--- /dev/null
+From 8e2bad543eca5c25cd02cbc63d72557934d45f13 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Mon, 10 Feb 2025 13:16:22 -0600
+Subject: dlm: prevent NPD when writing a positive value to event_done
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 upstream.
+
+do_uevent returns the value written to event_done. In case it is a
+positive value, new_lockspace would undo all the work, and lockspace
+would not be set. __dlm_new_lockspace, however, would treat that
+positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
+count with multiple joins").
+
+Down the line, device_create_lockspace would pass that NULL lockspace to
+dlm_find_lockspace_local, leading to a NULL pointer dereference.
+
+Treating such positive values as successes prevents the problem. Given
+this has been broken for so long, this is unlikely to break userspace
+expectations.
+
+Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -631,7 +631,7 @@ static int new_lockspace(const char *nam
+ lockspace to start running (via sysfs) in dlm_ls_start(). */
+
+ error = do_uevent(ls, 1);
+- if (error)
++ if (error < 0)
+ goto out_recoverd;
+
+ /* wait until recovery is successful or failed */
--- /dev/null
+From stable+bounces-266587-greg=kroah.com@vger.kernel.org Tue Jun 16 23:41:47 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2026 18:39:53 -0400
+Subject: Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
+To: stable@vger.kernel.org
+Cc: Dexuan Cui <decui@microsoft.com>, Michael Kelley <mhklinux@outlook.com>, Krister Johansen <kjlx@templeofstupid.com>, Matthew Ruffell <matthew.ruffell@canonical.com>, Wei Liu <wei.liu@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260616223953.3557794-1-sashal@kernel.org>
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 ]
+
+If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve
+the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's
+screen.lfb_base being zero [1], there is an MMIO conflict between the
+drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's
+hv_allocate_config_window() calls vmbus_allocate_mmio() to get an
+MMIO range, typically it gets a 32-bit MMIO range that overlaps with the
+framebuffer MMIO range, and later hv_pci_enter_d0() fails with an
+error message "PCI Pass-through VSP failed D0 Entry with status" since
+the host thinks that PCI devices must not use MMIO space that the
+host has assigned to the framebuffer.
+
+This is especially an issue if pci-hyperv is built-in and hyperv-drm is
+built as a module. Consequently, the kdump/kexec kernel fails to detect
+PCI devices via pci-hyperv, and may fail to mount the root file system,
+which may reside in a NVMe disk. The issue described here has existed
+for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been
+worked around on x64 when possible. With the recent introduction of
+ARM64 VMs that boot from NVMe, there is no workaround, so we need a
+formal fix.
+
+On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1],
+fall back to the low MMIO base, which should be equal to the framebuffer
+MMIO base [2] (the statement is true according to my testing on x64
+Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on
+Azure. I checked with the Hyper-V team and they said the statement should
+continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base
+is not 0; if the user specifies a very high resolution, it's not enough
+to only reserve 8MB: let's always reserve half of the space below 4GB,
+but cap the reservation to 128MB, which is the required framebuffer size
+of the highest resolution 7680*4320 supported by Hyper-V.
+
+While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing
+the > to >=. Here the 'end' is an inclusive end (typically, it's
+0xFFFF_FFFF for the low MMIO range).
+
+Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning
+of the low MMIO range on CVMs, which have no framebuffers (the
+'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the
+host might treat the beginning of the low MMIO range specially [3]. BTW,
+the OpenHCL kernel is not affected by the change, because that kernel
+boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run
+there), and there is no framebuffer device for that kernel.
+
+Note: normally Gen1 VMs don't have the MMIO conflict issue because the
+framebuffer MMIO range (which is hardcoded to base=4GB-128MB and
+size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI
+graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB
+MMIO range; however, if the VM is configured to use a very high resolution
+and the required framebuffer size exceeds 64MB (AFAIK, in practice, this
+isn't a typical configuration by users), the hyperv-drm driver may need to
+allocate an MMIO range above 4GB and change the framebuffer MMIO location
+to the allocated MMIO range -- in this case, there can still be issues [4]
+which can't be easily fixed: any possible affected Gen1 users would have
+to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2
+VMs.
