[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Update kernel base to 6.6.134-p1

[opsiff]

Update kernel base to 6.6.134.

git log --oneline v6.6.133..v6.6.134~61 |wc
100 930 7476

Summary by Sourcery

Update various kernel subsystems and drivers to align with upstream Linux 6.6.134 base, incorporating bug fixes, safety checks, and small feature additions across networking, wireless, input, crypto, debugging, and platform-specific code.

Bug Fixes:

• Fix ath11k RX TID buffer allocation and cleanup to use non-coherent DMA-safe handling and correct unaligned address tracking.
• Improve ath11k monitor status ring handling to safely skip or reclaim buffers when DMA done status is missing, avoiding lockups.
• Bound nf_flow_rule action growth, propagate allocation failures, and return errors from flow offload helpers to prevent rule construction overruns.
• Rework conntrack expectation helper association to store helper and zone directly on expectations and use proper RCU/net namespace handling, avoiding crashes and races.
• Fix lec ATM LAN emulation to safely reference the LEC daemon VCC using RCU and avoid use-after-free on close and message handling paths.
• Make mlx5 firmware version query tolerant to unsupported or failing MCAM registers and report partial results via logging instead of hard errors.
• Avoid dereferencing NULL QAIC users in deactivate handling and correctly process device-originated deactivate messages even after userspace disappeared.
• Handle unaligned SPI reads and proper scan buffer layout in ti-adc161s626 and vcnl4035 IIO drivers, preventing alignment faults and data corruption.
• Add error checking and clock rollback to ep93xx I2S enable/resume paths, preventing clock leaks on failure.
• Ensure Bluetooth LE connection parameter request handling and SMP pairing respect device state, locking and MITM requirements, avoiding races and weak auth.
• Fix HSR VLAN add VID unwind logic to correctly remove VLANs from both slave ports on failure.
• Convert qrtr tx flow tracking from radix tree to xarray and ensure cleanup/poll paths no longer use RCU after release, fixing races during unregister.
• Prevent SCO socket double-bind and stale connection use, and harden SCO connect paths against concurrent state changes.
• Tighten xtables family checks to reject non-ARP matches/targets on ARP tables, avoiding misconfiguration.
• Correct OCC hwmon power average and extended sensor formatting, and handle zero-sample cases robustly.
• Fix various netfilter conntrack expectation, broadcast, and SIP/H.323 helper interactions to avoid helper mismatches, leaks, or invalid helper lookups.
• Guard ARP/ND bridge proxy reply path against non-linear skbs and ensure ND replies are constructed from a valid parsed NS header.
• Handle Bluetooth HCI command sync destroy callbacks correctly when called from within the cmd_sync workqueue itself.
• Fix ath11k HAL copyright and add SRNG source next-peek helper used to safely inspect next descriptors without advancing pointers.
• Handle ath11k dp_rx TID DMA buffers with unaligned non-coherent allocations and syncs, and ensure AMPDU stop uses correct TID state.
• Prevent netem from corrupting memory when injecting bit errors on zero-length skbs.
• Avoid object tool infinite recursion on jump tables by relaxing unconditional jump constraint in backtracking.
• Fix IPv6 control message option length accounting when overwriting dst options and routing headers, avoiding length drift.
• Correct IPv6 flowlabel lifetime handling by not freeing exclusive options based solely on flags during release.
• Reset IPv6 ICMP and IPv4 ICMPv6 error skb control blocks when reusing skbs for translated errors to avoid cross-family contamination.
• Ensure IPv6 ND user option netlink messages are correctly initialised with zeroed padding.
• Fix ip6_tunnel ICMP error path to validate inner IPv4 header before using it.
• Fix RDS IB MR allocation to reject missing connection state.
• Prevent MIPS r4k TLB uniquify from sleeping in atomic context by using GFP_ATOMIC after boot.
• Fix AST DP501 analog init to write back to the correct SCU register.
• Prevent DRM compat ioctl array index speculation by using array_index_nospec.
• Respect enhanced framing capability in g4x DP based on pipe config rather than raw DPCD flag.
• Correct ADXL355 temperature channel sign, BNO055 channel count, and MPU3050 IRQ free path to use trigger as cookie.
• Fix IIO buffer and set_fifo_odr handling across multiple drivers to respect sensor indices and scan layouts.
• Fix CAAM hash setkey paths to correctly allocate aligned key buffers when hashing long keys without overrunning kmemdup size.
• Fix FEC PTP PPS enable to allow any channel matching configuration instead of a single hardcoded index.
• Ensure mlx5 lag debugfs creation checks for existent lag device before creating per-device entries.
• Fix PN532 UART receive path to avoid skb overrun by trimming when no tailroom is left before pushing a byte.
• Fix X25 reassembly logic to guard against fraglen overflow and reset fraglen when purging queues, avoiding memory corruption and stale state.
• Fix HFSC runtime service curve arithmetic to use 64-bit division for potentially large values.
• Fix Tegra I2C runtime PM IRQ-safe use when pinctrl is present to avoid sleeping in atomic context.
• Fix AF_ALG tsgl chaining to unmark previous end-of-list before chaining a new segment list.
• Fix pmbus device ID validation for TPS53676 and ensure PXE1610 probing errors when page selection fails.
• Fix TDA IO SPDIF-in index mapping on X-Fi to correctly expose second SPDIF input.
• Fix various USB serial and HID quirks, including new device IDs and LPM disable for specific webcams.
• Fix NBD, ipset, cgroup, rateest path string handling to validate length and avoid non-terminated copies.

