The violation of atomicity occurs when the drbd_uuid_set_bm function is
executed simultaneously with modifying the value of
device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while
device->ldev->md.uuid[UI_BITMAP] passes the validity check when its
value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is
written to zero. In this case, the check in drbd_uuid_set_bm might refer
to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking),
which allows an invalid value to pass the validity check, resulting in
inconsistency.

To address this issue, it is recommended to include the data validity
check within the locked section of the function. This modification
ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not
change during the validation process, thereby maintaining its integrity.

This possible bug is found by an experimental static analysis tool
developed by our team. This tool analyzes the locking APIs to extract
function pairs that can be concurrently executed, and then analyzes the
instructions in the paired functions to identify possible concurrency
bugs including data races and atomicity violations.

Fixes: 9f2247bb ("drbd: Protect accesses to the uuid set with a spinlock")
Cc: stable@vger.kernel.org
Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
Reviewed-by: Philipp Reisner <philipp.reisner@linbit.com>
Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Commit 734e1a86 ("block: Prevent deadlocks when switching
elevators") introduced the function elv_iosched_load_module() to allow
loading an elevator module outside of elv_iosched_store() with the
target device queue not frozen, to avoid deadlocks. However, the "none"
scheduler does not have a module and as a result,
elv_iosched_load_module() always returns an error when trying to switch
to this valid scheduler.

Fix this by ignoring the return value of the request_module() call
done by elv_iosched_load_module(). This restores the behavior before
commit 734e1a86, which was to ignore the request_module() result and
instead rely on elevator_change() to handle the "none" scheduler case.
Reported-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Fixes: 734e1a86 ("block: Prevent deadlocks when switching elevators")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240917133231.134806-1-dlemoal@kernel.orgSigned-off-by: Jens Axboe <axboe@kernel.dk>

Merge in 6.11 final to get the fix for preventing deadlocks on an
elevator switch, as there's a fixup for that patch.

* tag 'v6.11': (1788 commits)
  Linux 6.11
  Revert "KVM: VMX: Always honor guest PAT on CPUs that support self-snoop"
  pinctrl: pinctrl-cy8c95x0: Fix regcache
  cifs: Fix signature miscalculation
  mm: avoid leaving partial pfn mappings around in error case
  drm/xe/client: add missing bo locking in show_meminfo()
  drm/xe/client: fix deadlock in show_meminfo()
  drm/xe/oa: Enable Xe2+ PES disaggregation
  drm/xe/display: fix compat IS_DISPLAY_STEP() range end
  drm/xe: Fix access_ok check in user_fence_create
  drm/xe: Fix possible UAF in guc_exec_queue_process_msg
  drm/xe: Remove fence check from send_tlb_invalidation
  drm/xe/gt: Remove double include
  net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()
  PCI: Fix potential deadlock in pcim_intx()
  workqueue: Clear worker->pool in the worker thread context
  net: tighten bad gso csum offset check in virtio_net_hdr
  netlink: specs: mptcp: fix port endianness
  net: dpaa: Pad packets to ETH_ZLEN
  mptcp: pm: Fix uaf in __timer_delete_sync
  ...

The union around bi_integrity field is pointless.
Remove it.
Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20240917045457.429698-1-joshi.k@samsung.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

bd_prepare_to_claim() waits for a var to change, not for a bit to be
cleared. Change from bit_waitqueue() to __var_waitqueue() and
correspondingly use wake_up_var(). This will allow a future patch which
change the "bit" function to expect an "unsigned long *" instead of
"void *".
Signed-off-by: NeilBrown <neilb@suse.de>
Link: https://lore.kernel.org/r/20240826063659.15327-2-neilb@suse.deSigned-off-by: Jens Axboe <axboe@kernel.dk>

Pull kvm fix from Paolo Bonzini:
 "Do not always honor guest PAT on CPUs that support self-snoop.