+
+[1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/
+[2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/
+[3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/
+[4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/
+
+Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
+CC: stable@vger.kernel.org
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Tested-by: Krister Johansen <kjlx@templeofstupid.com>
+Tested-by: Matthew Ruffell <matthew.ruffell@canonical.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+[ changed `sysfb_primary_display.screen.lfb_base/lfb_size` reads to the global `screen_info.lfb_base/lfb_size` and dropped the `if (IS_ENABLED(CONFIG_SYSFB))` wrapper, de-indenting the block. ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/vmbus_drv.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -2029,8 +2029,8 @@ static acpi_status vmbus_walk_resources(
+ return AE_NO_MEMORY;
+
+ /* If this range overlaps the virtual TPM, truncate it. */
+- if (end > VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
+- end = VTPM_BASE_ADDRESS;
++ if (end >= VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
++ end = VTPM_BASE_ADDRESS - 1;
+
+ new_res->name = "hyperv mmio";
+ new_res->flags = IORESOURCE_MEM;
+@@ -2097,12 +2097,31 @@ static void vmbus_mmio_remove(void)
+ static void __maybe_unused vmbus_reserve_fb(void)
+ {
+ resource_size_t start = 0, size;
++ resource_size_t low_mmio_base;
+ struct pci_dev *pdev;
+
+ if (efi_enabled(EFI_BOOT)) {
+ /* Gen2 VM: get FB base from EFI framebuffer */
+ start = screen_info.lfb_base;
+ size = max_t(__u32, screen_info.lfb_size, 0x800000);
++
++ low_mmio_base = hyperv_mmio->start;
++ if (!low_mmio_base || upper_32_bits(low_mmio_base) ||
++ (start && start < low_mmio_base)) {
++ pr_warn("Unexpected low mmio base %pa\n", &low_mmio_base);
++ } else {
++ /*
++ * If the kdump/kexec or CVM kernel's lfb_base
++ * is 0, fall back to the low mmio base.
++ */
++ if (!start)
++ start = low_mmio_base;
++ /*
++ * Reserve half of the space below 4GB for high
++ * resolutions, but cap the reservation to 128MB.
++ */
++ size = min((SZ_4G - start) / 2, SZ_128M);
++ }
+ } else {
+ /* Gen1 VM: get FB base from PCI */
+ pdev = pci_get_device(PCI_VENDOR_ID_MICROSOFT,
+@@ -2122,8 +2141,10 @@ static void __maybe_unused vmbus_reserve
+ pci_dev_put(pdev);
+ }
+
+- if (!start)
++ if (!start) {
++ pr_warn("Unexpected framebuffer mmio base of zero\n");
+ return;
++ }
+
+ /*
+ * Make a claim for the frame buffer in the resource tree under the
+@@ -2133,6 +2154,8 @@ static void __maybe_unused vmbus_reserve
+ */
+ for (; !fb_mmio && (size >= 0x100000); size >>= 1)
+ fb_mmio = __request_region(hyperv_mmio, start, size, fb_mmio_name, 0);
++
++ pr_info("hv_mmio=%pR,%pR fb=%pR\n", hyperv_mmio, hyperv_mmio->sibling, fb_mmio);
+ }
+
+ /**
--- /dev/null
+From stable+bounces-267937-greg=kroah.com@vger.kernel.org Tue Jun 23 13:08:40 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2026 08:08:35 -0400
+Subject: fuse: re-lock request before replacing page cache folio
+To: stable@vger.kernel.org
+Cc: Joanne Koong <joannelkoong@gmail.com>, Lei Lu <llfamsec@gmail.com>, Miklos Szeredi <mszeredi@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260623120835.1156432-1-sashal@kernel.org>
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+[ Upstream commit a078484921052d0badd827fcc2770b5cfc1d4120 ]
+
+fuse_try_move_folio() unlocks the request on entry but does not
+re-lock it on the success path. This means fuse_chan_abort() can end the
+request and free the fuse_io_args (eg fuse_readpages_end()) while the
+subsequent copy chain logic after fuse_try_move_folio() accesses the
+fuse_io_args, leading to use-after-free issues.
+
+Fix this by calling lock_request() before replace_page_cache_folio().
+This ensures the request is locked on the success path which will
+prevent the fuse_io_args from being freed while the later copying logic
+runs, and also ensures that the ap->folios[i]->mapping is never null
+since ap->folios[i] will always point to the newfolio after
+replace_page_cache_folio().