Enhancements:

• Increase nf_flow_rule maximum action entries and convert many flow offload helpers to return error codes, improving robustness of hardware offload rule construction for NAT and tunnels.
• Refine netfilter nf_tables verdict handling to reject direct NF_QUEUE immediates in expression initialisation, aligning with nft_queue usage.
• Strengthen xt_cgroup match support with path length validation and better error reporting for invalid cgroup paths.
• Extend ipset APIs and list:set type to pass nlattr directly for set lookup, clarifying ownership and avoiding unsafe string ops.
• Store net namespace and optional zone directly in nf_conntrack_expect and reuse helpers via RCU pointers, simplifying expectation lookups and zone comparisons.
• Improve conntrack netlink expectation handling to look up helpers via master connection help, store helper on expectation, and expose helper name consistently in dumps and filters.
• Switch qrtr tx flow tracking from radix tree to xarray and simplify iteration and wakeup logic during endpoint unregister and node teardown.
• Allow shared classifier blocks to require explicit mark/baseclass when attaching fw and flow classifiers, preventing ambiguous filter attachments in tc.
• Improve Bluetooth mgmt mesh send validation of payload length and adv_data_len, and enforce LTK key size constraints.
• Modernize lecd pointer usage in LEC ATM driver to use RCU, synchronize on close, and gate all use sites with rcu_access_pointer.
• Make mlx5 firmware version query non-fatal and log errors while still providing whatever version info is available for devlink info reporting.
• Enhance qaic control path to gracefully handle interrupted waits and missed deactivate notifications from the device by locally cleaning up DBC state.
• Add new device IDs and quirks for xpad, option, io_edgeport, and USB core to support additional game controllers, LTE modems, and serial adapters.
• Update multiple device-tree bindings and driver Kconfig to correct properties such as #interrupt-cells and unevaluatedProperties usage.
• Adjust MIPS multi-precision multiply helper enablement for wider GCC versions to avoid suboptimal __multi3 calls on mips64r6.
• Harden sk_psock verdict data_ready against NULL socket races by using RCU to fetch sk_socket and ops, improving BPF sockmap safety.
• Improve hci_cmd_sync_run destroy handling when called reentrantly from cmd_sync workqueue.
• Refine SMP pairing logic to use explicit MITM flag tracking, forcing MITM when high security is requested and Just Works would otherwise be used.

[sourcery-ai]

Reviewer's Guide

Rebase of Deepin 6.6-y kernel to 6.6.134 plus a set of targeted fixes across networking, wireless (ath11k/iwlwifi), netfilter/conntrack, audio, IIO, USB, and various subsystems, focusing on correct DMA/memory handling, race-condition fixes, safer helper/expect handling, bounds checking, and improved error propagation.

Class diagram for updated ath11k dp_rx_tid RX descriptor management

classDiagram
    class dp_rx_tid {
        +u8 tid
        +dma_addr_t paddr
        +u32 size
        +u32 ba_win_sz
        +u32 ssn
        +bool active
        +bool hw_qdesc_vaddr
        +struct list_head frag_list
        +struct timer_list frag_timer
        +struct ath11k_base *ab
        +u32 *vaddr_unaligned
        +dma_addr_t paddr_unaligned
        +u32 unaligned_size
    }

    class ath11k_base {
        +struct device *dev
        +spinlock_t base_lock
    }

    class ath11k_dp {
        +struct ath11k_base *ab
        +struct list_head reo_cmd_list
        +struct list_head reo_cmd_cache_flush_list
        +u32 reo_cmd_cache_flush_count
    }

