From: Greg Kroah-Hartman
Date: Thu, 25 Jun 2026 11:42:58 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.18.37~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a73b02bcbef989ac2857585910a1bbf4ba258bba;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch
fuse-re-lock-request-before-replacing-page-cache-folio.patch
futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
hv-utils-handle-and-propagate-errors-in-kvp_register.patch
locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
net-phonet-free-phonet_device-after-rcu-grace-period.patch
netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
phonet-pass-ifindex-to-fill_addr.patch
phonet-pass-net-and-ifindex-to-phonet_address_notify.patch
rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch
slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
---
diff --git a/queue-6.6/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch b/queue-6.6/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
new file mode 100644
index 0000000000..9a4340e123
--- /dev/null
+++ b/queue-6.6/dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
@@ -0,0 +1,42 @@
+From 8e2bad543eca5c25cd02cbc63d72557934d45f13 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Mon, 10 Feb 2025 13:16:22 -0600
+Subject: dlm: prevent NPD when writing a positive value to event_done
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 8e2bad543eca5c25cd02cbc63d72557934d45f13 upstream.
+
+do_uevent returns the value written to event_done. In case it is a
+positive value, new_lockspace would undo all the work, and lockspace
+would not be set. __dlm_new_lockspace, however, would treat that
+positive value as a success due to commit 8511a2728ab8 ("dlm: fix use
+count with multiple joins").
+
+Down the line, device_create_lockspace would pass that NULL lockspace to
+dlm_find_lockspace_local, leading to a NULL pointer dereference.
+
+Treating such positive values as successes prevents the problem. Given
+this has been broken for so long, this is unlikely to break userspace
+expectations.
+
+Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: David Teigland
+Signed-off-by: Nazar Kalashnikov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -631,7 +631,7 @@ static int new_lockspace(const char *nam
+ lockspace to start running (via sysfs) in dlm_ls_start(). */
+
+ error = do_uevent(ls, 1);
+- if (error)
++ if (error < 0)
+ goto out_recoverd;
+
+ /* wait until recovery is successful or failed */
diff --git a/queue-6.6/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch b/queue-6.6/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch
new file mode 100644
index 0000000000..01e4ddb4fc
--- /dev/null
+++ b/queue-6.6/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch
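Review bot: The changed test `if (error < 0)` in new_lockspace() carries no comment saying that do_uevent() hands back a value userspace wrote to event_done, so a later cleanup could turn it back into `if (error)` and reintroduce the NULL lockspace dereference the commit message describes. A one-line comment above the test would pin the intent, for example `/* event_done is written by userspace: only a negative value is a failure */`. The hunk does not show whether `error` is reassigned before the function returns; if it is not, a positive value would reach the caller and should be normalised to 0 at this point. new_lockspace() starts and ends outside the hunk.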
@@ -0,0 +1,153 @@
+From stable+bounces-266587-greg=kroah.com@vger.kernel.org Tue Jun 16 23:41:47 2026
+From: Sasha Levin
+Date: Tue, 16 Jun 2026 18:39:53 -0400
+Subject: Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
+To: stable@vger.kernel.org
+Cc: Dexuan Cui , Michael Kelley , Krister Johansen , Matthew Ruffell , Wei Liu , Sasha Levin
+Message-ID: <20260616223953.3557794-1-sashal@kernel.org>
+
+From: Dexuan Cui
+
+[ Upstream commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 ]
+
+If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve
+the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's
+screen.lfb_base being zero [1], there is an MMIO conflict between the
+drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's
+hv_allocate_config_window() calls vmbus_allocate_mmio() to get an
+MMIO range, typically it gets a 32-bit MMIO range that overlaps with the
+framebuffer MMIO range, and later hv_pci_enter_d0() fails with an
+error message "PCI Pass-through VSP failed D0 Entry with status" since
+the host thinks that PCI devices must not use MMIO space that the
+host has assigned to the framebuffer.
+
+This is especially an issue if pci-hyperv is built-in and hyperv-drm is
+built as a module. Consequently, the kdump/kexec kernel fails to detect
+PCI devices via pci-hyperv, and may fail to mount the root file system,
+which may reside in a NVMe disk. The issue described here has existed
+for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been
+worked around on x64 when possible. With the recent introduction of
+ARM64 VMs that boot from NVMe, there is no workaround, so we need a
+formal fix.
+
+On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1],
+fall back to the low MMIO base, which should be equal to the framebuffer
+MMIO base [2] (the statement is true according to my testing on x64
+Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on
+Azure. I checked with the Hyper-V team and they said the statement should
+continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base
+is not 0; if the user specifies a very high resolution, it's not enough
+to only reserve 8MB: let's always reserve half of the space below 4GB,
+but cap the reservation to 128MB, which is the required framebuffer size
+of the highest resolution 7680*4320 supported by Hyper-V.
+
+While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing
+the > to >=. Here the 'end' is an inclusive end (typically, it's
+0xFFFF_FFFF for the low MMIO range).
+
+Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning
+of the low MMIO range on CVMs, which have no framebuffers (the
+'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the
+host might treat the beginning of the low MMIO range specially [3]. BTW,
+the OpenHCL kernel is not affected by the change, because that kernel
+boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run
+there), and there is no framebuffer device for that kernel.
+
+Note: normally Gen1 VMs don't have the MMIO conflict issue because the
+framebuffer MMIO range (which is hardcoded to base=4GB-128MB and
+size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI
+graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB
+MMIO range; however, if the VM is configured to use a very high resolution
+and the required framebuffer size exceeds 64MB (AFAIK, in practice, this
+isn't a typical configuration by users), the hyperv-drm driver may need to
+allocate an MMIO range above 4GB and change the framebuffer MMIO location
+to the allocated MMIO range -- in this case, there can still be issues [4]
+which can't be easily fixed: any possible affected Gen1 users would have
+to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2
+VMs.
+
+[1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/
+[2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/
+[3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/
+[4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/
+
+Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
+CC: stable@vger.kernel.org
+Reviewed-by: Michael Kelley
+Tested-by: Krister Johansen
+Tested-by: Matthew Ruffell
+Signed-off-by: Dexuan Cui
+Signed-off-by: Wei Liu
+[ changed `sysfb_primary_display.screen.lfb_base/lfb_size` reads to the global `screen_info.lfb_base/lfb_size` and dropped the `if (IS_ENABLED(CONFIG_SYSFB))` wrapper, de-indenting the block. ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hv/vmbus_drv.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -2029,8 +2029,8 @@ static acpi_status vmbus_walk_resources(
+ return AE_NO_MEMORY;
+
+ /* If this range overlaps the virtual TPM, truncate it. */
+- if (end > VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
+- end = VTPM_BASE_ADDRESS;
++ if (end >= VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS)
++ end = VTPM_BASE_ADDRESS - 1;
+
+ new_res->name = "hyperv mmio";
+ new_res->flags = IORESOURCE_MEM;
+@@ -2097,12 +2097,31 @@ static void vmbus_mmio_remove(void)
+ static void __maybe_unused vmbus_reserve_fb(void)
+ {
+ resource_size_t start = 0, size;
++ resource_size_t low_mmio_base;
+ struct pci_dev *pdev;
+
+ if (efi_enabled(EFI_BOOT)) {
+ /* Gen2 VM: get FB base from EFI framebuffer */
+ start = screen_info.lfb_base;
+ size = max_t(__u32, screen_info.lfb_size, 0x800000);
++
++ low_mmio_base = hyperv_mmio->start;
++ if (!low_mmio_base || upper_32_bits(low_mmio_base) ||
++ (start && start < low_mmio_base)) {
++ pr_warn("Unexpected low mmio base %pa\n", &low_mmio_base);
++ } else {
++ /*
++ * If the kdump/kexec or CVM kernel's lfb_base
++ * is 0, fall back to the low mmio base.
++ */
++ if (!start)
++ start = low_mmio_base;
++ /*
++ * Reserve half of the space below 4GB for high
++ * resolutions, but cap the reservation to 128MB.
++ */
++ size = min((SZ_4G - start) / 2, SZ_128M);
++ }
+ } else {
+ /* Gen1 VM: get FB base from PCI */
+ pdev = pci_get_device(PCI_VENDOR_ID_MICROSOFT,
+@@ -2122,8 +2141,10 @@ static void __maybe_unused vmbus_reserve
+ pci_dev_put(pdev);
+ }
+
+- if (!start)
++ if (!start) {
++ pr_warn("Unexpected framebuffer mmio base of zero\n");
+ return;
++ }
+
+ /*
+ * Make a claim for the frame buffer in the resource tree under the
+@@ -2133,6 +2154,8 @@ static void __maybe_unused vmbus_reserve
+ */
+ for (; !fb_mmio && (size >= 0x100000); size >>= 1)
+ fb_mmio = __request_region(hyperv_mmio, start, size, fb_mmio_name, 0);
++
++ pr_info("hv_mmio=%pR,%pR fb=%pR\n", hyperv_mmio, hyperv_mmio->sibling, fb_mmio);
+ }
+
+ /**
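Review bot: In vmbus_reserve_fb() a failed reservation is still silent: when every `__request_region()` attempt in the final loop fails, fb_mmio stays NULL and the only trace is the new `pr_info()` line printing an empty resource at info level. That is the state in which, per the commit message, pci-hyperv can later be handed the framebuffer range, so it deserves its own warning before the pr_info(), for example `if (!fb_mmio) pr_warn("Failed to reserve framebuffer mmio at %pa\n", &start);`. The added `hyperv_mmio->start` and `hyperv_mmio->sibling` reads also assume hyperv_mmio is non-NULL; the call site is outside the hunk, so a short comment stating that precondition on the function would help.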
diff --git a/queue-6.6/fuse-re-lock-request-before-replacing-page-cache-folio.patch b/queue-6.6/fuse-re-lock-request-before-replacing-page-cache-folio.patch
new file mode 100644
index 0000000000..6d154dbafc
--- /dev/null
+++ b/queue-6.6/fuse-re-lock-request-before-replacing-page-cache-folio.patch
@@ -0,0 +1,71 @@
+From stable+bounces-267937-greg=kroah.com@vger.kernel.org Tue Jun 23 13:08:40 2026
+From: Sasha Levin
+Date: Tue, 23 Jun 2026 08:08:35 -0400
+Subject: fuse: re-lock request before replacing page cache folio
+To: stable@vger.kernel.org
+Cc: Joanne Koong , Lei Lu , Miklos Szeredi , Sasha Levin
+Message-ID: <20260623120835.1156432-1-sashal@kernel.org>
+
+From: Joanne Koong
+
+[ Upstream commit a078484921052d0badd827fcc2770b5cfc1d4120 ]
+
+fuse_try_move_folio() unlocks the request on entry but does not
+re-lock it on the success path. This means fuse_chan_abort() can end the
+request and free the fuse_io_args (eg fuse_readpages_end()) while the
+subsequent copy chain logic after fuse_try_move_folio() accesses the
+fuse_io_args, leading to use-after-free issues.
+
+Fix this by calling lock_request() before replace_page_cache_folio().
+This ensures the request is locked on the success path which will
+prevent the fuse_io_args from being freed while the later copying logic
+runs, and also ensures that the ap->folios[i]->mapping is never null
+since ap->folios[i] will always point to the newfolio after
+replace_page_cache_folio().
+
+Fixes: ce534fb05292 ("fuse: allow splice to move pages")
+Cc: stable@vger.kernel.org
+Reported-by: Lei Lu
+Signed-off-by: Joanne Koong
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dev.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -843,6 +843,10 @@ static int fuse_try_move_page(struct fus
+ if (WARN_ON(folio_test_mlocked(oldfolio)))
+ goto out_fallback_unlock;
+
++ err = lock_request(cs->req);
++ if (err)
++ goto out_fallback_unlock;
++
+ replace_page_cache_folio(oldfolio, newfolio);
+
+ folio_get(newfolio);
+@@ -856,20 +860,7 @@ static int fuse_try_move_page(struct fus
+ */
+ pipe_buf_release(cs->pipe, buf);
+
+- err = 0;
+- spin_lock(&cs->req->waitq.lock);
+- if (test_bit(FR_ABORTED, &cs->req->flags))
+- err = -ENOENT;
+- else
+- *pagep = &newfolio->page;
+- spin_unlock(&cs->req->waitq.lock);
+-
+- if (err) {
+- folio_unlock(newfolio);
+- folio_put(newfolio);
+- goto out_put_old;
+- }
+-
++ *pagep = &newfolio->page;
+ folio_unlock(oldfolio);
+ /* Drop ref for ap->pages[] array */
+ folio_put(oldfolio);
diff --git a/queue-6.6/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch b/queue-6.6/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
new file mode 100644
index 0000000000..c9de29e4e0
--- /dev/null
+++ b/queue-6.6/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
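Review bot: The new `lock_request(cs->req)` call sits before `replace_page_cache_folio()` without a comment, although its position is the whole fix: the request must be locked again before the folio swap so that an abort cannot end the request and free its arguments while the caller keeps copying. A comment above the call would record that ordering, for example `/* Re-lock before the swap so an abort cannot end the request while its args are still in use */`. On failure the code jumps to `out_fallback_unlock`, whose body is outside the hunk, so it should be confirmed that this label is the right exit for a request that is already aborted. The commit message names fuse_try_move_folio() and ap->folios[], while this 6.6 hunk patches fuse_try_move_page() and its context still says ap->pages[]; a bracketed backport note in the message would make that adaptation explicit.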
@@ -0,0 +1,48 @@
+From stable+bounces-266562-greg=kroah.com@vger.kernel.org Tue Jun 16 20:21:34 2026
+From: Sasha Levin
+Date: Tue, 16 Jun 2026 15:21:28 -0400
+Subject: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
+To: stable@vger.kernel.org
+Cc: Ji'an Zhou , Thomas Gleixner , Sasha Levin
+Message-ID: <20260616192128.3499944-1-sashal@kernel.org>
+
+From: Ji'an Zhou
+
+[ Upstream commit 74e144274af39935b0f410c0ee4d2b91c3730414 ]
+
+When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the
+target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting
+waiter->task.
+
+The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences
+the NULL waiter->task, causing a kernel crash.
+
+Add a self-deadlock check for non-top waiters before calling
+rt_mutex_start_proxy_lock(), analogous to the top-waiter check in
+futex_lock_pi_atomic().
+
+Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Signed-off-by: Ji'an Zhou
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/futex/requeue.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -629,6 +629,12 @@ retry_private:
+ continue;
+ }
+
++ /* Self-deadlock: non-top waiter already owns the PI futex. */
++ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) {
++ ret = -EDEADLK;
++ break;
++ }
++
+ ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex,
+ this->rt_waiter,
+ this->task);
diff --git a/queue-6.6/hv-utils-handle-and-propagate-errors-in-kvp_register.patch b/queue-6.6/hv-utils-handle-and-propagate-errors-in-kvp_register.patch
new file mode 100644
index 0000000000..83d88b9f68
--- /dev/null
+++ b/queue-6.6/hv-utils-handle-and-propagate-errors-in-kvp_register.patch
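Review bot: The new self-deadlock branch leaves the loop with `break` before rt_mutex_start_proxy_lock() and therefore also before whatever result handling follows that call, which is outside the hunk. If the code above the hunk has already taken a pi_state reference or marked the waiter as being requeued for this iteration (the preceding `continue; }` hints at such a prepare step, but it is not visible here), this exit has to release it the same way the existing path for a negative `ret` does. Routing the check into that existing error handling, or repeating its cleanup in the new branch with a comment saying so, would make the early exit safe to read in isolation. The surrounding loop starts and ends outside the hunk.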
@@ -0,0 +1,89 @@
+From stable+bounces-265109-greg=kroah.com@vger.kernel.org Tue Jun 16 18:15:07 2026
+From: Sasha Levin
+Date: Tue, 16 Jun 2026 13:05:11 -0400
+Subject: hv: utils: handle and propagate errors in kvp_register
+To: stable@vger.kernel.org
+Cc: Thorsten Blum , Long Li , Wei Liu , Sasha Levin
+Message-ID: <20260616170511.3370357-1-sashal@kernel.org>
+
+From: Thorsten Blum
+
+[ Upstream commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 ]
+
+Make kvp_register() return an error code instead of silently ignoring
+failures, and propagate the error from kvp_handle_handshake() instead of
+returning success.
+
+This propagates both kzalloc_obj() and hvutil_transport_send() failures
+to kvp_handle_handshake() and thus to kvp_on_msg().
+
+Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Reviewed-by: Long Li
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hv/hv_kvp.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -93,7 +93,7 @@ static void kvp_send_key(struct work_str
+ static void kvp_respond_to_host(struct hv_kvp_msg *msg, int error);
+ static void kvp_timeout_func(struct work_struct *dummy);
+ static void kvp_host_handshake_func(struct work_struct *dummy);
+-static void kvp_register(int);
++static int kvp_register(int);
+
+ static DECLARE_DELAYED_WORK(kvp_timeout_work, kvp_timeout_func);
+ static DECLARE_DELAYED_WORK(kvp_host_handshake_work, kvp_host_handshake_func);
+@@ -127,24 +127,26 @@ static void kvp_register_done(void)
+ hv_poll_channel(kvp_transaction.recv_channel, kvp_poll_wrapper);
+ }
+
+-static void
++static int
+ kvp_register(int reg_value)
+ {
+
+ struct hv_kvp_msg *kvp_msg;
+ char *version;
++ int ret;
+
+ kvp_msg = kzalloc(sizeof(*kvp_msg), GFP_KERNEL);
++ if (!kvp_msg)
++ return -ENOMEM;
+
+- if (kvp_msg) {
+- version = kvp_msg->body.kvp_register.version;
+- kvp_msg->kvp_hdr.operation = reg_value;
+- strcpy(version, HV_DRV_VERSION);
+-
+- hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
+- kvp_register_done);
+- kfree(kvp_msg);
+- }
++ version = kvp_msg->body.kvp_register.version;
++ kvp_msg->kvp_hdr.operation = reg_value;
++ strcpy(version, HV_DRV_VERSION);
++
++ ret = hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg),
++ kvp_register_done);
++ kfree(kvp_msg);
++ return ret;
+ }
+
+ static void kvp_timeout_func(struct work_struct *dummy)
+@@ -186,9 +188,8 @@ static int kvp_handle_handshake(struct h
+ */
+ pr_debug("KVP: userspace daemon ver. %d connected\n",
+ msg->kvp_hdr.operation);
+- kvp_register(dm_reg_value);
+
+- return 0;
++ return kvp_register(dm_reg_value);
+ }
+
+
diff --git a/queue-6.6/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch b/queue-6.6/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
new file mode 100644
index 0000000000..d6f99b8bde
--- /dev/null
+++ b/queue-6.6/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
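Review bot: kvp_register() now returns a value that kvp_handle_handshake() passes straight to its caller, but nothing documents the contract of either function. A comment above the definition would do, for example `/* Returns -ENOMEM if the message cannot be allocated, otherwise the result of hvutil_transport_send(). */`. What the caller of kvp_handle_handshake() does with a non-zero result is outside the hunk and should be checked, in particular if hvutil_transport_send() can return anything other than 0 or a negative errno. The re-indented `strcpy(version, HV_DRV_VERSION);` is bounded only by the length of a build-time constant; a length-checked copy such as strscpy() would make the bound explicit, assuming the destination is a fixed-size array (its declaration is not shown).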
@@ -0,0 +1,69 @@
+From stable+bounces-266612-greg=kroah.com@vger.kernel.org Wed Jun 17 02:47:48 2026
+From: Sasha Levin
+Date: Tue, 16 Jun 2026 21:47:39 -0400
+Subject: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
+To: stable@vger.kernel.org
+Cc: Davidlohr Bueso , syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com, Thomas Gleixner , Sasha Levin
+Message-ID: <20260617014739.3672034-1-sashal@kernel.org>
+
+From: Davidlohr Bueso
+
+[ Upstream commit 40a25d59e85b3c8709ac2424d44f65610467871e ]
+
+syzbot triggered the following splat in remove_waiter() via
+FUTEX_CMP_REQUEUE_PI:
+
+ KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]
+ class_raw_spinlock_constructor
+ remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561
+ rt_mutex_start_proxy_lock+0x103/0x120
+ futex_requeue+0x10e4/0x20d0
+ __x64_sys_futex+0x34f/0x4d0
+
+task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,
+leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead
+of current in remove_waiter()") made this fatal.
+
+Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()
+upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock
+return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()
+(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to
+account for try_to_take_rt_mutex().
+
+Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()")
+Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com
+Signed-off-by: Davidlohr Bueso
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/
+Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/locking/rtmutex.c | 3 +++
+ kernel/locking/rtmutex_api.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1524,6 +1524,9 @@ static void __sched remove_waiter(struct
+
+ lockdep_assert_held(&lock->wait_lock);
+
++ if (!waiter_task) /* never enqueued */
++ return;
++
+ scoped_guard(raw_spinlock, &waiter_task->pi_lock) {
+ rt_mutex_dequeue(lock, waiter);
+ waiter_task->pi_blocked_on = NULL;
+--- a/kernel/locking/rtmutex_api.c
++++ b/kernel/locking/rtmutex_api.c
+@@ -344,7 +344,7 @@ int __sched rt_mutex_start_proxy_lock(st
+
+ raw_spin_lock_irq(&lock->wait_lock);
+ ret = __rt_mutex_start_proxy_lock(lock, waiter, task);
+- if (unlikely(ret))
++ if (unlikely(ret < 0))
+ remove_waiter(lock, waiter);
+ raw_spin_unlock_irq(&lock->wait_lock);
+
diff --git a/queue-6.6/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch b/queue-6.6/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
new file mode 100644
index 0000000000..d28b852413
--- /dev/null
+++ b/queue-6.6/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
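Review bot: The early return added to remove_waiter() is explained only by the trailing `/* never enqueued */`, which does not say how a waiter reaches this function without a task, and the guard now silently accepts any caller that passes an unarmed waiter. A fuller comment above the test is warranted, for example `/* task_blocks_on_rt_mutex() can bail out on deadlock detection before setting waiter->task; nothing was queued, so there is nothing to undo. */`. The guard tests `waiter_task`, which is assigned above the hunk, so this relies on it being loaded from waiter->task before this point. In rt_mutex_start_proxy_lock() the test becomes `ret < 0`; a short comment there stating that a positive return means the lock was taken and no waiter was queued would keep the two hunks understandable on their own.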
@@ -0,0 +1,65 @@
+From stable+bounces-264330-greg=kroah.com@vger.kernel.org Tue Jun 16 16:58:47 2026
+From: Sasha Levin
+Date: Tue, 16 Jun 2026 11:55:33 -0400
+Subject: mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
+To: stable@vger.kernel.org
+Cc: Tao Cui , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin
+Message-ID: <20260616155533.3323286-1-sashal@kernel.org>
+
+From: Tao Cui
+
+[ Upstream commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a ]
+
+The userspace PM increments extra_subflows after __mptcp_subflow_connect()
+succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow()
+on failure to roll back the pre-increment done by the kernel PM's fill_*()
+helpers. Because the userspace PM hasn't incremented yet at that point,
+this decrement is spurious and causes extra_subflows to underflow.
+
+Fix it by aligning the userspace PM with the kernel PM: increment
+extra_subflows before calling __mptcp_subflow_connect(), so the existing
+error path in subflow.c correctly rolls it back on failure. Also simplify
+the error handling by taking pm.lock only when needed for cleanup.
+
+Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tao Cui
+Reviewed-by: Matthieu Baerts (NGI0)
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/pm_userspace.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/mptcp/pm_userspace.c
++++ b/net/mptcp/pm_userspace.c
+@@ -408,18 +408,21 @@ int mptcp_nl_cmd_sf_create(struct sk_buf
+ goto create_err;
+ }
+
++ spin_lock_bh(&msk->pm.lock);
++ msk->pm.subflows++;
++ spin_unlock_bh(&msk->pm.lock);
++
+ lock_sock(sk);
+
+ err = __mptcp_subflow_connect(sk, &addr_l, &addr_r);
+
+ release_sock(sk);
+
+- spin_lock_bh(&msk->pm.lock);
+- if (err)
++ if (err) {
++ spin_lock_bh(&msk->pm.lock);
+ mptcp_userspace_pm_delete_local_addr(msk, &local);
+- else
+- msk->pm.subflows++;
+- spin_unlock_bh(&msk->pm.lock);
++ spin_unlock_bh(&msk->pm.lock);
++ }
+
+ create_err:
+ sock_put((struct sock *)msk);
diff --git a/queue-6.6/net-phonet-free-phonet_device-after-rcu-grace-period.patch b/queue-6.6/net-phonet-free-phonet_device-after-rcu-grace-period.patch
new file mode 100644
index 0000000000..884dbfcec7
--- /dev/null
+++ b/queue-6.6/net-phonet-free-phonet_device-after-rcu-grace-period.patch
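Review bot: The counter is now incremented before `__mptcp_subflow_connect()`, yet the error branch in this hunk only calls `mptcp_userspace_pm_delete_local_addr()`; the matching decrement lives in another file, according to the commit message. That coupling is invisible at this call site, so the increment should carry a comment such as `/* accounted before connecting; __mptcp_subflow_connect() drops it again on failure */`. It is worth confirming in the 6.6 tree that every failure return of __mptcp_subflow_connect() goes through that rollback, since a path that skips it would now leave the count too high where it previously went too low. The commit message speaks of extra_subflows while this hunk touches `msk->pm.subflows`, which a bracketed backport note would make explicit.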
@@ -0,0 +1,43 @@
+From stable+bounces-266796-greg=kroah.com@vger.kernel.org Wed Jun 17 15:34:09 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 10:33:35 -0400
+Subject: net: phonet: free phonet_device after RCU grace period
+To: stable@vger.kernel.org
+Cc: "Santosh Kalluri" , "Rémi Denis-Courmont" , "Simon Horman" , "Jakub Kicinski" , "Sasha Levin"
+Message-ID: <20260617143335.3942705-3-sashal@kernel.org>
+
+From: Santosh Kalluri
+
+[ Upstream commit 71de0177b28da751f407581a4515cf4d762f6296 ]
+
+phonet_device_destroy() removes a phonet_device from the per-net device
+list with list_del_rcu(), but frees it immediately. RCU readers walking
+the same list can still hold a pointer to the object after it has been
+removed, leading to a slab-use-after-free.
+
+Use kfree_rcu(), matching the lifetime rule already used by
+phonet_address_del() for the same object type.
+
+Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Santosh Kalluri
+Acked-by: Rémi Denis-Courmont
+Reviewed-by: Simon Horman
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/phonet/pn_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/phonet/pn_dev.c
++++ b/net/phonet/pn_dev.c
+@@ -105,7 +105,7 @@ static void phonet_device_destroy(struct
+ for_each_set_bit(addr, pnd->addrs, 64)
+ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
+
+- kfree(pnd);
++ kfree_rcu(pnd, rcu);
+ }
+ }
+
diff --git a/queue-6.6/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch b/queue-6.6/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
new file mode 100644
index 0000000000..f27513710a
--- /dev/null
+++ b/queue-6.6/netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
@@ -0,0 +1,54 @@
+From 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 5 Mar 2026 21:32:00 +0100
+Subject: netfilter: nf_tables: always walk all pending catchall elements
+
+From: Florian Westphal
+
+commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 upstream.
+
+During transaction processing we might have more than one catchall element:
+1 live catchall element and 1 pending element that is coming as part of the
+new batch.
+
+If the map holding the catchall elements is also going away, its
+required to toggle all catchall elements and not just the first viable
+candidate.
+
+Otherwise, we get:
+ WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
+ RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
+ [..]
+ __nft_set_elem_destroy+0x106/0x380 [nf_tables]
+ nf_tables_abort_release+0x348/0x8d0 [nf_tables]
+ nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
+ nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
+
+Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
+Reported-by: Yiming Qian
+Signed-off-by: Florian Westphal
+[ Shivani: Modified to apply on v6.6.y-v6.1.y ]
+Signed-off-by: Shivani Agarwal
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -652,7 +652,6 @@ static void nft_map_catchall_deactivate(
+ elem.priv = catchall->elem;
+ nft_set_elem_change_active(ctx->net, set, ext);
+ nft_setelem_data_deactivate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
+@@ -5615,7 +5614,6 @@ static void nft_map_catchall_activate(co
+ nft_clear(ctx->net, ext);
+ elem.priv = catchall->elem;
+ nft_setelem_data_activate(ctx->net, set, &elem);
+- break;
+ }
+ }
+
diff --git a/queue-6.6/phonet-pass-ifindex-to-fill_addr.patch b/queue-6.6/phonet-pass-ifindex-to-fill_addr.patch
new file mode 100644
index 0000000000..380aef8313
--- /dev/null
+++ b/queue-6.6/phonet-pass-ifindex-to-fill_addr.patch
@@ -0,0 +1,80 @@
+From stable+bounces-266794-greg=kroah.com@vger.kernel.org Wed Jun 17 15:33:44 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 10:33:33 -0400
+Subject: phonet: Pass ifindex to fill_addr().
+To: stable@vger.kernel.org
+Cc: Kuniyuki Iwashima , Eric Dumazet , Paolo Abeni , Sasha Levin
+Message-ID: <20260617143335.3942705-1-sashal@kernel.org>
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 08a9572be36819b5d9011604edfa5db6c5062a7a ]
+
+We will convert addr_doit() and getaddr_dumpit() to RCU, both
+of which call fill_addr().
+
+The former will call phonet_address_notify() outside of RCU
+due to GFP_KERNEL, so dev will not be available in fill_addr().
+
+Let's pass ifindex directly to fill_addr().
+
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Signed-off-by: Paolo Abeni
+Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/phonet/pn_netlink.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -19,7 +19,7 @@
+
+ /* Device address handling */
+
+-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
++static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
+ u32 portid, u32 seq, int event);
+
+ void phonet_address_notify(int event, struct net_device *dev, u8 addr)
+@@ -31,7 +31,8 @@ void phonet_address_notify(int event, st
+ nla_total_size(1), GFP_KERNEL);
+ if (skb == NULL)
+ goto errout;
+- err = fill_addr(skb, dev, addr, 0, 0, event);
++
++ err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
+ if (err < 0) {
+ WARN_ON(err == -EMSGSIZE);
+ kfree_skb(skb);
+@@ -92,8 +93,8 @@ static int addr_doit(struct sk_buff *skb
+ return err;
+ }
+
+-static int fill_addr(struct sk_buff *skb, struct net_device *dev, u8 addr,
+- u32 portid, u32 seq, int event)
++static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
++ u32 portid, u32 seq, int event)
+ {
+ struct ifaddrmsg *ifm;
+ struct nlmsghdr *nlh;
+@@ -107,7 +108,7 @@ static int fill_addr(struct sk_buff *skb
+ ifm->ifa_prefixlen = 0;
+ ifm->ifa_flags = IFA_F_PERMANENT;
+ ifm->ifa_scope = RT_SCOPE_LINK;
+- ifm->ifa_index = dev->ifindex;
++ ifm->ifa_index = ifindex;
+ if (nla_put_u8(skb, IFA_LOCAL, addr))
+ goto nla_put_failure;
+ nlmsg_end(skb, nlh);
+@@ -140,7 +141,7 @@ static int getaddr_dumpit(struct sk_buff
+ if (addr_idx++ < addr_start_idx)
+ continue;
+
+- if (fill_addr(skb, pnd->netdev, addr << 2,
++ if (fill_addr(skb, pnd->netdev->ifindex, addr << 2,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, RTM_NEWADDR) < 0)
+ goto out;
diff --git a/queue-6.6/phonet-pass-net-and-ifindex-to-phonet_address_notify.patch b/queue-6.6/phonet-pass-net-and-ifindex-to-phonet_address_notify.patch
new file mode 100644
index 0000000000..1be488859c
--- /dev/null
+++ b/queue-6.6/phonet-pass-net-and-ifindex-to-phonet_address_notify.patch
@@ -0,0 +1,114 @@
+From stable+bounces-266795-greg=kroah.com@vger.kernel.org Wed Jun 17 15:34:24 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 10:33:34 -0400
+Subject: phonet: Pass net and ifindex to phonet_address_notify().
+To: stable@vger.kernel.org
+Cc: Kuniyuki Iwashima , Eric Dumazet , Paolo Abeni , Sasha Levin
+Message-ID: <20260617143335.3942705-2-sashal@kernel.org>
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 68ed5c38b512b734caf3da1f87db4a99fcfe3002 ]
+
+Currently, phonet_address_notify() fetches netns and ifindex from dev.
+
+Once addr_doit() is converted to RCU, phonet_address_notify() will be
+called outside of RCU due to GFP_KERNEL, and dev will be unavailable
+there.
+
+Let's pass net and ifindex to phonet_address_notify().
+
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Signed-off-by: Paolo Abeni
+Stable-dep-of: 71de0177b28d ("net: phonet: free phonet_device after RCU grace period")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/phonet/pn_dev.h | 2 +-
+ net/phonet/pn_dev.c | 10 +++++++---
+ net/phonet/pn_netlink.c | 12 ++++++------
+ 3 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/include/net/phonet/pn_dev.h
++++ b/include/net/phonet/pn_dev.h
+@@ -38,7 +38,7 @@ int phonet_address_add(struct net_device
+ int phonet_address_del(struct net_device *dev, u8 addr);
+ u8 phonet_address_get(struct net_device *dev, u8 addr);
+ int phonet_address_lookup(struct net *net, u8 addr);
+-void phonet_address_notify(int event, struct net_device *dev, u8 addr);
++void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr);
+
+ int phonet_route_add(struct net_device *dev, u8 daddr);
+ int phonet_route_del(struct net_device *dev, u8 daddr);
+--- a/net/phonet/pn_dev.c
++++ b/net/phonet/pn_dev.c
+@@ -98,10 +98,13 @@ static void phonet_device_destroy(struct
+ mutex_unlock(&pndevs->lock);
+
+ if (pnd) {
++ struct net *net = dev_net(dev);
++ u32 ifindex = dev->ifindex;
+ u8 addr;
+
+ for_each_set_bit(addr, pnd->addrs, 64)
+- phonet_address_notify(RTM_DELADDR, dev, addr);
++ phonet_address_notify(net, RTM_DELADDR, ifindex, addr);
++
+ kfree(pnd);
+ }
+ }
+@@ -244,8 +247,9 @@ static int phonet_device_autoconf(struct
+ ret = phonet_address_add(dev, req.ifr_phonet_autoconf.device);
+ if (ret)
+ return ret;
+- phonet_address_notify(RTM_NEWADDR, dev,
+- req.ifr_phonet_autoconf.device);
++
++ phonet_address_notify(dev_net(dev), RTM_NEWADDR, dev->ifindex,
++ req.ifr_phonet_autoconf.device);
+ return 0;
+ }
+
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -22,7 +22,7 @@
+ static int fill_addr(struct sk_buff *skb, u32 ifindex, u8 addr,
+ u32 portid, u32 seq, int event);
+
+-void phonet_address_notify(int event, struct net_device *dev, u8 addr)
++void phonet_address_notify(struct net *net, int event, u32 ifindex, u8 addr)
+ {
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+@@ -32,17 +32,17 @@ void phonet_address_notify(int event, st
+ if (skb == NULL)
+ goto errout;
+
+- err = fill_addr(skb, dev->ifindex, addr, 0, 0, event);
++ err = fill_addr(skb, ifindex, addr, 0, 0, event);
+ if (err < 0) {
+ WARN_ON(err == -EMSGSIZE);
+ kfree_skb(skb);
+ goto errout;
+ }
+- rtnl_notify(skb, dev_net(dev), 0,
+- RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
++
++ rtnl_notify(skb, net, 0, RTNLGRP_PHONET_IFADDR, NULL, GFP_KERNEL);
+ return;
+ errout:
+- rtnl_set_sk_err(dev_net(dev), RTNLGRP_PHONET_IFADDR, err);
++ rtnl_set_sk_err(net, RTNLGRP_PHONET_IFADDR, err);
+ }
+
+ static const struct nla_policy ifa_phonet_policy[IFA_MAX+1] = {
+@@ -89,7 +89,7 @@ static int addr_doit(struct sk_buff *skb
+ else
+ err = phonet_address_del(dev, pnaddr);
+ if (!err)
+- phonet_address_notify(nlh->nlmsg_type, dev, pnaddr);
++ phonet_address_notify(net, nlh->nlmsg_type, ifm->ifa_index, pnaddr);
+ return err;
+ }
+
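Review bot: In the last pn_netlink.c hunk, addr_doit() now puts `ifm->ifa_index`, a field of the request message, into the notification where it previously used `dev->ifindex`. The two are equal only if `dev` was resolved from that same field, and that lookup is outside the hunk. A one-line comment above the call would record the dependency for whoever later changes the lookup: `/* ifm->ifa_index is the index dev was looked up by */`.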
diff --git a/queue-6.6/rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch b/queue-6.6/rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch
new file mode 100644
index 0000000000..a7ae4119ba
--- /dev/null
+++ b/queue-6.6/rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch
@@ -0,0 +1,73 @@
+From stable+bounces-266877-greg=kroah.com@vger.kernel.org Wed Jun 17 19:04:21 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 14:04:10 -0400
+Subject: rxrpc: Fix the ACK parser to extract the SACK table for parsing
+To: stable@vger.kernel.org
+Cc: David Howells , Michael Bommarito , Marc Dionne , Jeffrey Altman , Eric Dumazet , "David S. Miller" , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-afs@lists.infradead.org, netdev@vger.kernel.org, stable@kernel.org, Sasha Levin
+Message-ID: <20260617180410.271223-1-sashal@kernel.org>
+
+From: David Howells
+
+[ Upstream commit 333b6d5bb9f87827ac2639c737bf9613dbae7253 ]
+
+Fix modification of the received skbuff in rxrpc_input_soft_acks() and a
+potential incorrect access of the buffer in a fragmented UDP packet (the
+packet would probably have to be deliberately pre-generated as fragmented)
+when AF_RXRPC tries to extract the contents of the SACK table by copying
+out the contents of the SACK table into a buffer before attempting to parse
+
+AF_RXRPC assumes that it can just call skb_condense() and then validly
+access the SACK table from skb->data and that it will be a flat buffer -
+but skb_condense() can silently fail to do anything under some
+circumstances.
+
+Note that whilst rxrpc_input_soft_acks() should be able to parse extended
+ACKs, the rest of AF_RXRPC doesn't currently support that.
+
+Further, there's then no need to call skb_condense() in rxrpc_input_ack(),
+so don't.
+
+Fixes: d57a3a151660 ("rxrpc: Save last ACK's SACK table rather than marking txbufs")
+Reported-by: Michael Bommarito
+Link: https://lore.kernel.org/r/20260513180907.2061972-1-michael.bommarito@gmail.com
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Jeffrey Altman
+cc: Eric Dumazet
+cc: "David S. Miller"
+cc: Jakub Kicinski
+cc: Paolo Abeni
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: netdev@vger.kernel.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/105362.1780573560@warthog.procyon.org.uk
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/input.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -781,7 +781,18 @@ static void rxrpc_input_soft_acks(struct
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+ unsigned int i, old_nacks = 0;
+ rxrpc_seq_t lowest_nak = seq + sp->nr_acks;
+- u8 *acks = skb->data + sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket);
++ u8 sack[256] __aligned(sizeof(unsigned long));
++ u8 *acks = sack;
++
++ /* Extract the SACK table into a flat buffer rather than accessing it
++ * directly through skb->data, which is not guaranteed to be linear for
++ * a fragmented packet (skb_condense() can silently fail to linearise
++ * it).
++ */
++ if (skb_copy_bits(skb,
++ sizeof(struct rxrpc_wire_header) + sizeof(struct rxrpc_ackpacket),
++ sack, umin(sp->nr_acks, sizeof(sack))) < 0)
++ return;
+
+ for (i = 0; i < sp->nr_acks; i++) {
+ if (acks[i] == RXRPC_ACK_TYPE_ACK) {
diff --git a/queue-6.6/series b/queue-6.6/series
index 897f9a98ab..01731f0656 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
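Review bot: The copy into `sack[]` is clamped to `umin(sp->nr_acks, sizeof(sack))`, but the loop that follows still iterates to `sp->nr_acks`, so the two bounds agree only while `nr_acks` cannot exceed 256. The declaration and validation of `nr_acks` are outside the hunk; if the field is wider than a byte, the loop would read stack bytes that were never copied. Deriving both bounds from one value removes the dependence on the field's type: `unsigned int nr = umin(sp->nr_acks, sizeof(sack));` for the copy, then `for (i = 0; i < nr; i++)`. rxrpc_input_soft_acks() continues past the end of the hunk, so any later indexing of `acks` by `sp->nr_acks` would need the same bound.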
@@ -27,3 +27,17 @@ selftests-bpf-tests-for-per-insn-sync_linked_regs-pr.patch
 selftests-bpf-update-comments-find_equal_scalars-syn.patch
 ring-buffer-remove-ring_buffer_read_prepare_sync.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+dlm-prevent-npd-when-writing-a-positive-value-to-event_done.patch
+netfilter-nf_tables-always-walk-all-pending-catchall-elements.patch
+mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch
+hv-utils-handle-and-propagate-errors-in-kvp_register.patch
+futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
+drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch
+locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
+phonet-pass-ifindex-to-fill_addr.patch
+phonet-pass-net-and-ifindex-to-phonet_address_notify.patch
+net-phonet-free-phonet_device-after-rcu-grace-period.patch
+rxrpc-fix-the-ack-parser-to-extract-the-sack-table-for-parsing.patch
+slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
+slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
+fuse-re-lock-request-before-replacing-page-cache-folio.patch
diff --git a/queue-6.6/slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch b/queue-6.6/slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
new file mode 100644
index 0000000000..e0765a7c8b
--- /dev/null
+++ b/queue-6.6/slimbus-qcom-ngd-ctrl-balance-pm_runtime-enablement-for-ngd.patch
@@ -0,0 +1,46 @@
+From stable+bounces-266970-greg=kroah.com@vger.kernel.org Thu Jun 18 03:18:32 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 22:18:26 -0400
+Subject: slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson , Srinivas Kandagatla , Greg Kroah-Hartman , Sasha Levin
+Message-ID: <20260618021826.525414-1-sashal@kernel.org>
+
+From: Bjorn Andersson
+
+[ Upstream commit 6a003446b725c44b9e3ffa111b0effbaa2d43085 ]
+
+The pm_runtime_enable() and pm_runtime_use_autosuspend() calls are
+supposed to be balanced on exit, add these calls.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260530204421.116824-8-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1585,6 +1585,8 @@ static int qcom_slim_ngd_probe(struct pl
+ ret = qcom_slim_ngd_qmi_svc_event_init(ctrl);
+ if (ret) {
+ dev_err(&pdev->dev, "QMI service registration failed:%d", ret);
++ pm_runtime_dont_use_autosuspend(dev);
++ pm_runtime_disable(dev);
+ return ret;
+ }
+
+@@ -1694,6 +1696,7 @@ static int qcom_slim_ngd_remove(struct p
+ {
+ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
+
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pdr_handle_release(ctrl->pdr);
+ qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
diff --git a/queue-6.6/slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch b/queue-6.6/slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
new file mode 100644
index 0000000000..9073e744c7
--- /dev/null
+++ b/queue-6.6/slimbus-qcom-ngd-ctrl-fix-up-platform_driver-registration.patch
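Review bot: The probe-side cleanup is added by hand to the single failure branch shown, after `qcom_slim_ngd_qmi_svc_event_init()`, so any other exit from qcom_slim_ngd_probe() taken after runtime PM is enabled would stay unbalanced. The enable call and the rest of the function are outside the hunk, so that cannot be confirmed from here. Enabling with `devm_pm_runtime_enable(dev)` would let devres undo both the autosuspend setting and the enable on probe failure and on unbind, making the manual pairs in both hunks unnecessary. If the manual calls are kept, the remove-path ordering against `pdr_handle_release()` deserves a short comment.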
@@ -0,0 +1,99 @@
+From sashal@kernel.org Wed Jun 17 20:08:58 2026
+From: Sasha Levin
+Date: Wed, 17 Jun 2026 15:08:55 -0400
+Subject: slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson , Dmitry Baryshkov , Mukesh Ojha , Srinivas Kandagatla , Greg Kroah-Hartman , Sasha Levin
+Message-ID: <20260617190855.291480-1-sashal@kernel.org>
+
+From: Bjorn Andersson
+
+[ Upstream commit 8663e8334d7b6007f5d8a4e5dd270246f35107a6 ]
+
+Device drivers should not invoke platform_driver_register()/unregister()
+in their probe and remove paths. They should further not rely on
+platform_driver_unregister() as their only means of "deleting" their
+child devices.
+
+Introduce a helper to unregister the child device and move the
+platform_driver_register()/unregister() to module_init()/exit().
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Mukesh Ojha
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260530204421.116824-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1561,6 +1561,13 @@ static int of_qcom_slim_ngd_register(str
+ return -ENODEV;
+ }
+
++static void qcom_slim_ngd_unregister(struct qcom_slim_ngd_ctrl *ctrl)
++{
++ struct qcom_slim_ngd *ngd = ctrl->ngd;
++
++ platform_device_del(ngd->pdev);
++}
++
+ static int qcom_slim_ngd_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -1663,7 +1670,6 @@ static int qcom_slim_ngd_ctrl_probe(stru
+ goto err_pdr_lookup;
+ }
+
+- platform_driver_register(&qcom_slim_ngd_driver);
+ return of_qcom_slim_ngd_register(dev, ctrl);
+
+ err_pdr_alloc:
+@@ -1677,7 +1683,9 @@ err_pdr_lookup:
+
+ static int qcom_slim_ngd_ctrl_remove(struct platform_device *pdev)
+ {
+- platform_driver_unregister(&qcom_slim_ngd_driver);
++ struct qcom_slim_ngd_ctrl *ctrl = platform_get_drvdata(pdev);
++
++ qcom_slim_ngd_unregister(ctrl);
+
+ return 0;
+ }
+@@ -1756,6 +1764,28 @@ static struct platform_driver qcom_slim_
+ },
+ };
+
+-module_platform_driver(qcom_slim_ngd_ctrl_driver);
++static int qcom_slim_ngd_init(void)
++{
++ int ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_driver);
++ if (ret)
++ return ret;
++
++ ret = platform_driver_register(&qcom_slim_ngd_ctrl_driver);
++ if (ret)
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++
++ return ret;
++}
++
++static void qcom_slim_ngd_exit(void)
++{
++ platform_driver_unregister(&qcom_slim_ngd_ctrl_driver);
++ platform_driver_unregister(&qcom_slim_ngd_driver);
++}
++
++module_init(qcom_slim_ngd_init);
++module_exit(qcom_slim_ngd_exit);
+ MODULE_LICENSE("GPL v2");
+ MODULE_DESCRIPTION("Qualcomm SLIMBus NGD controller");
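Review bot: The new `qcom_slim_ngd_unregister()` calls only `platform_device_del()`, which takes the child off the bus but does not drop the reference held since the device was created. The creation in of_qcom_slim_ngd_register() is outside the hunk; if it pairs platform_device_alloc() with platform_device_add(), the matching teardown is `platform_device_unregister(ngd->pdev);`, which performs both the del and the put. The helper also dereferences `ctrl->ngd` without a check, so it relies on remove running only after a probe that set it. Separately, `qcom_slim_ngd_init()` and `qcom_slim_ngd_exit()` could carry the `__init` and `__exit` annotations.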