  This triggers an issue in the bochsdrm driver, which used ioremap()
  instead of ioremap_wc() to map the video RAM.

  The revert lets video RAM use the WB memory type instead of the slower
  UC memory type"

* tag 'for-linus-6.11' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  Revert "KVM: VMX: Always honor guest PAT on CPUs that support self-snoop"

This reverts commit 377b2f35.

This caused a regression with the bochsdrm driver, which used ioremap()
instead of ioremap_wc() to map the video RAM.  After the commit, the
WB memory type is used without the IGNORE_PAT, resulting in the slower
UC memory type.  In fact, UC is slow enough to basically cause guests
to not boot... but only on new processors such as Sapphire Rapids and
Cascade Lake.  Coffee Lake for example works properly, though that might
also be an effect of being on a larger, more NUMA system.

The driver has been fixed but that does not help older guests.  Until we
figure out whether Cascade Lake and newer processors are working as
intended, revert the commit.  Long term we might add a quirk, but the
details depend on whether the processors are working as intended: for
example if they are, the quirk might reference bochs-compatible devices,
e.g. in the name and documentation, so that userspace can disable the
quirk by default and only leave it enabled if such a device is being
exposed to the guest.

If instead this is actually a bug in CLX+, then the actions we need to
take are different and depend on the actual cause of the bug.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Pull pin control fixes from Linus Walleij:

 - One Intel patch that I mistakenly merged into for-next despite it
   belonging in fixes: add Arrow Lake-H/U ACPI ID so this Arrow Lake
   chip probes.

 - One fix making the CY895x0 reg cache work, which is good because it
   makes the device work too.

* tag 'pinctrl-v6.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: pinctrl-cy8c95x0: Fix regcache
  pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID

Pull sound fixes from Takashi Iwai:
 "A few last-minute ASoC fixes and MAINTAINERS update.

  All look small, obvious and nice-to-have fixes for 6.11-final"

* tag 'sound-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ASoC: meson: axg-card: fix 'use-after-free'
  ASoC: codecs: avoid possible garbage value in peb2466_reg_read()
  MAINTAINERS: update Pierre Bossart's email and role
  ASoC: tas2781: fix to save the dsp bin file name into the correct array in case name_prefix is not NULL
  ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item
  ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item

Pull smb client fix from Steve French:
 "Fix for packet signing of write"

* tag '6.11-rc7-SMB3-client-fix' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix signature miscalculation

Merge tag 'asoc-fix-v6.11-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v6.11

A few last minute fixes, plus an update for Pierre's contact details and
status.  It'd be good to get these into v6.11 (especially the
MAINTAINERS update) but it wouldn't be the end of the world if they
waited for the merge window, none of them are super remarkable and it's
just a question of timing that they're last minute.

Pull pci fix from Bjorn Helgaas:

 - Prevent a possible deadlock (reported by lockdep) when a driver
   relinquishes a pci_dev, another driver claims it, and one uses
   managed pcim_enable_device() and the other doesn't (Philipp Stanner)

* tag 'pci-v6.11-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
  PCI: Fix potential deadlock in pcim_intx()

Make the integrity mapping more like data mapping, blk_rq_map_sg. Use
the request to validate the segment count, and update the callers so
they don't have to.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913191746.2628196-1-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Pull spi fixes from Mark Brown:
 "A few last minute fixes for v6.11, they're all individually
  unremarkable and only last minute due to when they came in"

* tag 'spi-fix-v6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: nxp-fspi: fix the KASAN report out-of-bounds bug
  spi: geni-qcom: Fix incorrect free_irq() sequence
  spi: geni-qcom: Undo runtime PM changes at driver exit time

There are no external users of this.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-9-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

The request tracks the integrity segments already, so no need to recount
the segments again.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-8-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

The request tracks the integrity segments already, so no need to recount
the segments again.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-7-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Provide a helper to keep the request flags and nr_integrity_segments in
sync with the bio's integrity payload. This is an integrity equivalent
to the normal data helper function, 'blk_rq_map_user()'.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-6-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