    class ath11k {
        +struct ath11k_base *ab
    }

    class ath11k_peer {
        +struct dp_rx_tid rx_tid[ ]
    }

    ath11k_base <.. dp_rx_tid : owns_pointer
    ath11k_dp o-- ath11k_base
    ath11k o-- ath11k_base
    ath11k_peer o-- dp_rx_tid

    class dp_rx_tid_functions {
        +int ath11k_peer_rx_tid_setup(ath11k *ar, u8 *peer_mac, int vdev_id, int tid, u16 ssn, u16 ba_win_sz, int pn_type)
        +void ath11k_dp_rx_tid_mem_free(ath11k_base *ab, const u8 *peer_mac, int vdev_id, int tid)
        +void ath11k_peer_rx_tid_delete(ath11k *ar, u8 *peer_mac, int vdev_id, int tid)
        +void ath11k_dp_reo_cmd_list_cleanup(ath11k_base *ab)
        +void ath11k_dp_reo_cmd_free(ath11k_dp *dp, void *ctx, enum hal_reo_cmd_status status)
        +void ath11k_dp_reo_cache_flush(ath11k_base *ab, struct dp_rx_tid *rx_tid)
        +int ath11k_dp_rx_ampdu_stop(ath11k *ar, struct ieee80211_sta *sta, struct ieee80211_ampdu_params *params)
    }

    dp_rx_tid_functions ..> dp_rx_tid : alloc_noncoherent
    dp_rx_tid_functions ..> ath11k_base : dma_alloc_noncoherent,dma_free_noncoherent
    dp_rx_tid_functions ..> ath11k_dp : reo_cmd_list
    dp_rx_tid_functions ..> ath11k_peer : access_rx_tid

Loading

Class diagram for updated nf_conntrack_expect and helper interactions

classDiagram
    class nf_conntrack_expect {
        +struct hlist_node hnode
        +possible_net_t net
        +struct nf_conntrack_tuple tuple
        +struct nf_conntrack_tuple_mask mask
        +struct nf_conntrack_zone zone
        +refcount_t use
        +struct timer_list timeout
        +struct nf_conntrack_expect_policy *expect_policy
        +struct nf_conntrack_helper __rcu *helper
        +struct nf_conn *master
        +unsigned int class
        +u32 flags
        +u8 expectfn_name[ ]
    }

    class nf_conn {
        +struct nf_conntrack_zone zone
        +possible_net_t ct_net
    }

    class nf_conn_help {
        +struct nf_conntrack_helper __rcu *helper
    }

    class nf_conntrack_helper {
        +char name[ ]
        +u8 expect_class_max
    }

    nf_conn o-- nf_conn_help : nfct_help
    nf_conntrack_expect o-- nf_conn : master
    nf_conntrack_expect ..> nf_conntrack_helper : RCU_pointer_helper

    class nf_conntrack_expect_functions {
        +bool nf_ct_exp_equal(tuple, i, zone)
        +void nf_ct_expect_init(nf_conntrack_expect *exp, unsigned int class, u8 family, union nf_inet_addr *saddr, union nf_inet_addr *daddr, u8 proto, __be16 *src, __be16 *dst)
        +nf_conntrack_expect *nf_ct_expect_alloc(nf_conn *me)
        +bool nf_ct_exp_zone_equal_any(nf_conntrack_expect *a, nf_conntrack_zone *b)
        +struct net *nf_ct_exp_net(nf_conntrack_expect *exp)
    }

    class ctnetlink_expect_path {
        +nf_conntrack_expect *ctnetlink_alloc_expect(nlattr *cda[], nf_conn *ct, nf_conntrack_tuple *tuple, nf_conntrack_tuple *mask)
        +int ctnetlink_create_expect(struct net *net, nlmsghdr *nlh, nlattr *cda[])
        +int ctnetlink_exp_dump_expect(struct sk_buff *skb, nf_conntrack_expect *exp)
        +bool expect_iter_name(nf_conntrack_expect *exp, void *data)
    }

    ctnetlink_expect_path ..> nf_conntrack_expect : allocates_and_sets
    nf_conntrack_expect_functions ..> nf_conntrack_expect : initializes

    class helper_unregister_path {
        +bool expect_iter_me(nf_conntrack_expect *exp, void *data)
        +void nf_conntrack_helper_unregister(nf_conntrack_helper *me)
    }

    helper_unregister_path ..> nf_conntrack_expect : iterate_destroy_by_helper
    helper_unregister_path ..> nf_conntrack_helper : unregisters

    class broadcast_expect_path {
        +int nf_conntrack_broadcast_help(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, unsigned int timeout)
    }

