When reading or writing a guest page, WARN and bail if offset+len would
result in a read to a different page so that KVM bugs are more likely to
be detected, and so that any such bugs are less likely to escalate to an
out-of-bounds access.  E.g. if userspace isn't using guard pages and the
target page is at the end of a memslot.

Note, KVM already hardens itself in similar APIs, e.g. in the "cached"
variants, it's just the vanilla APIs that are playing with fire.

Link: https://lore.kernel.org/r/20240829191413.900740-3-seanjc@google.comSigned-off-by: Sean Christopherson <seanjc@google.com>

Pass "seg" instead of "len" when writing guest memory in kvm_clear_guest(),
as "seg" holds the number of bytes to write for the current page, while
"len" holds the total bytes remaining.

Luckily, all users of kvm_clear_guest() are guaranteed to not cross a page
boundary, and so the bug is unhittable in the current code base.

Fixes: 2f541442 ("KVM: remove kvm_clear_guest_page")
Reported-by: zyr_ms@outlook.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219104
Link: https://lore.kernel.org/r/20240829191413.900740-2-seanjc@google.comSigned-off-by: Sean Christopherson <seanjc@google.com>

Fold coalesced_mmio_has_room() into its sole caller, coalesced_mmio_write(),
as it's really just a single line of code, has a goofy return value, and
is unnecessarily brittle.

E.g. if coalesced_mmio_has_room() were to check ring->last directly, or
the caller failed to use READ_ONCE(), KVM would be susceptible to TOCTOU
attacks from userspace.

Opportunistically add a comment explaining why on earth KVM leaves one
entry free, which may not be obvious to readers that aren't familiar with
ring buffers.

No functional change intended.
Reviewed-by: Ilias Stamatis <ilstam@amazon.com>
Cc: Paul Durrant <paul@xen.org>
Link: https://lore.kernel.org/r/20240828181446.652474-3-seanjc@google.comSigned-off-by: Sean Christopherson <seanjc@google.com>

Add a test to verify that KVM correctly exits (or not) when a vCPU's
coalesced I/O ring is full (or isn't).  Iterate over all legal starting
points in the ring (with an empty ring), and verify that KVM doesn't exit
until the ring is full.

Opportunistically verify that KVM exits immediately on non-coalesced I/O,
either because the MMIO/PIO region was never registered, or because a
previous region was unregistered.

This is a regression test for a KVM bug where KVM would prematurely exit
due to bad math resulting in a false positive if the first entry in the
ring was before the halfway mark.  See commit 92f6d413 ("KVM: Fix
coalesced_mmio_has_room() to avoid premature userspace exit").

Enable the test for x86, arm64, and risc-v, i.e. all architectures except
s390, which doesn't have MMIO.

On x86, which has both MMIO and PIO, interleave MMIO and PIO into the same
ring, as KVM shouldn't exit until a non-coalesced I/O is encountered,
regardless of whether the ring is filled with MMIO, PIO, or both.

Lastly, wrap the coalesced I/O ring in a structure to prepare for a
potential future where KVM supports multiple ring buffers beyond KVM's
"default" built-in buffer.

Link: https://lore.kernel.org/all/20240820133333.1724191-1-ilstam@amazon.com
Cc: Ilias Stamatis <ilstam@amazon.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20240828181446.652474-2-seanjc@google.comSigned-off-by: Sean Christopherson <seanjc@google.com>

The following calculation used in coalesced_mmio_has_room() to check
whether the ring buffer is full is wrong and results in premature exits if
the start of the valid entries is in the first half of the ring buffer.

  avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
  if (avail == 0)
	  /* full */

Because negative values are handled using two's complement, and KVM
computes the result as an unsigned value, the above will get a false
positive if "first < last" and the ring is half-full.

The above might have worked as expected in python for example:
  >>> (-86) % 170
  84

However it doesn't work the same way in C.

  printf("avail: %d\n", (-86) % 170);
  printf("avail: %u\n", (-86) % 170);
  printf("avail: %u\n", (-86u) % 170u);

Using gcc-11 these print:

  avail: -86
  avail: 4294967210
  avail: 0

For illustration purposes, given a 4-bit integer and a ring size of 0xA
(unsigned), 0xA == 0x1010 == -6, and thus (-6u % 0xA) == 0.

