From 75b522131de2ac8a87c70f4eeaaed63a243abe42 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sun, 29 Dec 2024 20:33:17 -0500
Subject: [PATCH] Fixes for 6.12

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...coredump-registration-to-the-worker-.patch | 152 ++++++++++++++++++
 ...ef-in-delayed-snapshot-capture-worke.patch |  65 ++++++++
 ...eport-frozen-tasks-as-d-instead-of-r.patch |  71 ++++++++
 ..._trans_unlocked_error-to-bcachefs-no.patch |  47 ++++++
 queue-6.12/series                             |   5 +
 ...isk-from-ublk-device-if-add_disk-fai.patch |  82 ++++++++++
 6 files changed, 422 insertions(+)
 create mode 100644 queue-6.12/drm-xe-move-the-coredump-registration-to-the-worker-.patch
 create mode 100644 queue-6.12/drm-xe-take-pm-ref-in-delayed-snapshot-capture-worke.patch
 create mode 100644 queue-6.12/freezer-sched-report-frozen-tasks-as-d-instead-of-r.patch
 create mode 100644 queue-6.12/objtool-add-bch2_trans_unlocked_error-to-bcachefs-no.patch
 create mode 100644 queue-6.12/ublk-detach-gendisk-from-ublk-device-if-add_disk-fai.patch

diff --git a/queue-6.12/drm-xe-move-the-coredump-registration-to-the-worker-.patch b/queue-6.12/drm-xe-move-the-coredump-registration-to-the-worker-.patch
new file mode 100644
index 00000000000..22b102dd677
--- /dev/null
+++ b/queue-6.12/drm-xe-move-the-coredump-registration-to-the-worker-.patch
@@ -0,0 +1,152 @@
+From 7b6a623eb6aa4f77f148f191ca82b632b2811b69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 13:08:23 -0800
+Subject: drm/xe: Move the coredump registration to the worker thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit 5dce85fecb87751ec94526e1ac516dd7871e2e0c ]
+
+Adding lockdep checking to the coredump code showed that there was an
+existing violation. The dev_coredumpm_timeout() call is used to
+register the dump with the base coredump subsystem. However, that
+makes multiple memory allocations, only some of which use the GFP_
+flags passed in. So that also needs to be deferred to the worker
+function where it is safe to allocate with arbitrary flags.
+
+In order to not add protoypes for the callback functions, moving the
+_timeout call also means moving the worker thread function to later in
+the file.
+
+v2: Rebased after other changes to the worker function.
+
+Fixes: e799485044cb ("drm/xe: Introduce the dev_coredump infrastructure.")
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Francois Dugast <francois.dugast@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: "Christian König" <christian.koenig@amd.com>
+Cc: intel-xe@lists.freedesktop.org
+Cc: linux-media@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: linaro-mm-sig@lists.linaro.org
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241128210824.3302147-3-John.C.Harrison@Intel.com
+(cherry picked from commit 90f51a7f4ec1004fc4ddfbc6d1f1068d85ef4771)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_devcoredump.c | 73 +++++++++++++++--------------
+ 1 file changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c
+index c40c91e27f71..c18e463092af 100644
+--- a/drivers/gpu/drm/xe/xe_devcoredump.c
++++ b/drivers/gpu/drm/xe/xe_devcoredump.c
+@@ -144,36 +144,6 @@ static void xe_devcoredump_snapshot_free(struct xe_devcoredump_snapshot *ss)
+ 	ss->vm = NULL;
+ }
+ 
+-static void xe_devcoredump_deferred_snap_work(struct work_struct *work)
+-{
+-	struct xe_devcoredump_snapshot *ss = container_of(work, typeof(*ss), work);
+-	struct xe_devcoredump *coredump = container_of(ss, typeof(*coredump), snapshot);
+-	struct xe_device *xe = coredump_to_xe(coredump);
+-	unsigned int fw_ref;
+-
+-	xe_pm_runtime_get(xe);
+-
+-	/* keep going if fw fails as we still want to save the memory and SW data */
+-	fw_ref = xe_force_wake_get(gt_to_fw(ss->gt), XE_FORCEWAKE_ALL);