If a bio is merged to a request, the entire bio list is merged, so don't
temporarily detach it from its list when counting segments. In most
cases, bi_next will already be NULL, so detaching is usually a no-op.
But if the bio does have a list, the current code is miscounting the
segments for the resulting merge.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-5-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Both types of merging when integrity data is used are miscounting the
segments:

Merging two requests wasn't accounting for the new segment count, so add
the "next" segment count to the first on a successful merge to ensure
this value is accurate.

Merging a bio into an existing request was double counting the bio's
segments, even if the merge failed later on. Move the segment accounting
to the end when the merge is successful.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-4-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

This value is used for merging considerations, so it needs to be
accurate.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-3-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Always defining the field will make using it easier and less error prone
in future patches.

There shouldn't be any downside to this: the field fits in what would
otherwise be a 2-byte hole, so we're not saving space by conditionally
leaving it out.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20240913182854.2445457-2-kbusch@meta.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

Pull soundwire fix from Vinod Koul:

 - Revert of earlier fix sent for non-continuous port map programming
   which caused regression on Intel platforms

* tag 'soundwire-6.11-fixes_2' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
  soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps"

Pull drm fixes from Dave Airlie:
 "Regular fixes pull, the amdgpu JPEG engine fixes are probably the
  biggest, they look to block some register accessing, otherwise there
  are just minor fixes and regression fixes all over.

  nouveau had a regression report going back a few kernels that finally
  got fixed, Not entirely happy with so many changes so late, but they
  all seem quite benign apart from the jpeg one.

  dma-buf/heaps:
   - fix off by one in CMA heap fault handler

  syncobj:
   - fix syncobj leak in drm_syncobj_eventfd_ioctl

  amdgpu:
   - Avoid races between set_drr() functions and dc_state_destruct()
   - Fix regerssion related to zpos
   - Fix regression related to overlay cursor
   - SMU 14.x updates
   - JPEG fixes
   - Silence an UBSAN warning

  amdkfd:
   - Fetch cacheline size from IP discovery

  i915:
   - Prevent a possible int overflow in wq offsets

  xe:
   - Remove a double include
   - Fix null checks and UAF
   - Fix access_ok check in user_fence_create
   - Fix compat IS_DISPLAY_STEP() range
   - OA fix
   - Fixes in show_meminfo

  nouveau:
   - fix GP10x regression on boot

  stm:
   - add COMMON_CLK dep

  rockchip:
   - iommu api change

  tegra:
   - iommu api change"

* tag 'drm-fixes-2024-09-13' of https://gitlab.freedesktop.org/drm/kernel: (25 commits)
  drm/xe/client: add missing bo locking in show_meminfo()
  drm/xe/client: fix deadlock in show_meminfo()
  drm/xe/oa: Enable Xe2+ PES disaggregation
  drm/xe/display: fix compat IS_DISPLAY_STEP() range end
  drm/xe: Fix access_ok check in user_fence_create
  drm/xe: Fix possible UAF in guc_exec_queue_process_msg
  drm/xe: Remove fence check from send_tlb_invalidation
  drm/xe/gt: Remove double include
  drm/amd/display: Add all planes on CRTC to state for overlay cursor
  drm/amdgpu/atomfirmware: Silence UBSAN warning
  drm/amd/amdgpu: apply command submission parser for JPEG v1
  drm/amd/amdgpu: apply command submission parser for JPEG v2+
  drm/amd/pm: fix the pp_dpm_pcie issue on smu v14.0.2/3
  drm/amd/pm: update the features set on smu v14.0.2/3
  drm/amd/display: Do not reset planes based on crtc zpos_changed
  drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()
  drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()
  drm/amdkfd: Add cache line size info
  drm/tegra: Use iommu_paging_domain_alloc()
  drm/rockchip: Use iommu_paging_domain_alloc()
  ...