    broadcast_expect_path ..> nf_conntrack_expect : nf_ct_expect_init
    broadcast_expect_path ..> nf_conntrack_helper : rcu_assign_pointer(exp.helper, helper)
    broadcast_expect_path ..> nf_conn : read_pnet(ct.ct_net), zone

    class h323_sip_expect_paths {
        +int expect_h245(struct sk_buff *skb, struct nf_conn *ct,...)
        +int expect_q931(struct sk_buff *skb, struct nf_conn *ct,...)
        +int process_gcf(struct sk_buff *skb, struct nf_conn *ct,...)
        +int process_acf(struct sk_buff *skb, struct nf_conn *ct,...)
        +int process_lcf(struct sk_buff *skb, struct nf_conn *ct,...)
        +int process_register_request(struct sk_buff *skb, struct nf_conn *ct,...)
    }

    h323_sip_expect_paths ..> nf_conntrack_expect : use_nf_ct_expect_init
    h323_sip_expect_paths ..> nf_conntrack_helper : rcu_assign_pointer(exp.helper, helper)

Loading

File-Level Changes

Change	Details	Files
Fix ath11k DP RX TID buffer allocation and cleanup and add monitor status-ring DMA handling helper	Replace kmalloc+dma_map_single with dma_alloc_noncoherent for RX TID hw descriptors, track unaligned buffer and DMA address, and sync descriptor contents explicitly for device Update all RX TID free paths and REO command cleanup to use dma_free_noncoherent on vaddr_unaligned/paddr_unaligned and reset new unaligned fields Adjust AMPDU stop and reorder-queue setup code to use the stored DMA-mapped paddr and the new dp_rx_tid layout Introduce ath11k_dp_rx_mon_buf_done and ath11k_hal_srng_src_next_peek to better handle monitor status ring DMA-done races by peeking ahead and safely skipping or freeing buffers	drivers/net/wireless/ath/ath11k/dp_rx.c drivers/net/wireless/ath/ath11k/hal.c drivers/net/wireless/ath/ath11k/hal.h drivers/net/wireless/ath/ath11k/dp.h
Harden nf_flow_table_offload by bounding action list, propagating errors, and returning status from helpers	Introduce NF_FLOW_RULE_ACTION_MAX and guard flow_action_entry_next to cap num_entries, returning NULL on overflow Convert IPv4/IPv6 SNAT/DNAT, L4 port mangling, checksum, redirect, and encap/decap helpers to return int and handle ENOSPC/EOPNOTSUPP Update nf_flow_rule_route_ipv4/ipv6 and nf_flow_rule_route_common to bail out when helper calls fail or entries cannot be allocated, and ensure VLAN and tunnel actions also respect the action limit Remove older per-rule max define and rely on the new bound	net/netfilter/nf_flow_table_offload.c
Rework conntrack expectations to store helper and zone directly on nf_conntrack_expect and make helper handling RCU-safe	Extend nf_conntrack_expect to store net namespace and (optionally) conntrack zone explicitly, and make helper pointer RCU-protected Change nf_ct_expect_init and ctnetlink_alloc_expect to derive helper, net, and zone from the master conntrack and assign them via rcu_assign_pointer/write_pnet Update various helpers (nf_conntrack_netlink, nf_conntrack_expect.c, nf_conntrack_helper.c, nf_conntrack_h323_main.c, nf_conntrack_sip.c, nf_conntrack_broadcast.c, nf_conntrack_sip.c, nf_conntrack_broadcast.c, nf_conntrack_h323_main.c) to use exp->helper/exp->net/exp zone helpers instead of dereferencing master->help Tighten expectation destruction and helper unregister paths to iterate using the helper pointer stored on expects and avoid stale helper dereferences	include/net/netfilter/nf_conntrack_expect.h net/netfilter/nf_conntrack_expect.c net/netfilter/nf_conntrack_helper.c net/netfilter/nf_conntrack_netlink.c net/netfilter/nf_conntrack_broadcast.c net/netfilter/nf_conntrack_h323_main.c net/netfilter/nf_conntrack_sip.c
Improve robustness and bounds checking in several network protocol handlers and classifiers	Enforce per-family validity for xtables matches/targets on ARP, rejecting NFPROTO_UNSPEC ones on NFPROTO_ARP tables Require baseclass/mark when attaching cls_flow and cls_fw filters to shared blocks, and ensure tc_chain_fill_node zeroes tcm_info Harden cgroup, rateest, and ipset list set code by validating path/name length and using nla_strcmp with nla attributes Fix qrtr_node tx-flow tracking by replacing radix trees with xarrays and adjusting all users, and ensure unregister wakes all waiters and cleans up xarray Correct various protocol corner cases: x25 reassembly overflow check and fraglen reset, nd proxy skb linearization and NA building, ip4ip6/ip6_err_gen_icmpv6_unreach/ip6_datagram_send_ctl to clear control blocks and maintain txoptions length accounting, netem bit error injection only when headlen>0, HFSC rtsc_min division using 64-bit helper, nfnetlink_log size calculation for NLMSG_DONE, nftables verdict init rejecting NF_QUEUE immediates	net/netfilter/x_tables.c net/sched/cls_flow.c net/sched/cls_fw.c net/sched/sch_netem.c net/netfilter/xt_cgroup.c net/netfilter/xt_rateest.c net/netfilter/ipset/ip_set_core.c net/netfilter/ipset/ip_set_list_set.c include/linux/netfilter/ipset/ip_set.h net/qrtr/af_qrtr.c net/x25/x25_in.c net/x25/x25_subr.c net/bridge/br_arp_nd_proxy.c net/ipv6/datagram.c net/ipv6/ip6_tunnel.c net/ipv6/icmp.c net/ipv6/ioam6.c net/ipv6/ndisc.c net/netfilter/nfnetlink_log.c net/sched/sch_hfsc.c net/netfilter/nf_tables_api.c