+-	if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL))
+-		xe_gt_info(ss->gt, "failed to get forcewake for coredump capture\n");
+-	xe_vm_snapshot_capture_delayed(ss->vm);
+-	xe_guc_exec_queue_snapshot_capture_delayed(ss->ge);
+-	xe_force_wake_put(gt_to_fw(ss->gt), fw_ref);
+-
+-	xe_pm_runtime_put(xe);
+-
+-	/* Calculate devcoredump size */
+-	ss->read.size = __xe_devcoredump_read(NULL, INT_MAX, coredump);
+-
+-	ss->read.buffer = kvmalloc(ss->read.size, GFP_USER);
+-	if (!ss->read.buffer)
+-		return;
+-
+-	__xe_devcoredump_read(ss->read.buffer, ss->read.size, coredump);
+-	xe_devcoredump_snapshot_free(ss);
+-}
+-
+ static ssize_t xe_devcoredump_read(char *buffer, loff_t offset,
+ 				   size_t count, void *data, size_t datalen)
+ {
+@@ -222,6 +192,45 @@ static void xe_devcoredump_free(void *data)
+ 		 "Xe device coredump has been deleted.\n");
+ }
+ 
++static void xe_devcoredump_deferred_snap_work(struct work_struct *work)
++{
++	struct xe_devcoredump_snapshot *ss = container_of(work, typeof(*ss), work);
++	struct xe_devcoredump *coredump = container_of(ss, typeof(*coredump), snapshot);
++	struct xe_device *xe = coredump_to_xe(coredump);
++	unsigned int fw_ref;
++
++	/*
++	 * NB: Despite passing a GFP_ flags parameter here, more allocations are done
++	 * internally using GFP_KERNEL expliictly. Hence this call must be in the worker
++	 * thread and not in the initial capture call.
++	 */
++	dev_coredumpm_timeout(gt_to_xe(ss->gt)->drm.dev, THIS_MODULE, coredump, 0, GFP_KERNEL,
++			      xe_devcoredump_read, xe_devcoredump_free,
++			      XE_COREDUMP_TIMEOUT_JIFFIES);
++
++	xe_pm_runtime_get(xe);
++
++	/* keep going if fw fails as we still want to save the memory and SW data */
++	fw_ref = xe_force_wake_get(gt_to_fw(ss->gt), XE_FORCEWAKE_ALL);
++	if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL))
++		xe_gt_info(ss->gt, "failed to get forcewake for coredump capture\n");
++	xe_vm_snapshot_capture_delayed(ss->vm);
++	xe_guc_exec_queue_snapshot_capture_delayed(ss->ge);
++	xe_force_wake_put(gt_to_fw(ss->gt), fw_ref);
++
++	xe_pm_runtime_put(xe);
++
++	/* Calculate devcoredump size */
++	ss->read.size = __xe_devcoredump_read(NULL, INT_MAX, coredump);
++
++	ss->read.buffer = kvmalloc(ss->read.size, GFP_USER);
++	if (!ss->read.buffer)
++		return;
++
++	__xe_devcoredump_read(ss->read.buffer, ss->read.size, coredump);
++	xe_devcoredump_snapshot_free(ss);
++}
++
+ static void devcoredump_snapshot(struct xe_devcoredump *coredump,
+ 				 struct xe_sched_job *job)
+ {
+@@ -305,10 +314,6 @@ void xe_devcoredump(struct xe_sched_job *job)
+ 	drm_info(&xe->drm, "Xe device coredump has been created\n");
+ 	drm_info(&xe->drm, "Check your /sys/class/drm/card%d/device/devcoredump/data\n",
+ 		 xe->drm.primary->index);
+-
+-	dev_coredumpm_timeout(xe->drm.dev, THIS_MODULE, coredump, 0, GFP_KERNEL,
+-			      xe_devcoredump_read, xe_devcoredump_free,
+-			      XE_COREDUMP_TIMEOUT_JIFFIES);
+ }
+ 
+ static void xe_driver_devcoredump_fini(void *arg)
+-- 
+2.39.5
+
diff --git a/queue-6.12/drm-xe-take-pm-ref-in-delayed-snapshot-capture-worke.patch b/queue-6.12/drm-xe-take-pm-ref-in-delayed-snapshot-capture-worke.patch
new file mode 100644
index 00000000000..1523b8a9d0b
--- /dev/null
+++ b/queue-6.12/drm-xe-take-pm-ref-in-delayed-snapshot-capture-worke.patch
@@ -0,0 +1,65 @@
+From ffbcd654e86be11bc074933131a1a80fb7615a0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 09:46:11 -0800
+Subject: drm/xe: Take PM ref in delayed snapshot capture worker
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+[ Upstream commit aef0b4a07277f715bfc2a0d76a16da2bc4e89205 ]
+
+The delayed snapshot capture worker can access the GPU or VRAM both of
+which require a PM reference. Take a reference in this worker.