Pull NVMe fixes from Keith:

"nvme fixes for Linux 6.12

 - A syntax cleanup (Shen)
 - Fix a Kconfig linking error (Arnd)
 - New queue-depth quirk (Keith)"

* tag 'nvme-6.12-2024-09-13' of git://git.infradead.org/nvme:
  nvme-pci: qdepth 1 quirk
  nvme-tcp: fix link failure for TCP auth
  nvme: Convert comma to semicolon

Another device has been reported to be unreliable if we have more than
one outstanding command. In this new case, data corruption may occur.
Since we have two devices now needing this quirky behavior, make a
generic quirk flag.

The same Apple quirk is clearly not "temporary", so update the comment
while moving it.

Link: https://lore.kernel.org/linux-nvme/191d810a4e3.fcc6066c765804.973611676137075390@collabora.com/Reported-by: Robert Beckett <bob.beckett@collabora.com>
Reviewed-by: Christoph Hellwig hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>

The size of the mux stride was off by one, which could result in
invalid pin configuration on the device side or invalid state
readings on the software side.

While on it also update the code and:
- Increase the mux stride size to 16
- Align the virtual muxed regmap range to 16
- Start the regmap window at the selector
- Mark reserved registers as not-readable

Fixes: 8670de9f ("pinctrl: cy8c95x0: Use regmap ranges")
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reported-by: Andy Shevchenko <andy@kernel.org>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/20240902072859.583490-1-patrick.rudolph@9elements.comSigned-off-by: Linus Walleij <linus.walleij@linaro.org>

Merge tag 'intel-pinctrl-v6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pinctrl/intel into fixes

intel-pinctrl for v6.11-1

This includes a new ACPI ID that is added to the Intel Meteor Lake
driver to support recent Intel Arrow Lake hardware.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>

- Remove a double include (Lucas)
- Fix null checks and UAF (Brost)
- Fix access_ok check in user_fence_create (Nirmoy)
- Fix compat IS_DISPLAY_STEP() range (Jani)
- OA fix (Ashutosh)
- Fixes in show_meminfo (Auld)
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZuL-sORu54zfz1Lf@intel.com

Merge tag 'drm-misc-fixes-2024-09-12' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

An off-by-one fix for the CMA DMA-buf heap, An init fix for nouveau, a
config dependency fix for stm, a syncobj leak fix, and two iommu fixes
for tegra and rockchip.
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <mripard@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240912-phenomenal-upbeat-grouse-a26781@houat

Merge tag 'drm-intel-fixes-2024-09-12' of https://gitlab.freedesktop.org/drm/i915/kernel into drm-fixes

- Prevent a possible int overflow in wq offsets [guc] (Nikita Zhandarovich)
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Tvrtko Ursulin <tursulin@igalia.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZuKTN2XngNhBB3z3@linux

Merge tag 'amd-drm-fixes-6.11-2024-09-11' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-6.11-2024-09-11:

amdgpu:
- Avoid races between set_drr() functions and dc_state_destruct()
- Fix regerssion related to zpos
- Fix regression related to overlay cursor
- SMU 14.x updates
- JPEG fixes
- Silence an UBSAN warning

amdkfd:
- Fetch cacheline size from IP discovery
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240911170528.838655-1-alexander.deucher@amd.com

Fix the calculation of packet signatures by adding the offset into a page
in the read or write data payload when hashing the pages from it.

