix small logic and lifetime issues in multiple drivers (USB caiaq control/device, TPM TIS error logging, pcrypt EINPROGRESS handling, AXI PMIC retries, SPI IMX remove refcounting, AXP288 charger devm_work_autocancel, ibmasm queue bounds, LED LPG clock index check, media drivers work-cancel and job_ready, ks8851 IRQ RX softirq context, random kernel and networking fixes)	tools/accounting/getdelays.c tools/accounting/procacct.c fs/erofs/dir.c fs/ext2/inode.c fs/f2fs/node.c lib/ts_kmp.c drivers/block/rbd.c net/rds/rdma.c drivers/infiniband/sw/rxe/rxe_recv.c sound/usb/caiaq/control.c sound/usb/caiaq/device.c crypto/pcrypt.c drivers/char/tpm/tpm_tis_core.c drivers/power/supply/axp288_charger.c drivers/spi/spi-imx.c drivers/misc/ibmasm/* drivers/leds/rgb/leds-qcom-lpg.c drivers/media/* net/strparser/strparser.c io_uring/* mm/damon/core.c sound/* nvme/* kernel/regset.c fs/binfmt_elf.c fs/userfaultfd.c net/ipv4/icmp.c drivers/block/zram/zram_drv.c drivers/usb/chipidea/* drivers/gpu/drm/* drivers/mmc/* drivers/iio/adc/* drivers/rtc/rtc-ntxec.c drivers/tpm/tpm_tis_core.c drivers/bus/imx-weim.c drivers/ceph/auth.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

Updates the Deepin kernel base to upstream Linux 6.6.140 (stable backports), pulling in a broad set of correctness, robustness, and security fixes across core kernel subsystems, drivers, networking, filesystems, virtualization, and tooling.

Changes:

• Bumps multiple userland tools/selftests and improves robustness of taskstats netlink handling.
• Lands core-kernel fixes and hardening in areas like device core probing readiness, fwnode flag thread-safety, padata ordering, and stack randomization plumbing.
• Incorporates many targeted subsystem/driver fixes (Bluetooth mgmt pending handling, USB audio, MMC, NVMe quirks, filesystems, KVM nested virtualization, etc.).