Fix multiple Bluetooth stack race conditions, validation, and state handling	Ensure hci_le_remote_conn_param_req_evt holds hdev lock throughout, sends negative replies under lock, and updates connection params safely Validate mesh_send payload lengths and adv_data_len, rejecting invalid or inconsistent sizes Add LTK validation to bound enc_size by key storage size Ensure sco_chan_add refuses sockets already bound to another connection and make sco_sock_connect/sco_connect re-check socket state under lock and handle error paths by dropping hci_conn ref In hci_cmd_sync_run, execute callbacks directly when already on cmd_sync_work and ensure corresponding destroy callback is called with the result	net/bluetooth/hci_event.c net/bluetooth/mgmt.c net/bluetooth/sco.c net/bluetooth/hci_sync.c net/bluetooth/smp.c
Harden various driver DMA/IRQ paths and fix resource lifetime / error propagation	Convert several drivers (ti-adc161s626, vcnl4035, bno055, st_lsm6dsx, adxl355, ad5770r, mpu3050, bmi160, qaic, geni spi, tegra i2c, pmbus pxe1610/tps53679, occ) to use aligned stack structs, unaligned access helpers, proper timestamped scan structs, better error propagation, and correct buffer sizes/endian descriptors Fix irq handlers to detect no-interrupt conditions properly (geni spi), free the correct irq cookie (mpu3050), and avoid IRQ-safe pm_runtime when pinctrl is in use (tegra i2c) Adjust FEC PTP PPS enabling to not reject configuration just because index != pps_channel In caam hash/ahash, allocate aligned hashed_key buffers sized to aligned_len rather than keylen and copy explicitly before hashing to avoid overflow Ensure af_alg tsgl allocation properly unmarks chain end before sg_chain, avoiding corrupted scatterlists	drivers/iio/adc/ti-adc161s626.c drivers/iio/light/vcnl4035.c drivers/iio/imu/bmi160/bmi160_core.c drivers/iio/imu/bno055/bno055.c drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c drivers/iio/gyro/mpu3050-core.c drivers/hwmon/occ/common.c drivers/hwmon/pmbus/pxe1610.c drivers/hwmon/pmbus/tps53679.c drivers/crypto/caam/caamalg_qi2.c drivers/crypto/caam/caamhash.c crypto/af_alg.c drivers/spi/spi-geni-qcom.c drivers/i2c/busses/i2c-tegra.c drivers/net/ethernet/freescale/fec_ptp.c drivers/accel/qaic/qaic_control.c
Tighten Mellanox mlx5 firmware querying and LAG debugfs setup	Change mlx5_fw_version_query to a void helper that initializes outputs to known values, logs warnings on error, and never returns a negative errno, updating callers to handle potential U32_MAX failure markers instead of error codes Ensure LAG debugfs setup checks that a mlx5_lag exists before creating the 'lag' debugfs directory to avoid NULL dereferences during early or partial init	drivers/net/ethernet/mellanox/mlx5/core/fw.c drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h drivers/net/ethernet/mellanox/mlx5/core/devlink.c drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c
Miscellaneous correctness fixes across subsystems (Btrfs, USB, HID, input, DRM, arch-specific, etc.)	Add Btrfs checker constraint that non-zero drop_progress requires drop_level>=1 to avoid later BUG_ONs, and avoid taking device_list mutex while reading zoned device zone info at mount time Multiple small driver/stack fixes: proper clk_unregister_fixed_rate in macb_pci, dp501 register write offset, drm_compat_ioctl using array_index_nospec, notify on short Wacom BT reports, validate returned HID feature IDs in hid-multitouch, fix RMI F54 worker mutex ordering, GPU objtool jump-table heuristic relaxation, AST DP SCU write fix Architecture/low-level fixes: extend MIPS __multi3 workaround to GCC<10, use GFP_ATOMIC in r4k_tlb_uniquify during TLB context, add missing DW_CFA_advance_loc4 support in arm64 SCS unwinder, correct RISC-V kgdb register indices Add/adjust platform/USB quirks and IDs for new hardware (i8042 DMI quirk, xpad/option/edgeport/USB quirks, holtek ht16k33 dt-binding unevaluatedProperties, Microchip mpfs GPIO interrupt-cells, sound/ctxfi SPDIF in index, snd-usb-caiaq id length termination), and fix tg3 MAC address routines to treat a default burned-in MAC as invalid and fallback to device_get_mac_address	fs/btrfs/tree-checker.c fs/btrfs/zoned.c drivers/net/ethernet/cadence/macb_pci.c drivers/gpu/drm/ast/ast_dp501.c drivers/gpu/drm/drm_ioc32.c drivers/gpu/drm/i915/display/g4x_dp.c drivers/hid/wacom_wac.c drivers/hid/hid-multitouch.c drivers/input/serio/i8042-acpipnpio.h drivers/input/joystick/xpad.c Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml Documentation/devicetree/bindings/gpio/microchip,mpfs-gpio.yaml arch/arm64/kernel/patch-scs.c arch/mips/ralink/clk.c arch/mips/mm/tlb-r4k.c arch/mips/lib/multi3.c arch/riscv/kernel/kgdb.c drivers/usb/core/quirks.c drivers/usb/serial/option.c drivers/usb/serial/io_edgeport.c drivers/usb/serial/io_usbvend.h sound/usb/caiaq/device.c sound/soc/cirrus/ep93xx-i2s.c drivers/net/ethernet/broadcom/tg3.c net/atm/lec.c net/atm/lec.h net/nfc/pn533/uart.c net/rds/ib_rdma.c net/sched/sch_hfsc.c tools/objtool/check.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR updates the repository’s Linux 6.6.y kernel base to 6.6.134-p1, pulling in a broad set of upstream stable fixes and small enhancements across networking (netfilter/IPv6/BT), drivers (USB/IIO/wireless/ethernet), filesystems (btrfs), and tooling (objtool).