+
+Fixes: ce534fb05292 ("fuse: allow splice to move pages")
+Cc: stable@vger.kernel.org
+Reported-by: Lei Lu <llfamsec@gmail.com>
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -843,6 +843,10 @@ static int fuse_try_move_page(struct fus
+ if (WARN_ON(folio_test_mlocked(oldfolio)))
+ goto out_fallback_unlock;
+
++ err = lock_request(cs->req);
++ if (err)
++ goto out_fallback_unlock;
++
+ replace_page_cache_folio(oldfolio, newfolio);
+
+ folio_get(newfolio);
+@@ -856,20 +860,7 @@ static int fuse_try_move_page(struct fus
+ */
+ pipe_buf_release(cs->pipe, buf);
+
+- err = 0;
+- spin_lock(&cs->req->waitq.lock);
+- if (test_bit(FR_ABORTED, &cs->req->flags))
+- err = -ENOENT;
+- else
+- *pagep = &newfolio->page;
+- spin_unlock(&cs->req->waitq.lock);
+-
+- if (err) {
+- folio_unlock(newfolio);
+- folio_put(newfolio);
+- goto out_put_old;
+- }
+-
++ *pagep = &newfolio->page;
+ folio_unlock(oldfolio);
+ /* Drop ref for ap->pages[] array */
+ folio_put(oldfolio);
--- /dev/null
+From stable+bounces-266562-greg=kroah.com@vger.kernel.org Tue Jun 16 20:21:34 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2026 15:21:28 -0400
+Subject: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
+To: stable@vger.kernel.org
+Cc: Ji'an Zhou <eilaimemedsnaimel@gmail.com>, Thomas Gleixner <tglx@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260616192128.3499944-1-sashal@kernel.org>
+
+From: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+
+[ Upstream commit 74e144274af39935b0f410c0ee4d2b91c3730414 ]
+
+When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
+target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
+waiter->task.
+
+The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
+the NULL waiter->task, causing a kernel crash.
+
+Add a self-deadlock check for non-top waiters before calling
+rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
+futex_lock_pi_atomic().
+
+Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Signed-off-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex/requeue.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -629,6 +629,12 @@ retry_private:
+ continue;
+ }
+
++ /* Self-deadlock: non-top waiter already owns the PI futex. */
++ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
++ ret = -EDEADLK;
++ break;
++ }
++
+ ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
+ this->rt_waiter,
+ this->task);
--- /dev/null
+From stable+bounces-265109-greg=kroah.com@vger.kernel.org Tue Jun 16 18:15:07 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2026 13:05:11 -0400
+Subject: hv: utils: handle and propagate errors in kvp_register
+To: stable@vger.kernel.org
+Cc: Thorsten Blum <thorsten.blum@linux.dev>, Long Li <longli@microsoft.com>, Wei Liu <wei.liu@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260616170511.3370357-1-sashal@kernel.org>
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+[ Upstream commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 ]
+
+Make kvp_register() return an error code instead of silently ignoring
+failures, and propagate the error from kvp_handle_handshake() instead of
+returning success.
+
+This propagates both kzalloc_obj() and hvutil_transport_send() failures
+to kvp_handle_handshake() and thus to kvp_on_msg().
+
+Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/hv_kvp.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -93,7 +93,7 @@ static void kvp_send_key(struct work_str
+ static void kvp_respond_to_host(struct hv_kvp_msg *msg, int error);
+ static void kvp_timeout_func(struct work_struct *dummy);
+ static void kvp_host_handshake_func(struct work_struct *dummy);
+-static void kvp_register(int);
++static int kvp_register(int);
+
+ static DECLARE_DELAYED_WORK(kvp_timeout_work, kvp_timeout_func);
+ static DECLARE_DELAYED_WORK(kvp_host_handshake_work, kvp_host_handshake_func);
+@@ -127,24 +127,26 @@ static void kvp_register_done(void)
+ hv_poll_channel(kvp_transaction.recv_channel, kvp_poll_wrapper);
+ }
+
+-static void
++static int
+ kvp_register(int reg_value)
+ {
+
+ struct hv_kvp_msg *kvp_msg;
+ char *version;
++ int ret;
+
+ kvp_msg = kzalloc(sizeof(*kvp_msg), GFP_KERNEL);
++ if (!kvp_msg)
++ return -ENOMEM;
+
+- if (kvp_msg) {
+- version = kvp_msg->body.kvp_register.version;
+- kvp_msg->kvp_hdr.operation = reg_value;
+- strcpy(version, HV_DRV_VERSION);
+-
+- hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
+- kvp_register_done);
+- kfree(kvp_msg);
+- }
++ version = kvp_msg->body.kvp_register.version;
++ kvp_msg->kvp_hdr.operation = reg_value;
++ strcpy(version, HV_DRV_VERSION);
++
++ ret = hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
++ kvp_register_done);
++ kfree(kvp_msg);
++ return ret;
+ }
+
+ static void kvp_timeout_func(struct work_struct *dummy)
+@@ -186,9 +188,8 @@ static int kvp_handle_handshake(struct h
+ */
+ pr_debug("KVP: userspace daemon ver. %d connected\n",
+ msg->kvp_hdr.operation);
+- kvp_register(dm_reg_value);
+
+- return 0;
++ return kvp_register(dm_reg_value);
+ }
+
+
--- /dev/null
+From stable+bounces-266612-greg=kroah.com@vger.kernel.org Wed Jun 17 02:47:48 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2026 21:47:39 -0400
+Subject: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
+To: stable@vger.kernel.org
+Cc: Davidlohr Bueso <dave@stgolabs.net>, syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com, Thomas Gleixner <tglx@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260617014739.3672034-1-sashal@kernel.org>
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit 40a25d59e85b3c8709ac2424d44f65610467871e ]
+
+syzbot triggered the following splat in remove_waiter() via
+FUTEX_CMP_REQUEUE_PI:
+
+ KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
+ class_raw_spinlock_constructor
+ remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
+ rt_mutex_start_proxy_lock+0x103/0x120
+ futex_requeue+0x10e4/0x20d0
+ __x64_sys_futex+0x34f/0x4d0
+
+task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
+leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
+of current in remove_waiter()") made this fatal.
+
+Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
+upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
+return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
+(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
+account for try_to_take_rt_mutex().
+
+Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
+Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
+Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rtmutex.c | 3 +++
+ kernel/locking/rtmutex_api.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1524,6 +1524,9 @@ static void __sched remove_waiter(struct
+
+ lockdep_assert_held(&lock->wait_lock);
+
++ if (!waiter_task) /* never enqueued */
++ return;
++
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+--- a/kernel/locking/rtmutex_api.c
++++ b/kernel/locking/rtmutex_api.c
+@@ -344,7 +344,7 @@ int __sched rt_mutex_start_proxy_lock(st
+
+ raw_spin_lock_irq(&lock->wait_lock);
+ ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+- if (unlikely(ret))
++ if (unlikely(ret < 0))
+ remove_waiter(lock, waiter);
+ raw_spin_unlock_irq(&lock->wait_lock);
+
--- /dev/null
+From stable+bounces-264330-greg=kroah.com@vger.kernel.org Tue Jun 16 16:58:47 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2026 11:55:33 -0400
+Subject: mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
+To: stable@vger.kernel.org
+Cc: Tao Cui <cuitao@kylinos.cn>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260616155533.3323286-1-sashal@kernel.org>
+
+From: Tao Cui <cuitao@kylinos.cn>
+
+[ Upstream commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a ]
+
+The userspace PM increments extra_subflows after __mptcp_subflow_connect()
+succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()
+on failure to roll back the pre-increment done by the kernel PM's fill_*()
+helpers. Because the userspace PM hasn't incremented yet at that point,
+this decrement is spurious and causes extra_subflows to underflow.
+
+Fix it by aligning the userspace PM with the kernel PM: increment
+extra_subflows before calling __mptcp_subflow_connect(), so the existing
+error path in subflow.c correctly rolls it back on failure. Also simplify
+the error handling by taking pm.lock only when needed for cleanup.