+
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Fixes: 4f04d07c0a94 ("drm/xe: Faster devcoredump")
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241126174615.2665852-5-matthew.brost@intel.com
+(cherry picked from commit 1c6878af115a4586a40d6c14d530fa9f93e0bd83)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Stable-dep-of: 5dce85fecb87 ("drm/xe: Move the coredump registration to the worker thread")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_devcoredump.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c
+index 5221ee3f1214..c40c91e27f71 100644
+--- a/drivers/gpu/drm/xe/xe_devcoredump.c
++++ b/drivers/gpu/drm/xe/xe_devcoredump.c
+@@ -20,6 +20,7 @@
+ #include "xe_guc_ct.h"
+ #include "xe_guc_submit.h"
+ #include "xe_hw_engine.h"
++#include "xe_pm.h"
+ #include "xe_sched_job.h"
+ #include "xe_vm.h"
+ 
+@@ -147,8 +148,11 @@ static void xe_devcoredump_deferred_snap_work(struct work_struct *work)
+ {
+ 	struct xe_devcoredump_snapshot *ss = container_of(work, typeof(*ss), work);
+ 	struct xe_devcoredump *coredump = container_of(ss, typeof(*coredump), snapshot);
++	struct xe_device *xe = coredump_to_xe(coredump);
+ 	unsigned int fw_ref;
+ 
++	xe_pm_runtime_get(xe);
++
+ 	/* keep going if fw fails as we still want to save the memory and SW data */
+ 	fw_ref = xe_force_wake_get(gt_to_fw(ss->gt), XE_FORCEWAKE_ALL);
+ 	if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL))
+@@ -157,6 +161,8 @@ static void xe_devcoredump_deferred_snap_work(struct work_struct *work)
+ 	xe_guc_exec_queue_snapshot_capture_delayed(ss->ge);
+ 	xe_force_wake_put(gt_to_fw(ss->gt), fw_ref);
+ 
++	xe_pm_runtime_put(xe);
++
+ 	/* Calculate devcoredump size */
+ 	ss->read.size = __xe_devcoredump_read(NULL, INT_MAX, coredump);
+ 
+-- 
+2.39.5
+
diff --git a/queue-6.12/freezer-sched-report-frozen-tasks-as-d-instead-of-r.patch b/queue-6.12/freezer-sched-report-frozen-tasks-as-d-instead-of-r.patch
new file mode 100644
index 00000000000..288bf48e004
--- /dev/null
+++ b/queue-6.12/freezer-sched-report-frozen-tasks-as-d-instead-of-r.patch
@@ -0,0 +1,71 @@
+From d7b7674fe28c838c76a256437cff9270bd14f74e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 00:48:18 +0000
+Subject: freezer, sched: Report frozen tasks as 'D' instead of 'R'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit f718faf3940e95d5d34af9041f279f598396ab7d ]
+
+Before commit:
+
+  f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
+
+the frozen task stat was reported as 'D' in cgroup v1.
+
+However, after rewriting the core freezer logic, the frozen task stat is
+reported as 'R'. This is confusing, especially when a task with stat of
+'S' is frozen.