Changes:

• Sync multiple subsystems/drivers with upstream 6.6.134 stable fixes (robustness, bounds checks, race fixes).
• Improve safety/validation in several paths (length checks, buffer handling, RCU usage adjustments, error handling propagation).
• Add/adjust device IDs, quirks, and DT binding corrections to match upstream.

Reviewed changes

Copilot reviewed 101 out of 101 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tools/objtool/check.c	Relax jump back-pointer marking
sound/usb/caiaq/device.c	Fix card id termination bound
sound/soc/cirrus/ep93xx-i2s.c	Propagate clk enable failures
sound/pci/ctxfi/ctdaio.c	Correct SPDIF input index
net/x25/x25_subr.c	Reset fraglen on purge
net/x25/x25_in.c	Fragment overflow/alloc handling changes
net/sched/sch_netem.c	Guard zero-length corruption
net/sched/sch_hfsc.c	64-bit division for curve math
net/sched/cls_fw.c	Enforce mark for shared blocks
net/sched/cls_flow.c	Enforce baseclass for shared blocks
net/sched/cls_api.c	Zero tcm_info in netlink dump
net/rds/ib_rdma.c	Validate conn/QP before MR alloc
net/qrtr/af_qrtr.c	Convert tx flow to xarray
net/netfilter/xt_rateest.c	Validate estimator name lengths
net/netfilter/xt_cgroup.c	Validate cgroup path length
net/netfilter/x_tables.c	Reject non-ARP ext in ARP tables
net/netfilter/nfnetlink_log.c	Fix NLMSG_DONE size accounting
net/netfilter/nf_tables_api.c	Reject immediate NF_QUEUE verdict
net/netfilter/nf_flow_table_offload.c	Bound action growth + error returns
net/netfilter/nf_conntrack_sip.c	Expect helper via exp->helper RCU
net/netfilter/nf_conntrack_netlink.c	Store helper/net/zone on expectations
net/netfilter/nf_conntrack_helper.c	Fix helper-unregister expect cleanup
net/netfilter/nf_conntrack_h323_main.c	Use rcu_assign_pointer for helper
net/netfilter/nf_conntrack_expect.c	Expectation net/zone + helper RCU
net/netfilter/nf_conntrack_broadcast.c	Store net/zone/helper on broadcast exp
net/netfilter/ipset/ip_set_list_set.c	Pass nlattr to set lookup
net/netfilter/ipset/ip_set_core.c	Switch lookup to nla_strcmp
net/ipv6/ndisc.c	Zero padding in nduseropt msg
net/ipv6/ip6_tunnel.c	Validate inner IPv4 header
net/ipv6/ip6_flowlabel.c	Avoid freeing opts on release
net/ipv6/ioam6.c	Widen schema length type
net/ipv6/icmp.c	Clear IPv6 CB when reusing skb
net/ipv6/datagram.c	Fix option length accounting
net/ipv6/addrconf.c	Locking reorder for addr drop
net/hsr/hsr_device.c	Correct VLAN unwind logic
net/core/skmsg.c	RCU-safe sk_socket access
net/bridge/br_arp_nd_proxy.c	Linearize skb before ND parsing
net/bluetooth/smp.c	Enforce MITM tracking/forcing
net/bluetooth/sco.c	Harden connect/double-bind races
net/bluetooth/mgmt.c	Validate mesh send length + LTK size
net/bluetooth/hci_sync.c	Ensure destroy callback on reentrant run
net/bluetooth/hci_event.c	Locking/state checks for conn param req
net/atm/lec.h	Convert lecd pointer to RCU
net/atm/lec.c	RCU-protect lecd VCC usage/close
kernel/bpf/verifier.c	Adjust PTR_TO_BUF + range safety logic
include/net/netfilter/nf_conntrack_expect.h	Add net/zone + helper RCU
include/linux/netfilter/ipset/ip_set.h	Update ip_set_get_byname signature
fs/btrfs/zoned.c	Avoid device_list_mutex in mount path
fs/btrfs/tree-checker.c	Validate drop_level vs drop_progress
drivers/usb/serial/option.c	Add new modem device IDs
drivers/usb/serial/io_usbvend.h	Add BlackBox IC135A PID