+
+Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tao Cui <cuitao@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_userspace.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/mptcp/pm_userspace.c
++++ b/net/mptcp/pm_userspace.c
+@@ -408,18 +408,21 @@ int mptcp_nl_cmd_sf_create(struct sk_buf
+ goto create_err;
+ }
+
++ spin_lock_bh(&msk->pm.lock);
++ msk->pm.subflows++;
++ spin_unlock_bh(&msk->pm.lock);
++
+ lock_sock(sk);
+
+ err = __mptcp_subflow_connect(sk, &addr_l, &addr_r);
+
+ release_sock(sk);
+
+- spin_lock_bh(&msk->pm.lock);
+- if (err)
++ if (err) {
++ spin_lock_bh(&msk->pm.lock);
+ mptcp_userspace_pm_delete_local_addr(msk, &local);
+- else
+- msk->pm.subflows++;
+- spin_unlock_bh(&msk->pm.lock);
++ spin_unlock_bh(&msk->pm.lock);
++ }
+
+ create_err:
+ sock_put((struct sock *)msk);
--- /dev/null
+From stable+bounces-266796-greg=kroah.com@vger.kernel.org Wed Jun 17 15:34:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 10:33:35 -0400
+Subject: net: phonet: free phonet_device after RCU grace period
+To: stable@vger.kernel.org
+Cc: "Santosh Kalluri" <santosh.kalluri129@gmail.com>, "RĂ©mi Denis-Courmont" <remi@remlab.net>, "Simon Horman" <horms@kernel.org>, "Jakub Kicinski" <kuba@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20260617143335.3942705-3-sashal@kernel.org>
+
+From: Santosh Kalluri <santosh.kalluri129@gmail.com>
+
+[ Upstream commit 71de0177b28da751f407581a4515cf4d762f6296 ]
+
+phonet_device_destroy() removes a phonet_device from the per-net device
+list with list_del_rcu(), but frees it immediately. RCU readers walking
+the same list can still hold a pointer to the object after it has been
+removed, leading to a slab-use-after-free.
+
+Use kfree_rcu(), matching the lifetime rule already used by
+phonet_address_del() for the same object type.
+
+Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Santosh Kalluri <santosh.kalluri129@gmail.com>
+Acked-by: RĂ©mi Denis-Courmont <remi@remlab.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pn_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/phonet/pn_dev.c
++++ b/net/phonet/pn_dev.c
+@@ -105,7 +105,7 @@ static void phonet_device_destroy(struct
+ for_each_set_bit(addr, pnd->addrs, 64)
+ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
+
+- kfree(pnd);
++ kfree_rcu(pnd, rcu);
+ }
+ }
+
--- /dev/null
+From 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 5 Mar 2026 21:32:00 +0100
+Subject: netfilter: nf_tables: always walk all pending catchall elements
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 upstream.
+
+During transaction processing we might have more than one catchall element:
+1 live catchall element and 1 pending element that is coming as part of the
+new batch.
+
+If the map holding the catchall elements is also going away, its
+required to toggle all catchall elements and not just the first viable
+candidate.
+
+Otherwise, we get:
+ WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
+ RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
+ [..]
+ __nft_set_elem_destroy+0x106/0x380 [nf_tables]
+ nf_tables_abort_release+0x348/0x8d0 [nf_tables]
+ nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
+ nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
+
+Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+[ Shivani: Modified to apply on v6.6.y-v6.1.y ]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -652,7 +652,6 @@ static void nft_map_catchall_deactivate(
+ elem.priv = catchall->elem;
+ nft_set_elem_change_active(ctx->net, set, ext);
+ nft_setelem_data_deactivate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
+@@ -5615,7 +5614,6 @@ static void nft_map_catchall_activate(co
+ nft_clear(ctx->net, ext);
+ elem.priv = catchall->elem;
+ nft_setelem_data_activate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
--- /dev/null
+From stable+bounces-266794-greg=kroah.com@vger.kernel.org Wed Jun 17 15:33:44 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 10:33:33 -0400
+Subject: phonet: Pass ifindex to fill_addr().
+To: stable@vger.kernel.org
+Cc: Kuniyuki Iwashima <kuniyu@amazon.com>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260617143335.3942705-1-sashal@kernel.org>
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 08a9572be36819b5d9011604edfa5db6c5062a7a ]
+
+We will convert addr_doit() and getaddr_dumpit() to RCU, both
+of which call fill_addr().