+
+This bug can be reproduced with these steps:
+
+	$ cd /sys/fs/cgroup/freezer/
+	$ mkdir test
+	$ sleep 1000 &
+	[1] 739         // task whose stat is 'S'
+	$ echo 739 > test/cgroup.procs
+	$ echo FROZEN > test/freezer.state
+	$ ps -aux | grep 739
+	root     739  0.1  0.0   8376  1812 pts/0    R    10:56   0:00 sleep 1000
+
+As shown above, a task whose stat is 'S' was changed to 'R' when it was
+frozen.
+
+To solve this regression, simply maintain the same reported state as
+before the rewrite.
+
+[ mingo: Enhanced the changelog and comments ]
+
+Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Michal Koutný <mkoutny@suse.com>
+Link: https://lore.kernel.org/r/20241217004818.3200515-1-chenridong@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index c14446c6164d..02eaf84c8626 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1633,8 +1633,9 @@ static inline unsigned int __task_state_index(unsigned int tsk_state,
+ 	 * We're lying here, but rather than expose a completely new task state
+ 	 * to userspace, we can make this appear as if the task has gone through
+ 	 * a regular rt_mutex_lock() call.
++	 * Report frozen tasks as uninterruptible.
+ 	 */
+-	if (tsk_state & TASK_RTLOCK_WAIT)
++	if ((tsk_state & TASK_RTLOCK_WAIT) || (tsk_state & TASK_FROZEN))
+ 		state = TASK_UNINTERRUPTIBLE;
+ 
+ 	return fls(state);
+-- 
+2.39.5
+
diff --git a/queue-6.12/objtool-add-bch2_trans_unlocked_error-to-bcachefs-no.patch b/queue-6.12/objtool-add-bch2_trans_unlocked_error-to-bcachefs-no.patch
new file mode 100644
index 00000000000..f6796a4fed7
--- /dev/null
+++ b/queue-6.12/objtool-add-bch2_trans_unlocked_error-to-bcachefs-no.patch
@@ -0,0 +1,47 @@
+From 83071f871738a5c98bbeaee71556eba89692306e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 15:48:47 +0800
+Subject: objtool: Add bch2_trans_unlocked_error() to bcachefs noreturns
+
+From: chenchangcheng <ccc194101@163.com>
+
+[ Upstream commit 31ad36a271290648e7c2288a03d7b933d20254d6 ]
+
+Fix the following objtool warning during build time:
+
+    fs/bcachefs/btree_trans_commit.o: warning: objtool: bch2_trans_commit_write_locked.isra.0() falls through to next function do_bch2_trans_commit.isra.0()
+    fs/bcachefs/btree_trans_commit.o: warning: objtool: .text: unexpected end of section
+......
+    fs/bcachefs/btree_update.o: warning: objtool: bch2_trans_update_get_key_cache() falls through to next function flush_new_cached_update()
+    fs/bcachefs/btree_update.o: warning: objtool: flush_new_cached_update() falls through to next function bch2_trans_update_by_path()
+
+bch2_trans_unlocked_error() is an Obviously Correct (tm) panic() wrapper,
+add it to the list of known noreturns.
+
+[ mingo: Improved the changelog ]
+
+Fixes: fd104e2967b7 ("bcachefs: bch2_trans_verify_not_unlocked()")
+Signed-off-by: chenchangcheng <chenchangcheng@kylinos.cn>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lkml.kernel.org/r/20241220074847.3418134-1-ccc194101@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/noreturns.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/objtool/noreturns.h b/tools/objtool/noreturns.h
+index e7da92489167..f98dc0e1c99c 100644
+--- a/tools/objtool/noreturns.h
++++ b/tools/objtool/noreturns.h
+@@ -20,6 +20,7 @@ NORETURN(__x64_sys_exit_group)
+ NORETURN(arch_cpu_idle_dead)
+ NORETURN(bch2_trans_in_restart_error)
+ NORETURN(bch2_trans_restart_error)
++NORETURN(bch2_trans_unlocked_error)
+ NORETURN(cpu_bringup_and_idle)
+ NORETURN(cpu_startup_entry)
+ NORETURN(do_exit)
+-- 
+2.39.5
+
diff --git a/queue-6.12/series b/queue-6.12/series
index 2d282df5053..d5c2f6d261f 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -76,3 +76,8 @@ drm-dp_mst-ensure-mst_primary-pointer-is-valid-in-dr.patch
 virtio-blk-don-t-keep-queue-frozen-during-system-sus.patch
 blk-mq-register-cpuhp-callback-after-hctx-is-added-t.patch
 wifi-iwlwifi-be-less-noisy-if-the-nic-is-dead-in-s3.patch
+ublk-detach-gendisk-from-ublk-device-if-add_disk-fai.patch
+drm-xe-take-pm-ref-in-delayed-snapshot-capture-worke.patch
+drm-xe-move-the-coredump-registration-to-the-worker-.patch
+objtool-add-bch2_trans_unlocked_error-to-bcachefs-no.patch
+freezer-sched-report-frozen-tasks-as-d-instead-of-r.patch
diff --git a/queue-6.12/ublk-detach-gendisk-from-ublk-device-if-add_disk-fai.patch b/queue-6.12/ublk-detach-gendisk-from-ublk-device-if-add_disk-fai.patch
new file mode 100644
index 00000000000..feb010a6724
--- /dev/null
+++ b/queue-6.12/ublk-detach-gendisk-from-ublk-device-if-add_disk-fai.patch
@@ -0,0 +1,82 @@
+From 66fde12991d8f8dfb3d4c16af51fa88eee95bf56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Dec 2024 19:06:40 +0800
+Subject: ublk: detach gendisk from ublk device if add_disk() fails
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 75cd4005da5492129917a4a4ee45e81660556104 ]
+
+Inside ublk_abort_requests(), gendisk is grabbed for aborting all
+inflight requests. And ublk_abort_requests() is called when exiting
+the uring context or handling timeout.
+
+If add_disk() fails, the gendisk may have been freed when calling
+ublk_abort_requests(), so use-after-free can be caused when getting
+disk's reference in ublk_abort_requests().
+
+Fixes the bug by detaching gendisk from ublk device if add_disk() fails.
+
+Fixes: bd23f6c2c2d0 ("ublk: quiesce request queue when aborting queue")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241225110640.351531-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 90bc605ff6c2..458ac54e7b20 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1599,6 +1599,21 @@ static void ublk_unquiesce_dev(struct ublk_device *ub)
+ 	blk_mq_kick_requeue_list(ub->ub_disk->queue);
+ }
+ 
++static struct gendisk *ublk_detach_disk(struct ublk_device *ub)
++{
++	struct gendisk *disk;
++
++	/* Sync with ublk_abort_queue() by holding the lock */
++	spin_lock(&ub->lock);
++	disk = ub->ub_disk;
++	ub->dev_info.state = UBLK_S_DEV_DEAD;
++	ub->dev_info.ublksrv_pid = -1;
++	ub->ub_disk = NULL;
++	spin_unlock(&ub->lock);
++
++	return disk;
++}
++
+ static void ublk_stop_dev(struct ublk_device *ub)
+ {
+ 	struct gendisk *disk;
+@@ -1612,14 +1627,7 @@ static void ublk_stop_dev(struct ublk_device *ub)
+ 		ublk_unquiesce_dev(ub);
+ 	}
+ 	del_gendisk(ub->ub_disk);
+-
+-	/* Sync with ublk_abort_queue() by holding the lock */
+-	spin_lock(&ub->lock);
+-	disk = ub->ub_disk;
+-	ub->dev_info.state = UBLK_S_DEV_DEAD;
+-	ub->dev_info.ublksrv_pid = -1;
+-	ub->ub_disk = NULL;
+-	spin_unlock(&ub->lock);
++	disk = ublk_detach_disk(ub);
+ 	put_disk(disk);
+  unlock:
+ 	mutex_unlock(&ub->mutex);
+@@ -2295,7 +2303,7 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, struct io_uring_cmd *cmd)
+ 
+ out_put_cdev:
+ 	if (ret) {
+-		ub->dev_info.state = UBLK_S_DEV_DEAD;
++		ublk_detach_disk(ub);
+ 		ublk_put_device(ub);
+ 	}
+ 	if (ret)
+-- 
+2.39.5
+
-- 
2.47.3