Reviewed changes

Copilot reviewed 105 out of 106 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tools/testing/selftests/mqueue/settings	Extends mqueue selftest timeout.
tools/accounting/procacct.c	Increases taskstats buffer and adds truncation detection via recvmsg().
tools/accounting/getdelays.c	Same taskstats recvmsg() truncation handling as procacct.
sound/usb/mixer.c	Adjusts volume range warning threshold and commentary.
sound/usb/mixer_quirks.c	Error-handling fixups and SPDIF switch logic correction.
sound/usb/format.c	Tightens UAC2 sample-rate parsing behavior on overflow.
sound/usb/endpoint.c	Moves packsize clamping to after maxframesize is computed.
sound/usb/caiaq/device.c	Propagates setup errors from device init path.
sound/usb/caiaq/control.c	Avoids redundant writes and rolls back state on USB command failure.
sound/usb/6fire/control.c	Fixes input volume update logic by comparing adjusted values.
sound/pci/ctxfi/ctatc.c	Improves SPDIF resource selection fallback for PLL rate.
sound/drivers/pcmtest.c	Fixes init error unwinding and resource cleanup ordering.
sound/core/seq/oss/seq_oss_rw.c	Returns correct byte count on successful patch load.
sound/core/misc.c	Hardens fasync work/free behavior and locking.
sound/core/control.c	Prevents enum name parsing from reading past buffer end.
sound/aoa/soundbus/i2sbus/core.c	Fixes device node refcounting (of_node_get/put).
net/strparser/strparser.c	Clears queued skb state on abort to avoid leaks/dangling pointers.
net/smc/smc_clc.c	Avoids NULL deref when declining first contact without lgr.
net/rds/rdma.c	Simplifies error path around cookie put_user handling.
net/qrtr/ns.c	Fixes callback restore on init failure/remove and synchronizes teardown.
net/ipv4/icmp.c	Adds nospec hardening around ICMP type table indexing.
net/ceph/auth.c	Fixes auth protocol init condition after protocol reset.
net/caif/cfsrvl.c	Improves teardown safety by unlinking layers before release.
net/bluetooth/mgmt.c	Refactors pending command validation/removal under lock; fixes lifetime handling.
net/bluetooth/mgmt_util.h	Adds helpers to validate/list pending mgmt commands safely.
net/bluetooth/mgmt_util.c	Implements mgmt_pending_listed()/valid() helpers with locking semantics.
mm/damon/core.c	Uses time_in_range_open() to handle quota window wrap/edge cases.
lib/ts_kmp.c	Adds overflow/zero-length validation to KMP init sizing.
kernel/regset.c	Switches to kvzalloc/kvfree for large regset buffers.
kernel/padata.c	Reworks reorder logic to address races/UAF in serialization ordering.
kernel/fork.c	Initializes per-task kstack offset on fork.
io_uring/timeout.c	Rejects unexpected SQE padding/addr3 fields for timeouts.
io_uring/poll.c	Fixes poll_refs comparisons and propagates EPOLLONESHOT to apoll events.
init/main.c	Removes per-CPU kstack_offset storage (now per-task).
include/linux/usb.h	Clarifies hcpriv lifetime requirements while bandwidth is allocated.
include/linux/tpm_eventlog.h	Converts TPM_MEMREMAP/UNMAP fallback macros to inline stubs.
include/linux/sched.h	Adds per-task kstack_offset storage.
include/linux/randomize_kstack.h	Switches stack randomization tracking to per-task and adds init helper.
include/linux/padata.h	Updates parallel_data by removing reorder work/lock fields.
include/linux/fwnode.h	Converts fwnode flags to atomic bit operations and adds helpers.
include/linux/f2fs_fs.h	Adds STOP_CP_REASON_CORRUPTED_NID stop reason.
include/linux/device.h	Introduces device flags bitmap and ready_to_probe accessors.
fs/userfaultfd.c	Removes mmap_min_addr check for unaligned range validation.
fs/ocfs2/aops.c	Batches DIO extent marking and defers orphan cleanup until success.
fs/f2fs/node.c	Adds invalid nid helper and stops checkpoint on corrupted free nid list.
fs/ext2/inode.c	Detects inconsistent zero-link inodes and reports EFSCORRUPTED.
fs/erofs/dir.c	Hardens dirent parsing and validates name offsets/lengths.
fs/binfmt_elf.c	Uses kvfree for note data allocations.
drivers/usb/host/xhci.c	Adjusts endpoint disable behavior (hcpriv preservation).
drivers/usb/chipidea/otg.c	Restricts vbus handling to gadget role and refines ID switch logic.
drivers/usb/chipidea/core.c	Coalesces OTG ID/BSV IRQ handling and queues work once.
drivers/spi/spi.c	Uses fwnode flag helper when clearing NOT_DEVICE.
drivers/spi/spi-imx.c	Balances controller refcount across remove path.
drivers/rtc/rtc-ntxec.c	Uses device_set_of_node_from_dev() instead of manual of_node assignment.
drivers/remoteproc/xlnx_r5_remoteproc.c	Avoids NULL deref when mailbox RX msg is absent.