+
+The former will call phonet_address_notify() outside of RCU
+due to GFP_KERNEL, so dev will not be available in fill_addr().
+
+Let's pass ifindex directly to fill_addr().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/pn_netlink.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -19,7 +19,7 @@
+
+ /* Device address handling */
+
+-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
++static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
+ u32 portid, u32 seq, int event);
+
+ void phonet_address_notify(int event, struct net_device *dev, u8 addr)
+@@ -31,7 +31,8 @@ void phonet_address_notify(int event, st
+ nla_total_size(1), GFP_KERNEL);
+ if (skb == NULL)
+ goto errout;
+- err = fill_addr(skb, dev, addr, 0, 0, event);
++
++ err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
+ if (err < 0) {
+ WARN_ON(err == -EMSGSIZE);
+ kfree_skb(skb);
+@@ -92,8 +93,8 @@ static int addr_doit(struct sk_buff *skb
+ return err;
+ }
+
+-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
+- u32 portid, u32 seq, int event)
++static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
++ u32 portid, u32 seq, int event)
+ {
+ struct ifaddrmsg *ifm;
+ struct nlmsghdr *nlh;
+@@ -107,7 +108,7 @@ static int fill_addr(struct sk_buff *skb
+ ifm->ifa_prefixlen = 0;
+ ifm->ifa_flags = IFA_F_PERMANENT;
+ ifm->ifa_scope = RT_SCOPE_LINK;
+- ifm->ifa_index = dev->ifindex;
++ ifm->ifa_index = ifindex;
+ if (nla_put_u8(skb, IFA_LOCAL, addr))
+ goto nla_put_failure;
+ nlmsg_end(skb, nlh);
+@@ -140,7 +141,7 @@ static int getaddr_dumpit(struct sk_buff
+ if (addr_idx++ < addr_start_idx)
+ continue;
+
+- if (fill_addr(skb, pnd->netdev, addr << 2,
++ if (fill_addr(skb, pnd->netdev->ifindex, addr << 2,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, RTM_NEWADDR) < 0)
+ goto out;
--- /dev/null
+From stable+bounces-266795-greg=kroah.com@vger.kernel.org Wed Jun 17 15:34:24 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 10:33:34 -0400
+Subject: phonet: Pass net and ifindex to phonet_address_notify().
+To: stable@vger.kernel.org
+Cc: Kuniyuki Iwashima <kuniyu@amazon.com>, Eric Dumazet <edumazet@google.com>, Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260617143335.3942705-2-sashal@kernel.org>
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 68ed5c38b512b734caf3da1f87db4a99fcfe3002 ]
+
+Currently, phonet_address_notify() fetches netns and ifindex from dev.
+
+Once addr_doit() is converted to RCU, phonet_address_notify() will be
+called outside of RCU due to GFP_KERNEL, and dev will be unavailable
+there.
+
+Let's pass net and ifindex to phonet_address_notify().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/phonet/pn_dev.h | 2 +-
+ net/phonet/pn_dev.c | 10 +++++++---
+ net/phonet/pn_netlink.c | 12 ++++++------
+ 3 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/include/net/phonet/pn_dev.h
++++ b/include/net/phonet/pn_dev.h
+@@ -38,7 +38,7 @@ int phonet_address_add(struct net_device
+ int phonet_address_del(struct net_device *dev, u8 addr);
+ u8 phonet_address_get(struct net_device *dev, u8 addr);
+ int phonet_address_lookup(struct net *net, u8 addr);
+-void phonet_address_notify(int event, struct net_device *dev, u8 addr);
++void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr);
+
+ int phonet_route_add(struct net_device *dev, u8 daddr);
+ int phonet_route_del(struct net_device *dev, u8 daddr);
+--- a/net/phonet/pn_dev.c
++++ b/net/phonet/pn_dev.c
+@@ -98,10 +98,13 @@ static void phonet_device_destroy(struct
+ mutex_unlock(&pndevs->lock);
+
+ if (pnd) {
++ struct net *net = dev_net(dev);
++ u32 ifindex = dev->ifindex;
+ u8 addr;
+
+ for_each_set_bit(addr, pnd->addrs, 64)
+- phonet_address_notify(RTM_DELADDR, dev, addr);
++ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
++
+ kfree(pnd);
+ }
+ }
+@@ -244,8 +247,9 @@ static int phonet_device_autoconf(struct
+ ret = phonet_address_add(dev, req.ifr_phonet_autoconf.device);
+ if (ret)
+ return ret;
+- phonet_address_notify(RTM_NEWADDR, dev,
+- req.ifr_phonet_autoconf.device);