drivers/usb/serial/io_edgeport.c	Recognize new Edgeport OEM ID
drivers/usb/core/quirks.c	Disable LPM for Kiyo Pro
drivers/spi/spi-geni-qcom.c	Handle DMA IRQ status in ISR
drivers/nfc/pn533/uart.c	Avoid skb overrun on RX
drivers/net/wireless/microchip/wilc1000/hif.c	Widen valuesize type
drivers/net/wireless/intel/iwlwifi/mvm/d3.c	Fix ND match length validation
drivers/net/wireless/ath/ath11k/hal.h	Add srng src next-peek prototype
drivers/net/wireless/ath/ath11k/hal.c	Implement src next-peek helper
drivers/net/wireless/ath/ath11k/dp_rx.c	Noncoherent DMA-safe RX TID + mon ring
drivers/net/wireless/ath/ath11k/dp.h	Track unaligned DMA alloc fields
drivers/net/ethernet/xilinx/xilinx_axienet.h	Use GENMASK for length fields
drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h	Make fw query non-fatal (void)
drivers/net/ethernet/mellanox/mlx5/core/lag/debugfs.c	Guard lag debugfs creation
drivers/net/ethernet/mellanox/mlx5/core/fw.c	Log fw query failures + partial results
drivers/net/ethernet/mellanox/mlx5/core/devlink.c	Use new fw query semantics
drivers/net/ethernet/freescale/fec_ptp.c	Allow PPS on any configured channel
drivers/net/ethernet/cadence/macb_pci.c	Use clk_unregister_fixed_rate
drivers/net/ethernet/broadcom/tg3.c	Use carrier state + default MAC fallback
drivers/input/serio/i8042-acpipnpio.h	Add new DMI quirk entry
drivers/input/rmi4/rmi_f54.c	Fix mutex lock ordering in work
drivers/input/joystick/xpad.c	Add new controller IDs
drivers/iio/light/vcnl4035.c	Fix trigger buffer alignment + endianness
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c	Guard FIFO ODR config by sensor id
drivers/iio/imu/bno055/bno055.c	Fix scan channel count
drivers/iio/imu/bmi160/bmi160_core.c	Validate pin enum + clearer errors
drivers/iio/gyro/mpu3050-core.c	Free IRQ with correct cookie
drivers/iio/dac/ad5770r.c	Return error from SPI read
drivers/iio/adc/ti-adc161s626.c	Handle unaligned SPI reads + scan struct
drivers/iio/accel/adxl355_core.c	Fix temperature channel sign
drivers/i2c/busses/i2c-tegra.c	Avoid IRQ-safe with pinctrl present
drivers/i2c/busses/Kconfig	Ensure PINCTRL dependency for COMPILE_TEST
drivers/hwmon/pmbus/tps53679.c	Stronger device ID validation
drivers/hwmon/pmbus/pxe1610.c	Check page select return code
drivers/hwmon/occ/common.c	Robust power avg + sysfs formatting
drivers/hid/wacom_wac.c	Validate BT report lengths
drivers/hid/hid-multitouch.c	Validate feature report ID
drivers/gpu/drm/i915/display/g4x_dp.c	Use pipe config enhanced framing
drivers/gpu/drm/drm_ioc32.c	Add array_index_nospec to compat ioctl
drivers/gpu/drm/ast/ast_dp501.c	Fix SCU register writeback address
drivers/crypto/caam/caamhash.c	Fix aligned key buffer allocation
drivers/crypto/caam/caamalg_qi2.c	Fix aligned key buffer allocation
drivers/accel/qaic/qaic_control.c	Handle missed deactivate + wait interrupt
crypto/af_alg.c	Fix SG chaining end-marker handling
arch/riscv/kernel/kgdb.c	Fix GDB reg mapping indices
arch/mips/ralink/clk.c	Fix sysc node index selection
arch/mips/mm/tlb-r4k.c	Use GFP_ATOMIC in atomic context
arch/mips/lib/multi3.c	Update GCC version gating
arch/arm64/kernel/patch-scs.c	Support DW_CFA_advance_loc4
Documentation/devicetree/bindings/gpio/microchip,mpfs-gpio.yaml	Fix #interrupt-cells to 2
Documentation/devicetree/bindings/auxdisplay/holtek,ht16k33.yaml	Use unevaluatedProperties