Fixes: 39bc5820 ("cifs: Add a function to Hash the contents of an iterator")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Tom Talpey <tom@talpey.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
cc: Shyam Prasad N <nspmangalore@gmail.com>
cc: Rohith Surabattula <rohiths.msft@gmail.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: linux-cifs@vger.kernel.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>

Pull clk fix from Stephen Boyd:
 "One build fix for 32-bit arches using the Qualcomm PLL driver. It's
  cheaper to use a comparison here instead of a division so we just do
  that to fix the build"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: qcom: clk-alpha-pll: Simplify the zonda_pll_adjust_l_val()

Pull block fix from Jens Axboe:
 "Just a single fix for a deadlock issue that can happen if someone
  attempts to change the root disk IO scheduler with a module that
  requires loading from disk.

  Changing the scheduler freezes the queue while that operation is
  happening, hence causing a deadlock"

* tag 'block-6.11-20240912' of git://git.kernel.dk/linux:
  block: Prevent deadlocks when switching elevators

Merge tag 'hwmon-for-v6.11-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fix from Guenter Roeck:

 - Fix clearing status register bits for chips supporting older
   PMBus versions

* tag 'hwmon-for-v6.11-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2

Pull workqueue fix from Tejun Heo:
 "A fix for a NULL worker->pool deref bug which can be triggered when a
  worker is created and then destroyed immediately"

* tag 'wq-for-6.11-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
  workqueue: Clear worker->pool in the worker thread context

Pull RISC-V fixes from Palmer Dabbelt:

 - Two fixes for smp_processor_id() calls in preemptible sections: one
   if the perf driver, and one in the fence.i prctl.

* tag 'riscv-for-linus-6.11-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: Disable preemption while handling PR_RISCV_CTX_SW_FENCEI_OFF
  drivers: perf: Fix smp_processor_id() use in preemptible code

Pull networking fixes from Paolo Abeni:
 "Including fixes from netfilter.

  There is a recently notified BT regression with no fix yet. I do not
  think a fix will land in the next week.

  Current release - regressions:

   - core: tighten bad gso csum offset check in virtio_net_hdr

   - netfilter: move nf flowtable bpf initialization in
     nf_flow_table_module_init()

   - eth: ice: stop calling pci_disable_device() as we use pcim

   - eth: fou: fix null-ptr-deref in GRO.

  Current release - new code bugs:

   - hsr: prevent NULL pointer dereference in hsr_proxy_announce()

  Previous releases - regressions:

   - hsr: remove seqnr_lock

   - netfilter: nft_socket: fix sk refcount leaks

   - mptcp: pm: fix uaf in __timer_delete_sync

   - phy: dp83822: fix NULL pointer dereference on DP83825 devices

   - eth: revert "virtio_net: rx enable premapped mode by default"

   - eth: octeontx2-af: Modify SMQ flush sequence to drop packets

  Previous releases - always broken:

   - eth: mlx5: fix bridge mode operations when there are no VFs

   - eth: igb: Always call igb_xdp_ring_update_tail() under Tx lock"

* tag 'net-6.11-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (36 commits)
  net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init()
  net: tighten bad gso csum offset check in virtio_net_hdr
  netlink: specs: mptcp: fix port endianness
  net: dpaa: Pad packets to ETH_ZLEN
  mptcp: pm: Fix uaf in __timer_delete_sync
  net: libwx: fix number of Rx and Tx descriptors
  net: dsa: felix: ignore pending status of TAS module when it's disabled
  net: hsr: prevent NULL pointer dereference in hsr_proxy_announce()
  selftests: mptcp: include net_helper.sh file
  selftests: mptcp: include lib.sh file
  selftests: mptcp: join: restrict fullmesh endp on 1st sf
  netfilter: nft_socket: make cgroupsv2 matching work with namespaces
  netfilter: nft_socket: fix sk refcount leaks
  MAINTAINERS: Add ethtool pse-pd to PSE NETWORK DRIVER
  dt-bindings: net: tja11xx: fix the broken binding
  selftests: net: csum: Fix checksums for packets with non-zero padding
  net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices
  virtio_net: disable premapped mode by default
  Revert "virtio_net: big mode skip the unmap check"
  Revert "virtio_net: rx remove premapped failover code"
  ...