++
++ phonet_address_notify(dev_net(dev), RTM_NEWADDR, dev->ifindex,
++ req.ifr_phonet_autoconf.device);
+ return 0;
+ }
+
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -22,7 +22,7 @@
+ static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
+ u32 portid, u32 seq, int event);
+
+-void phonet_address_notify(int event, struct net_device *dev, u8 addr)
++void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr)
+ {
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+@@ -32,17 +32,17 @@ void phonet_address_notify(int event, st
+ if (skb == NULL)
+ goto errout;
+
+- err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
++ err = fill_addr(skb, ifindex, addr, 0, 0, event);
+ if (err < 0) {
+ WARN_ON(err == -EMSGSIZE);
+ kfree_skb(skb);
+ goto errout;
+ }
+- rtnl_notify(skb, dev_net(dev), 0,
+- RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
++
++ rtnl_notify(skb, net, 0, RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
+ return;
+ errout:
+- rtnl_set_sk_err(dev_net(dev), RTNLGRP_PHONET_IFADDR, err);
++ rtnl_set_sk_err(net, RTNLGRP_PHONET_IFADDR, err);
+ }
+
+ static const struct nla_policy ifa_phonet_policy[IFA_MAX+1] = {
+@@ -89,7 +89,7 @@ static int addr_doit(struct sk_buff *skb
+ else
+ err = phonet_address_del(dev, pnaddr);
+ if (!err)
+- phonet_address_notify(nlh->nlmsg_type, dev, pnaddr);
++ phonet_address_notify(net, nlh->nlmsg_type, ifm->ifa_index, pnaddr);
+ return err;
+ }
+
--- /dev/null
+From stable+bounces-266877-greg=kroah.com@vger.kernel.org Wed Jun 17 19:04:21 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 14:04:10 -0400
+Subject: rxrpc: Fix the ACK parser to extract the SACK table for parsing
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Michael Bommarito <michael.bommarito@gmail.com>, Marc Dionne <marc.dionne@auristor.com>, Jeffrey Altman <jaltman@auristor.com>, Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, netdev@vger.kernel.org, stable@kernel.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260617180410.271223-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 333b6d5bb9f87827ac2639c737bf9613dbae7253 ]
+
+Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
+potential incorrect access of the buffer in a fragmented UDP packet (the
+packet would probably have to be deliberately pre-generated as fragmented)
+when AF_RXRPC tries to extract the contents of the SACK table by copying
+out the contents of the SACK table into a buffer before attempting to parse
+
+AF_RXRPC assumes that it can just call skb_condense() and then validly
+access the SACK table from skb->data and that it will be a flat buffer -
+but skb_condense() can silently fail to do anything under some
+circumstances.
+
+Note that whilst rxrpc_input_soft_acks() should be able to parse extended
+ACKs, the rest of AF_RXRPC doesn't currently support that.
+
+Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
+so don't.
+
+Fixes: d57a3a151660 ("rxrpc: Save last ACK's SACK table rather than marking txbufs")
+Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://lore.kernel.org/r/20260513180907.2061972-1-michael.bommarito@gmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Eric Dumazet <edumazet@google.com>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: netdev@vger.kernel.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/105362.1780573560@warthog.procyon.org.uk
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -781,7 +781,18 @@ static void rxrpc_input_soft_acks(struct
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ unsigned int i, old_nacks = 0;
+ rxrpc_seq_t lowest_nak = seq + sp->nr_acks;
+- u8 *acks = skb->data + sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket);
++ u8 sack[256] __aligned(sizeof(unsigned long));
++ u8 *acks = sack;
++
++ /* Extract the SACK table into a flat buffer rather than accessing it
++ * directly through skb->data, which is not guaranteed to be linear for
++ * a fragmented packet (skb_condense() can silently fail to linearise
++ * it).