drivers/power/supply/axp288_charger.c	Uses devm_work_autocancel helpers for work cleanup.
drivers/pci/endpoint/functions/pci-epf-ntb.c	Simplifies EPC interface teardown and adjusts bind error paths.
drivers/of/unittest.c	Fixes of_node refcounting in unittest PCI overlay path.
drivers/of/platform.c	Uses fwnode flag helper when clearing NOT_DEVICE.
drivers/of/dynamic.c	Uses fwnode_set_flag() for NOT_DEVICE on attach.
drivers/of/base.c	Uses fwnode_set_flag() for BEST_EFFORT on stdout node.
drivers/nvme/host/pci.c	Adds quirk entry for a new Kingston device ID.
drivers/nvme/host/core.c	Disables write-zeroes limits when quirked.
drivers/net/wireless/realtek/rtw88/pci.c	Adds NULL check for bridge before vendor access.
drivers/net/phy/mdio_bus.c	Uses fwnode_set_flag() for NEEDS_CHILD_BOUND_ON_ADD.
drivers/net/ethernet/micrel/ks8851.h	Changes lock/unlock callback signatures to drop irqsave flags.
drivers/net/ethernet/micrel/ks8851_spi.c	Updates locking helpers and call sites for new signature.
drivers/net/ethernet/micrel/ks8851_par.c	Switches to BH-safe locking (spin_lock_bh) and updates call sites.
drivers/net/ethernet/micrel/ks8851_common.c	Updates locking wrapper API and ensures RX runs with BHs disabled.
drivers/mmc/host/sdhci-of-dwcmshc.c	Disables clock while configuring DLL; re-enables via sdhci_enable_clk().
drivers/mmc/core/queue.h	Adds per-request flags and single-block retry indicator.
drivers/mmc/core/block.c	Forces single-block recovery mode on write retries.
drivers/misc/ibmasm/remote.c	Validates queue indices to avoid out-of-bounds access.
drivers/misc/ibmasm/lowlevel.c	Adds size validation and uses size_t for command sizing.
drivers/misc/ibmasm/ibmasmfs.c	Validates command header length and command size vs write count.
drivers/mfd/stpmic1.c	Adds retry on power-off regmap update and logs failures.
drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c	Cancels pending work on release to avoid UAF.
drivers/media/platform/amphion/vpu_v4l2.c	Changes mem2mem ops callback from job_abort to job_ready.
drivers/media/i2c/imx219.c	Properly handles optional reset GPIO acquisition errors.
drivers/md/raid10.c	Fixes error path to free r10bio when request wait fails.
drivers/leds/rgb/leds-qcom-lpg.c	Validates clock index to avoid out-of-bounds.
drivers/infiniband/sw/rxe/rxe_recv.c	Tightens header-length validation including pad and ICRC.
drivers/iio/adc/ti-ads7950.c	Uses unaligned timestamp buffer push helper.
drivers/iio/adc/ad7768-1.c	Sends SYNC pulse in one-shot mode before waiting for completion.
drivers/i2c/i2c-core-of.c	Uses fwnode flag helper when clearing NOT_DEVICE.
drivers/gpu/drm/tiny/arcpgu.c	Uses __free(device_node) for node lifetime management.
drivers/gpu/drm/nouveau/nouveau_gem.c	Fixes relocation bounds check by widening to u64.
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c	Adds entry limit and uses vmemdup_array_user() fast path.
drivers/firmware/google/framebuffer-coreboot.c	Adjusts framebuffer resource flags.
drivers/crypto/talitos.c	Refactors ahash handling for SEC1 large requests and completion sequencing.
drivers/char/tpm/tpm_tis_core.c	Improves diagnostics and error handling for DATA_EXPECT and retry exhaustion.
drivers/bus/imx-weim.c	Uses fwnode flag helper when clearing NOT_DEVICE.
drivers/block/zram/zram_drv.c	Ensures discard path always ends bio.
drivers/block/rbd.c	Fixes error path by deleting device on disk add failure.
drivers/base/dd.c	Defers probing until device_add marks device ready_to_probe.
drivers/base/core.c	Makes fwnode flags thread-safe and marks devices ready_to_probe in device_add().
crypto/pcrypt.c	Handles -EINPROGRESS in completion and treats -EBUSY as async.
certs/extract-cert.c	Guards key_pass usage behind USE_PKCS11_ENGINE.
arch/x86/kvm/x86.c	Fixes exception payload delivery semantics across save/restore paths.
arch/x86/kvm/svm/svm.c	Adds nested permission check for invlpga and updates NextRIP cache.
arch/x86/kvm/svm/nested.c	Fixes dirty tracking/exit state sync and nested state restore edge cases.
arch/um/drivers/cow_user.c	Avoids glibc C23 strrchr macro clash by calling kernel_strrchr().
arch/parisc/kernel/syscalls/syscall.tbl	Corrects _llseek syscall table entry ABI qualifier.
arch/loongarch/kernel/syscall.c	Adds nospec hardening for sys_call_table indexing.
arch/loongarch/kernel/cpu-probe.c	Adds cpu_show_spectre_v1 sysfs output implementation.
arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi	Updates eMMC pinctrl pulls for MMC0_DAT[1-7].

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.