Fix the calculation and allow all but one entries in the buffer to be
used as originally intended.

Note, KVM's behavior is self-healing to some extent, as KVM will allow the
entire buffer to be used if ring->first is beyond the halfway point.  In
other words, in the unlikely scenario that a use case benefits from being
able to coalesce more than 86 entries at once, KVM will still provide such
behavior, sometimes.

Note #2, the % operator in C is not the modulo operator but the remainder
operator. Modulo and remainder operators differ with respect to negative
values.  But, the relevant values in KVM are all unsigned, so it's a moot
point in this case anyway.

Note #3, this is almost a pure revert of the buggy commit, plus a
READ_ONCE() to provide additional safety.  Thue buggy commit justified the
change with "it paves the way for making this function lockless", but it's
not at all clear what was intended, nor is there any evidence that the
buggy code was somehow safer.  (a) the fields in question were already
accessed locklessly, from the perspective that they could be modified by
userspace at any time, and (b) the lock guarding the ring itself was
changed, but never dropped, i.e. whatever lockless scheme (SRCU?) was
planned never landed.

Fixes: 105f8d40 ("KVM: Calculate available entries in coalesced mmio ring")
Signed-off-by: Ilias Stamatis <ilstam@amazon.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Link: https://lore.kernel.org/r/20240718193543.624039-2-ilstam@amazon.com
[sean: rework changelog to clarify behavior, call out weirdness of buggy commit]
Signed-off-by: Sean Christopherson <seanjc@google.com>

Merge tag 'driver-core-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fixes from Greg KH:
 "Here are two driver fixes for regressions from 6.11-rc1 due to the
  driver core change making a structure in a driver core callback const.

  These were missed by all testing EXCEPT for what Bart happened to be
  running, so I appreciate the fixes provided here for some
  odd/not-often-used driver subsystems that nothing else happened to
  catch.

  Both of these fixes have been in linux-next all week with no reported
  issues"

* tag 'driver-core-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  mips: sgi-ip22: Fix the build
  ARM: riscpc: ecard: Fix the build

Pull char / misc fixes from Greg KH:
 "Here are some small char/misc fixes for 6.11-rc4 to resolve reported
  problems. Included in here are:

   - fastrpc revert of a change that broke userspace

   - xillybus fixes for reported issues

  Half of these have been in linux-next this week with no reported
  problems, I don't know if the last bit of xillybus driver changes made
  it in, but they are 'obviously correct' so will be safe :)"

* tag 'char-misc-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  char: xillybus: Check USB endpoints when probing device
  char: xillybus: Refine workqueue handling
  Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD"
  char: xillybus: Don't destroy workqueue from work item running on it

Pull tty / serial fixes from Greg KH:
 "Here are some small tty and serial driver fixes for 6.11-rc4 to
  resolve some reported problems. Included in here are:

   - conmakehash.c userspace build issues

   - fsl_lpuart driver fix

   - 8250_omap revert for reported regression

   - atmel_serial rts flag fix

  All of these have been in linux-next this week with no reported
  issues"

* tag 'tty-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  Revert "serial: 8250_omap: Set the console genpd always on if no console suspend"
  tty: atmel_serial: use the correct RTS flag.
  tty: vt: conmakehash: remove non-portable code printing comment header
  tty: serial: fsl_lpuart: mark last busy before uart_add_one_port

Pull USB / Thunderbolt driver fixes from Greg KH:
 "Here are some small USB and Thunderbolt driver fixes for 6.11-rc4 to
  resolve some reported issues. Included in here are:

   - thunderbolt driver fixes for reported problems

   - typec driver fixes

   - xhci fixes

   - new device id for ljca usb driver

  All of these have been in linux-next this week with no reported
  issues"

* tag 'usb-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
  usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]
  Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET"
  usb: typec: ucsi: Fix the return value of ucsi_run_command()
  usb: xhci: fix duplicate stall handling in handle_tx_event()
  usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()
  thunderbolt: Mark XDomain as unplugged when router is removed
  thunderbolt: Fix memory leaks in {port|retimer}_sb_regs_write()

Pull more btrfs fixes from David Sterba:
 "A more fixes. We got reports that shrinker added in 6.10 still causes
  latency spikes and the fixes don't handle all corner cases. Due to
  summer holidays we're taking a shortcut to disable it for release
  builds and will fix it in the near future.

   - only enable extent map shrinker for DEBUG builds, temporary quick
     fix to avoid latency spikes for regular builds

   - update target inode's ctime on unlink, mandated by POSIX

   - properly take lock to read/update block group's zoned variables

   - add counted_by() annotations"

* tag 'for-6.11-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: only enable extent map shrinker for DEBUG builds
  btrfs: zoned: properly take lock to read/update block group's zoned variables
  btrfs: tree-checker: add dev extent item checks
  btrfs: update target inode's ctime on unlink
  btrfs: send: annotate struct name_cache_entry with __counted_by()

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).

Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable@kernel.org
Fixes: a1d75f25 ("fuse: add store request")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Merge tag 'mm-hotfixes-stable-2024-08-17-19-34' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull misc fixes from Andrew Morton:
 "16 hotfixes. All except one are for MM. 10 of these are cc:stable and
  the others pertain to post-6.10 issues.

  As usual with these merges, singletons and doubletons all over the
  place, no identifiable-by-me theme. Please see the lovingly curated
  changelogs to get the skinny"

* tag 'mm-hotfixes-stable-2024-08-17-19-34' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
  mm/migrate: fix deadlock in migrate_pages_batch() on large folios
  alloc_tag: mark pages reserved during CMA activation as not tagged
  alloc_tag: introduce clear_page_tag_ref() helper function
  crash: fix riscv64 crash memory reserve dead loop
  selftests: memfd_secret: don't build memfd_secret test on unsupported arches
  mm: fix endless reclaim on machines with unaccepted memory
  selftests/mm: compaction_test: fix off by one in check_compaction()
  mm/numa: no task_numa_fault() call if PMD is changed
  mm/numa: no task_numa_fault() call if PTE is changed
  mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0
  mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu
  mm: don't account memmap per-node
  mm: add system wide stats items category
  mm: don't account memmap on failure
  mm/hugetlb: fix hugetlb vs. core-mm PT locking
  mseal: fix is_madv_discard()

Pull powerpc fixes from Michael Ellerman:

 - Fix crashes on 85xx with some configs since the recent hugepd rework.

 - Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL on some
   platforms.

 - Don't enable offline cores when changing SMT modes, to match existing
   userspace behaviour.

Thanks to Christophe Leroy, Dr. David Alan Gilbert, Guenter Roeck, Nysal
Jan K.A, Shrikanth Hegde, Thomas Gleixner, and Tyrel Datwyler.

* tag 'powerpc-6.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/topology: Check if a core is online
  cpu/SMT: Enable SMT only if a core is online
  powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL
  powerpc/mm: Fix size of allocated PGDIR
  soc: fsl: qbman: remove unused struct 'cgr_comp'

Pull smb client fixes from Steve French:

 - fix for clang warning - additional null check

 - fix for cached write with posix locks

 - flexible structure fix

* tag 'v6.11-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  smb: smb2pdu.h: Use static_assert() to check struct sizes
  smb3: fix lock breakage for cached writes
  smb/client: avoid possible NULL dereference in cifs_free_subrequest()

Pull i2c fixes from Wolfram Sang:
 "I2C core fix replacing IS_ENABLED() with IS_REACHABLE()

  For host drivers, there are two fixes:

   - Tegra I2C Controller: Addresses a potential double-locking issue
     during probe. ACPI devices are not IRQ-safe when invoking runtime
     suspend and resume functions, so the irq_safe flag should not be
     set.

   - Qualcomm GENI I2C Controller: Fixes an oversight in the exit path
     of the runtime_resume() function, which was missed in the previous
     release"

* tag 'i2c-for-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: tegra: Do not mark ACPI devices as irq safe
  i2c: Use IS_REACHABLE() for substituting empty ACPI functions
  i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume

Pull SCSI fixes from James Bottomley:
 "Two small fixes to the mpi3mr driver. One to avoid oversize
  allocations in tracing and the other to fix an uninitialized spinlock
  in the user to driver feature request code (used to trigger dumps and
  the like)"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: mpi3mr: Avoid MAX_PAGE_ORDER WARNING for buffer allocations
  scsi: mpi3mr: Add missing spin_lock_init() for mrioc->trigger_lock

Pull xfs fixes from Chandan Babu:

 - Check for presence of only 'attr' feature before scrubbing an inode's
   attribute fork.

 - Restore the behaviour of setting AIL thread to TASK_INTERRUPTIBLE for
   long (i.e. 50ms) sleep durations to prevent high load averages.

 - Do not allow users to change the realtime flag of a file unless the
   datadev and rtdev both support fsdax access modes.

* tag 'xfs-6.11-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set
  xfs: revert AIL TASK_KILLABLE threshold
  xfs: attr forks require attr, not attr2

Pull bcachefs fixes from Kent OverstreetL

 - New on disk format version, bcachefs_metadata_version_disk_accounting_inum

   This adds one more disk accounting counter, which counts disk usage
   and number of extents per inode number. This lets us track
   fragmentation, for implementing defragmentation later, and it also
   counts disk usage per inode in all snapshots, which will be a useful
   thing to expose to users.

 - One performance issue we've observed is threads spinning when they
   should be waiting for dirty keys in the key cache to be flushed by
   journal reclaim, so we now have hysteresis for the waiting thread, as
   well as improving the tracepoint and a new time_stat, for tracking
   time blocked waiting on key cache flushing.

... and various assorted smaller fixes.

* tag 'bcachefs-2024-08-16' of git://evilpiepirate.org/bcachefs:
  bcachefs: Fix locking in __bch2_trans_mark_dev_sb()
  bcachefs: fix incorrect i_state usage
  bcachefs: avoid overflowing LRU_TIME_BITS for cached data lru
  bcachefs: Fix forgetting to pass trans to fsck_err()
  bcachefs: Increase size of cuckoo hash table on too many rehashes
  bcachefs: bcachefs_metadata_version_disk_accounting_inum
  bcachefs: Kill __bch2_accounting_mem_mod()
  bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()
  bcachefs: Fix warning in __bch2_fsck_err() for trans not passed in
  bcachefs: Add a time_stat for blocked on key cache flush
  bcachefs: Improve trans_blocked_journal_reclaim tracepoint
  bcachefs: Add hysteresis to waiting on btree key cache flush
  lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
  bcachefs: Convert for_each_btree_node() to lockrestart_do()
  bcachefs: Add missing downgrade table entry
  bcachefs: disk accounting: ignore unknown types
  bcachefs: bch2_accounting_invalid() fixup
  bcachefs: Fix bch2_trigger_alloc when upgrading from old versions
  bcachefs: delete faulty fastpath in bch2_btree_path_traverse_cached()

We run this in full RW mode now, so we have to guard against the
superblock buffer being reallocated.
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

Pull memcg-v1 fix from Al Viro:
 "memcg_write_event_control() oops fix"

* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  memcg_write_event_control(): fix a user-triggerable oops

Pull arm64 fixes from Catalin Marinas:

 - Fix the arm64 __get_mem_asm() to use the _ASM_EXTABLE_##type##ACCESS()
   macro instead of the *_ERR() one in order to avoid writing -EFAULT to
   the value register in case of a fault

 - Initialise all elements of the acpi_early_node_map[] to NUMA_NO_NODE.
   Prior to this fix, only the first element was initialised

 - Move the KASAN random tag seed initialisation after the per-CPU areas
   have been initialised (prng_state is __percpu)

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: Fix KASAN random tag seed initialization
  arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
  arm64: uaccess: correct thinko in __get_mem_asm()

Pull clk fix from Stephen Boyd:
 "One fix for the new T-Head TH1520 clk driver that marks a bus clk
  critical so that it isn't turned off during late init which breaks
  emmc-sdio"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: thead: fix dependency on clk_ignore_unused

Pull block fixes from Jens Axboe:

 - Fix corruption issues with s390/dasd (Eric, Stefan)

 - Fix a misuse of non irq locking grab of a lock (Li)

 - MD pull request with a single data corruption fix for raid1 (Yu)

* tag 'block-6.11-20240824' of git://git.kernel.dk/linux:
  block: Fix lockdep warning in blk_mq_mark_tag_wait
  md/raid1: Fix data corruption for degraded array with slow disk
  s390/dasd: fix error recovery leading to data corruption on ESE devices
  s390/dasd: Remove DMA alignment

Pull io_uring fixes from Jens Axboe:

 - Fix a comment in the uapi header using the wrong member name (Caleb)

 - Fix KCSAN warning for a debug check in sqpoll (me)

 - Two more NAPI tweaks (Olivier)

* tag 'io_uring-6.11-20240824' of git://git.kernel.dk/linux:
  io_uring: fix user_data field name in comment
  io_uring/sqpoll: annotate debug task == current with data_race()
  io_uring/napi: remove duplicate io_napi_entry timeout assignation
  io_uring/napi: check napi_enabled in io_napi_add() before proceeding

Pull devicetree fixes from Rob Herring:

 - Fix a possible (but unlikely) out-of-bounds read in interrupts
   parsing code

 - Add AT25 EEPROM "fujitsu,mb85rs256" compatible

 - Update Konrad Dybcio's email

* tag 'devicetree-fixes-for-6.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  of/irq: Prevent device address out-of-bounds read in interrupt map walk
  dt-bindings: eeprom: at25: add fujitsu,mb85rs256 compatible
  dt-bindings: Batch-update Konrad Dybcio's email

Although there are several patches improving the extent map shrinker,
there are still reports of too frequent shrinker behavior, taking too
much CPU for the kswapd process.

So let's only enable extent shrinker for now, until we got more
comprehensive understanding and a better solution.

Link: https://lore.kernel.org/linux-btrfs/3df4acd616a07ef4d2dc6bad668701504b412ffc.camel@intelfx.name/
Link: https://lore.kernel.org/linux-btrfs/c30fd6b3-ca7a-4759-8a53-d42878bf84f7@gmail.com/
Fixes: 956a17d9 ("btrfs: add a shrinker for extent maps")
CC: stable@vger.kernel.org # 6.10+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

Pull thermal control fix from Rafael Wysocki:
 "Fix a Bang-bang thermal governor issue causing it to fail to reset the
  state of cooling devices if they are 'on' to start with, but the
  thermal zone temperature is always below the corresponding trip point
  (Rafael Wysocki)"

* tag 'thermal-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  thermal: gov_bang_bang: Use governor_data to reduce overhead
  thermal: gov_bang_bang: Add .manage() callback
  thermal: gov_bang_bang: Split bang_bang_control()
  thermal: gov_bang_bang: Call __thermal_cdev_update() directly

Pull ACPI fix from Rafael Wysocki:
 "Fix an issue related to the ACPI EC device handling that causes the
  _REG control method to be evaluated for EC operation regions that are
  not expected to be used.

  This confuses the platform firmware and provokes various types of
  misbehavior on some systems (Rafael Wysocki)"

* tag 'acpi-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: EC: Evaluate _REG outside the EC scope more carefully
  ACPICA: Add a depth argument to acpi_execute_reg_methods()
  Revert "ACPI: EC: Evaluate orphan _REG under EC device"

Pull libnvdimm fix from Ira Weiny:
 "Commit f467fee4 ("block: move the dax flag to queue_limits") broke
  the DAX tests by skipping over the legacy pmem mapping pages case.

  Set the DAX flag in this case as well"

* tag 'libnvdimm-fixes-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  nvdimm/pmem: Set dax flag for all 'PFN_MAP' cases

io_uring_cqe's user_data field refers to `sqe->data`, but io_uring_sqe
does not have a data field. Fix the comment to say `sqe->user_data`.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Link: https://github.com/axboe/liburing/pull/1206
Link: https://lore.kernel.org/r/20240816181526.3642732-1-csander@purestorage.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Pull rust fixes from Miguel Ojeda:

 - Fix '-Os' Rust 1.80.0+ builds adding more intrinsics (also tweaked in
   upstream Rust for the upcoming 1.82.0).

 - Fix support for the latest version of rust-analyzer due to a change
   on rust-analyzer config file semantics (considered a fix since most
   developers use the latest version of the tool, which is the only one
   actually supported by upstream). I am discussing stability of the
   config file with upstream -- they may be able to start versioning it.

 - Fix GCC 14 builds due to '-fmin-function-alignment' not skipped for
   libclang (bindgen).

 - A couple Kconfig fixes around '{RUSTC,BINDGEN}_VERSION_TEXT' to
   suppress error messages in a foreign architecture chroot and to use a
   proper default format.

 - Clean 'rust-analyzer' target warning due to missing recursive make
   invocation mark.

 - Clean Clippy warning due to missing indentation in docs.

 - Clean LLVM 19 build warning due to removed 3dnow feature upstream.

* tag 'rust-fixes-6.11' of https://github.com/Rust-for-Linux/linux:
  rust: x86: remove `-3dnow{,a}` from target features
  kbuild: rust-analyzer: mark `rust_is_available.sh` invocation as recursive
  rust: add intrinsics to fix `-Os` builds
  kbuild: rust: skip -fmin-function-alignment in bindgen flags
  rust: Support latest version of `rust-analyzer`
  rust: macros: indent list item in `module!`'s docs
  rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT
  rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT

Pull RISC-V fixes from Palmer Dabbelt:

 - reintroduce the text patching global icache flush

 - fix syscall entry code to correctly initialize a0, which manifested
   as a strace bug

 - XIP kernels now map the entire kernel, which fixes boot under at
   least DEBUG_VIRTUAL=y

 - initialize all nodes in the acpi_early_node_map initializer

 - fix OOB access in the Andes vendor extension probing code

 - A new key for scalar misaligned access performance in hwprobe, which
   correctly treat the values as an enum (as opposed to a bitmap)

* tag 'riscv-for-linus-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: Fix out-of-bounds when accessing Andes per hart vendor extension array
  RISC-V: hwprobe: Add SCALAR to misaligned perf defines
  RISC-V: hwprobe: Add MISALIGNED_PERF key
  RISC-V: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
  riscv: change XIP's kernel_map.size to be size of the entire kernel
  riscv: entry: always initialize regs->a0 to -ENOSYS
  riscv: Re-introduce global icache flush in patch_text_XXX()

Pull tracing fixes from Steven Rostedt:
 "A couple of fixes for tracing:

   - Prevent a NULL pointer dereference in the error path of RTLA tool

   - Fix an infinite loop bug when reading from the ring buffer when
     closed. If there's a thread trying to read the ring buffer and it
     gets closed by another thread, the one reading will go into an
     infinite loop when the buffer is empty instead of exiting back to
     user space"

* tag 'trace-v6.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  rtla/osnoise: Prevent NULL dereference in error handling
  tracing: Return from tracing_buffers_read() if the file has been closed

Merge tag 'keys-trusted-next-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd

Pull key fixes from Jarkko Sakkinen:
 "Two bug fixes for a memory corruption bug and a memory leak bug in the
  DCP trusted keys type.

  Just as a reminder DCP was a crypto coprocessor in i.MX SoCs"

* tag 'keys-trusted-next-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
  KEYS: trusted: dcp: fix leak of blob encryption key
  KEYS: trusted: fix DCP blob payload length assignment

Reported-by: syzbot+95e40eae71609e40d851@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

Reported-by: syzbot+510b0b28f8e6de64d307@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

Reported-by: syzbot+e3938cd6d761b78750e6@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

Also, improve the calculation of the new table size, so that it can
shrink when needed.
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

Merge tag 'for-6.11/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mikulas Patocka:

 - fix misbehavior if suspend or resume is interrupted by a signal

 - fix wrong indentation in dm-crypt.rst

 - fix memory allocation failure in dm-persistent-data

* tag 'for-6.11/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm persistent data: fix memory allocation failure
  Documentation: dm-crypt.rst warning + error fix
  dm resume: don't return EINVAL when signalled
  dm suspend: return -ERESTARTSYS instead of -EINTR