++ */
++ if (skb_copy_bits(skb,
++ sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket),
++ sack, umin(sp->nr_acks, sizeof(sack))) < 0)
++ return;
+
+ for (i = 0; i < sp->nr_acks; i++) {
+ if (acks[i] == RXRPC_ACK_TYPE_ACK) {
selftests-bpf-update-comments-find_equal_scalars-syn.patch
ring-buffer-remove-ring_buffer_read_prepare_sync.patch
regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
+netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
+mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
+hv-utils-handle-and-propagate-errors-in-kvp_register.patch
+futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
+drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch
+locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
+phonet-pass-ifindex-to-fill_addr.patch
+phonet-pass-net-and-ifindex-to-phonet_address_notify.patch
+net-phonet-free-phonet_device-after-rcu-grace-period.patch
+rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch
+slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
+slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
+fuse-re-lock-request-before-replacing-page-cache-folio.patch
--- /dev/null
+From stable+bounces-266970-greg=kroah.com@vger.kernel.org Thu Jun 18 03:18:32 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 22:18:26 -0400
+Subject: slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Srinivas Kandagatla <srini@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260618021826.525414-1-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 6a003446b725c44b9e3ffa111b0effbaa2d43085 ]
+
+The pm_runtime_enable() and pm_runtime_use_autosuspend() calls are
+supposed to be balanced on exit, add these calls.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-8-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1585,6 +1585,8 @@ static int qcom_slim_ngd_probe(struct pl
+ ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
+ if (ret) {
+ dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
++ pm_runtime_dont_use_autosuspend(dev);
++ pm_runtime_disable(dev);
+ return ret;
+ }
+
+@@ -1694,6 +1696,7 @@ static int qcom_slim_ngd_remove(struct p
+ {
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pdr_handle_release(ctrl->pdr);
+ qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
--- /dev/null
+From sashal@kernel.org Wed Jun 17 20:08:58 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 15:08:55 -0400
+Subject: slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>, Srinivas Kandagatla <srini@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260617190855.291480-1-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 8663e8334d7b6007f5d8a4e5dd270246f35107a6 ]
+
+Device drivers should not invoke platform_driver_register()/unregister()
+in their probe and remove paths. They should further not rely on
+platform_driver_unregister() as their only means of "deleting" their
+child devices.
+
+Introduce a helper to unregister the child device and move the
+platform_driver_register()/unregister() to module_init()/exit().
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://patch.msgid.link/20260530204421.116824-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1561,6 +1561,13 @@ static int of_qcom_slim_ngd_register(str
+ return -ENODEV;
+ }
+
++static void qcom_slim_ngd_unregister(struct qcom_slim_ngd_ctrl *ctrl)
++{
++ struct qcom_slim_ngd *ngd = ctrl->ngd;
++
++ platform_device_del(ngd->pdev);
++}
++
+ static int qcom_slim_ngd_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -1663,7 +1670,6 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ goto err_pdr_lookup;
+ }
+
+- platform_driver_register(&qcom_slim_ngd_driver);
+ return of_qcom_slim_ngd_register(dev, ctrl);
+
+ err_pdr_alloc:
+@@ -1677,7 +1683,9 @@ err_pdr_lookup:
+
+ static int qcom_slim_ngd_ctrl_remove(struct platform_device *pdev)
+ {
+- platform_driver_unregister(&qcom_slim_ngd_driver);
++ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
++
++ qcom_slim_ngd_unregister(ctrl);
+
+ return 0;
+ }
+@@ -1756,6 +1764,28 @@ static struct platform_driver qcom_slim_
+ },
+ };
+
+-module_platform_driver(qcom_slim_ngd_ctrl_driver);
++static int qcom_slim_ngd_init(void)
++{
++ int ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_driver);
++ if (ret)
++ return ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_ctrl_driver);
++ if (ret)
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++
++ return ret;
++}
++
++static void qcom_slim_ngd_exit(void)
++{
++ platform_driver_unregister(&qcom_slim_ngd_ctrl_driver);
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++}
++
++module_init(qcom_slim_ngd_init);
++module_exit(qcom_slim_ngd_exit);
+ MODULE_LICENSE("GPL v2");
+ MODULE_DESCRIPTION("Qualcomm SLIMBus NGD controller");
projects / thirdparty / kernel / stable-queue.git / commitdiff