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In the overflow guard, the function returns 1 without consuming/freeing the current skb. In the caller (x25_state3_machine), the error path does x25_clear_queues() but does not kfree_skb(skb), so this leaks the incoming skb. Consider freeing skb here (and optionally purging/resetting fragment state) before returning an error.

[Copilot]

If alloc_skb(len) fails when completing a fragmented frame, this now returns 1 without freeing the current skb. The caller treats this as an error but doesn't free skb, so the skb is leaked. Restoring kfree_skb(skb) (and potentially clearing any queued fragments) on this failure path would prevent the leak.

[Copilot]

The fallback parsing of an unmatched device response uses msg_len = le32_to_cpu(msg->hdr.len) as the loop bound for indexing into msg->data. Since hdr.len is the total message length (including the header), this can read past the end of the encoded transactions (and into uninitialised bytes in the receive buffer). It also doesn't validate that trans_hdr->len is >= sizeof(*trans_hdr) / non-zero, so a malformed message could cause an infinite loop (len not advancing) or out-of-bounds access. Consider validating hdr.len against the maximum/received size and using a data length of (hdr.len - sizeof(msg->hdr)), plus per-transaction bounds checks before dereferencing trans_hdr or advancing len.

Suggested change

	u32 len = 0;
	int j;
	for (j = 0; j < msg_count && len < msg_len; ++j) {
	struct wire_trans_hdr *trans_hdr;
	trans_hdr = (struct wire_trans_hdr *)(msg->data + len);
	if (le32_to_cpu(trans_hdr->type) == QAIC_TRANS_DEACTIVATE_FROM_DEV) {
	if (decode_deactivate(qdev, trans_hdr, &len, NULL))
	len += le32_to_cpu(trans_hdr->len);
	} else {
	len += le32_to_cpu(trans_hdr->len);
	}
	}
	u32 msg_data_len;
	u32 len = 0;
	int j;
	if (msg_len < sizeof(msg->hdr) || msg_len > QAIC_MANAGE_EXT_MSG_LENGTH)
	goto drop_resp_msg;
	msg_data_len = msg_len - sizeof(msg->hdr);
	for (j = 0; j < msg_count && len < msg_data_len; ++j) {
	struct wire_trans_hdr *trans_hdr;
	u32 trans_len;
	if (msg_data_len - len < sizeof(*trans_hdr))
	break;
	trans_hdr = (struct wire_trans_hdr *)(msg->data + len);
	trans_len = le32_to_cpu(trans_hdr->len);
	if (trans_len < sizeof(*trans_hdr) || trans_len > msg_data_len - len)
	break;
	if (le32_to_cpu(trans_hdr->type) == QAIC_TRANS_DEACTIVATE_FROM_DEV) {
	if (decode_deactivate(qdev, trans_hdr, &len, NULL))
	len += trans_len;
	} else {
	len += trans_len;
	}
	}
	drop_resp_msg: