From 3146b1dffae8e94d76e52eba040984b679457414 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 20 May 2026 18:08:41 +0200 Subject: [PATCH] 6.12-stable patches added patches: btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch iommufd-fix-return-value-of-iommufd_fault_fops_write.patch mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch mptcp-fix-rx-timestamp-corruption-on-fastopen.patch mptcp-pm-prio-skip-closed-subflows.patch rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch spi-sifive-fix-controller-deregistration.patch spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch --- ...pressible-after-inline-attempt-fails.patch | 81 +++++++ ...ans-update-when-removing-a-directory.patch | 223 ++++++++++++++++++ ...ir-to-avoid-so-much-usage-of-btrfs_i.patch | 102 ++++++++ ...red-in-local-variable-at-btrfs_rmdir.patch | 40 ++++ ...c-extension-to-prevent-infinite-loop.patch | 56 +++++ ...rcu-for-srcu-protected-children-list.patch | 45 ++++ ...arm-of-lockdep-on-cp_global_sem-lock.patch | 102 ++++++++ ...pping-when-inline-inode-is-unwritten.patch | 68 ++++++ ...rn-value-of-iommufd_fault_fops_write.patch | 47 ++++ ...drop-__mptcp_fastopen_gen_msk_ackseq.patch | 137 +++++++++++ ...-rx-timestamp-corruption-on-fastopen.patch | 54 +++++ .../mptcp-pm-prio-skip-closed-subflows.patch | 46 ++++ ...ble-warn_on-in-mana_ib_create_qp_rss.patch | 45 ++++ 
...t-null-kit-dsq-after-failed-iter_new.patch | 48 ++++ queue-6.12/series | 17 ++ ...or-aes-256-encryption-key-derivation.patch | 154 ++++++++++++ ...sifive-fix-controller-deregistration.patch | 57 +++++ ...k-handling-with-devm_clk_get_enabled.patch | 106 +++++++++ 18 files changed, 1428 insertions(+) create mode 100644 queue-6.12/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch create mode 100644 queue-6.12/btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch create mode 100644 queue-6.12/btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch create mode 100644 queue-6.12/btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch create mode 100644 queue-6.12/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch create mode 100644 queue-6.12/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch create mode 100644 queue-6.12/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch create mode 100644 queue-6.12/f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch create mode 100644 queue-6.12/iommufd-fix-return-value-of-iommufd_fault_fops_write.patch create mode 100644 queue-6.12/mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch create mode 100644 queue-6.12/mptcp-fix-rx-timestamp-corruption-on-fastopen.patch create mode 100644 queue-6.12/mptcp-pm-prio-skip-closed-subflows.patch create mode 100644 queue-6.12/rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch create mode 100644 queue-6.12/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch create mode 100644 queue-6.12/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch create mode 100644 queue-6.12/spi-sifive-fix-controller-deregistration.patch create mode 100644 queue-6.12/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch 
diff --git a/queue-6.12/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch b/queue-6.12/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
new file mode 100644
index 0000000000..91a4b2b724
--- /dev/null
+++ b/queue-6.12/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
@@ -0,0 +1,81 @@
+From stable+bounces-249091-greg=kroah.com@vger.kernel.org Sun May 17 15:52:20 2026
+From: Sasha Levin
+Date: Sun, 17 May 2026 09:52:07 -0400
+Subject: btrfs: do not mark inode incompressible after inline attempt fails
+To: stable@vger.kernel.org
+Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin
+Message-ID: <20260517135207.148738-1-sashal@kernel.org>
+
+From: Qu Wenruo
+
+[ Upstream commit 2e0e3716c7b6f8d71df2fbe709b922e54700f71b ]
+
+[BUG]
+The following sequence will set the file with nocompress flag:
+
+ # mkfs.btrfs -f $dev
+ # mount $dev $mnt -o max_inline=4,compress
+ # xfs_io -f -c "pwrite 0 2k" -c sync $mnt/foobar
+
+The inode will have NOCOMPRESS flag, even if the content itself (all 0xcd)
+can still be compressed very well:
+
+ item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160
+ generation 9 transid 10 size 2097152 nbytes 1052672
+ block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
+ sequence 257 flags 0x8(NOCOMPRESS)
+
+Please note that, this behavior is there even before commit 59615e2c1f63
+("btrfs: reject single block sized compression early").
+
+[CAUSE]
+At compress_file_range(), after btrfs_compress_folios() call, we try
+making an inlined extent by calling cow_file_range_inline().
+
+But cow_file_range_inline() calls can_cow_file_range_inline() which has
+more accurate checks on if the range can be inlined.
+
+One of the user configurable conditions is the "max_inline=" mount
+option. If that value is set low (like the example, 4 bytes, which
+cannot store any header), or the compressed content is just slightly
+larger than 2K (the default value, meaning a 50% compression ratio),
+cow_file_range_inline() will return 1 immediately.
+
+And since we're here only to try inline the compressed data, the range
+is no larger than a single fs block.
+
+Thus compression is never going to make it a win, we fall back to
+marking the inode incompressible unavoidably.
+
+[FIX]
+Just add an extra check after inline attempt, so that if the inline
+attempt failed, do not set the nocompress flag.
+
+As there is no way to remove that flag, and the default 50% compression
+ratio is way too strict for the whole inode.
+
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1085,6 +1085,12 @@ again:
+ mapping_set_error(mapping, -EIO);
+ goto free_pages;
+ }
++ /*
++ * If a single block at file offset 0 cannot be inlined, fall back to
++ * regular writes without marking the file incompressible.
++ */
++ if (start == 0 && end <= blocksize)
++ goto cleanup_and_bail_uncompressed;
+
+ /*
+ * We aren't doing an inline extent. Round the compressed size up to a
diff --git a/queue-6.12/btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch b/queue-6.12/btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch
new file mode 100644
index 0000000000..420649ff6a
--- /dev/null
+++ b/queue-6.12/btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch
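Review bot: The added `if (start == 0 && end <= blocksize)` branch does not test the result of the inline attempt; it is only right because, per the changelog, control reaches it after the attempt has already failed to produce an inline extent, and the new comment does not say so. I would add a line to the comment such as `* Reached only when the inline attempt above did not create an inline extent.` so the guard is not moved or reused out of context. If `end` is an inclusive offset in this function (not visible in the hunk), `end <= blocksize` also admits a range one byte longer than a block, so the bound should be checked against the inline eligibility test. The `cleanup_and_bail_uncompressed` label and the rest of the function are outside the hunk.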
@@ -0,0 +1,223 @@ +From stable+bounces-249030-greg=kroah.com@vger.kernel.org Sat May 16 21:09:28 2026 +From: Sasha Levin +Date: Sat, 16 May 2026 15:09:18 -0400 +Subject: btrfs: fix missing last_unlink_trans update when removing a directory +To: stable@vger.kernel.org +Cc: Filipe Manana , Slava0135 , David Sterba , Sasha Levin +Message-ID: <20260516190918.4017278-3-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 999757231c49376cd1a37308d2c8c4c9932571e1 ] + +When removing a directory we are not updating its last_unlink_trans field, +which can result in incorrect fsync behaviour in case some one fsyncs the +directory after it was removed because it's holding a file descriptor on +it. + +Example scenario: + + mkdir /mnt/dir1 + mkdir /mnt/dir1/dir2 + mkdir /mnt/dir3 + + sync -f /mnt + + # Do some change to the directory and fsync it. + chmod 700 /mnt/dir1 + xfs_io -c fsync /mnt/dir1 + + # Move dir2 out of dir1 so that dir1 becomes empty. + mv /mnt/dir1/dir2 /mnt/dir3/ + + open fd on /mnt/dir1 + call rmdir(2) on path "/mnt/dir1" + fsync fd + + + +When attempting to mount the filesystem, the log replay will fail with +an -EIO error and dmesg/syslog has the following: + + [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 + [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm + [445771.627912] BTRFS info (device dm-0): start tree-log replay + [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 + [445771.629453] memcg:ffff89f400351b00 + [445771.629892] aops:btree_aops [btrfs] ino:1 + [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) + [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 + [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 + [445771.635029] page dumped because: eb page dump + [445771.635825] BTRFS 
critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir + [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 + [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 + [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 + [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 + [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 + [445771.638100] rdev 0 sequence 2 flags 0x0 + [445771.638102] atime 1775744884.0 + [445771.660056] ctime 1775744885.645502983 + [445771.660058] mtime 1775744885.645502983 + [445771.660060] otime 1775744884.0 + [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 + [445771.660064] index 0 name_len 2 + [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 + [445771.660068] location key (259 1 0) type 2 + [445771.660070] transid 9 data_len 0 name_len 4 + [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 + [445771.660076] location key (257 1 0) type 2 + [445771.660077] transid 9 data_len 0 name_len 4 + [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 + [445771.660079] location key (257 1 0) type 2 + [445771.660080] transid 9 data_len 0 name_len 4 + [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 + [445771.660082] location key (259 1 0) type 2 + [445771.660083] transid 9 data_len 0 name_len 4 + [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 + [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 + [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 + [445771.660088] rdev 0 sequence 2 flags 0x0 + [445771.660089] atime 1775744885.641174097 + [445771.660090] ctime 1775744885.645502983 + [445771.660091] mtime 1775744885.645502983 + [445771.660105] otime 1775744885.641174097 + [445771.660106] item 7 key 
(257 INODE_REF 256) itemoff 15801 itemsize 14 + [445771.660107] index 2 name_len 4 + [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 + [445771.660109] location key (258 1 0) type 2 + [445771.660110] transid 9 data_len 0 name_len 4 + [445771.660111] item 9 key (257 DIR_INDEX 2) itemoff 15733 itemsize 34 + [445771.660112] location key (258 1 0) type 2 + [445771.660113] transid 9 data_len 0 name_len 4 + [445771.660114] item 10 key (258 INODE_ITEM 0) itemoff 15573 itemsize 160 + [445771.660115] inode generation 9 transid 10 size 0 nbytes 0 + [445771.660116] block group 0 mode 40755 links 2 uid 0 gid 0 + [445771.660117] rdev 0 sequence 0 flags 0x0 + [445771.660118] atime 1775744885.645502983 + [445771.660119] ctime 1775744885.645502983 + [445771.660120] mtime 1775744885.645502983 + [445771.660121] otime 1775744885.645502983 + [445771.660122] item 11 key (258 INODE_REF 257) itemoff 15559 itemsize 14 + [445771.660123] index 2 name_len 4 + [445771.660124] item 12 key (258 INODE_REF 259) itemoff 15545 itemsize 14 + [445771.660125] index 2 name_len 4 + [445771.660126] item 13 key (259 INODE_ITEM 0) itemoff 15385 itemsize 160 + [445771.660127] inode generation 9 transid 10 size 8 nbytes 0 + [445771.660128] block group 0 mode 40755 links 1 uid 0 gid 0 + [445771.660129] rdev 0 sequence 1 flags 0x0 + [445771.660130] atime 1775744885.645502983 + [445771.660130] ctime 1775744885.645502983 + [445771.660131] mtime 1775744885.645502983 + [445771.660132] otime 1775744885.645502983 + [445771.660133] item 14 key (259 INODE_REF 256) itemoff 15371 itemsize 14 + [445771.660134] index 3 name_len 4 + [445771.660135] item 15 key (259 DIR_ITEM 2676584006) itemoff 15337 itemsize 34 + [445771.660136] location key (258 1 0) type 2 + [445771.660137] transid 10 data_len 0 name_len 4 + [445771.660138] item 16 key (259 DIR_INDEX 2) itemoff 15303 itemsize 34 + [445771.660139] location key (258 1 0) type 2 + [445771.660140] transid 10 data_len 0 name_len 4 + 
[445771.660144] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected + [445771.661650] ------------[ cut here ]------------ + [445771.662358] WARNING: fs/btrfs/disk-io.c:326 at btree_csum_one_bio+0x217/0x230 [btrfs], CPU#8: mount/3581087 + [445771.663588] Modules linked in: btrfs f2fs xfs (...) + [445771.671229] CPU: 8 UID: 0 PID: 3581087 Comm: mount Tainted: G W 7.0.0-rc6-btrfs-next-230+ #2 PREEMPT(full) + [445771.672575] Tainted: [W]=WARN + [445771.672987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [445771.674460] RIP: 0010:btree_csum_one_bio+0x217/0x230 [btrfs] + [445771.675222] Code: 89 44 24 (...) + [445771.677364] RSP: 0018:ffffd23882247660 EFLAGS: 00010246 + [445771.678029] RAX: 0000000000000000 RBX: ffff89f6c51d1a90 RCX: 0000000000000000 + [445771.678975] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff89f406020000 + [445771.679983] RBP: ffff89f821204000 R08: 0000000000000000 R09: 00000000ffefffff + [445771.680905] R10: ffffd23882247448 R11: 0000000000000003 R12: ffffd23882247668 + [445771.681978] R13: ffff89f458e40fc0 R14: ffff89f737f4f500 R15: ffff89f737f4f500 + [445771.682912] FS: 00007f0447a98840(0000) GS:ffff89fb9771d000(0000) knlGS:0000000000000000 + [445771.684393] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [445771.685230] CR2: 00007f0447bf1330 CR3: 000000017cb02002 CR4: 0000000000370ef0 + [445771.686273] Call Trace: + [445771.686646] + [445771.686969] btrfs_submit_bbio+0x83f/0x860 [btrfs] + [445771.687750] ? write_one_eb+0x28f/0x340 [btrfs] + [445771.688428] btree_writepages+0x2e3/0x550 [btrfs] + [445771.689180] ? kmem_cache_alloc_noprof+0x12a/0x490 + [445771.689963] ? alloc_extent_state+0x19/0x120 [btrfs] + [445771.690801] ? kmem_cache_free+0x135/0x380 + [445771.691328] ? preempt_count_add+0x69/0xa0 + [445771.691831] ? set_extent_bit+0x252/0x8e0 [btrfs] + [445771.692468] ? xas_load+0x9/0xc0 + [445771.692873] ? 
xas_find+0x14d/0x1a0 + [445771.693304] do_writepages+0xc6/0x160 + [445771.693756] filemap_writeback+0xb8/0xe0 + [445771.694274] btrfs_write_marked_extents+0x61/0x170 [btrfs] + [445771.694999] btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs] + [445771.695818] btrfs_commit_transaction+0x5c8/0xd10 [btrfs] + [445771.696530] ? kmem_cache_free+0x135/0x380 + [445771.697120] ? release_extent_buffer+0x34/0x160 [btrfs] + [445771.697786] btrfs_recover_log_trees+0x7be/0x7e0 [btrfs] + [445771.698525] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs] + [445771.699206] open_ctree+0x11e5/0x1810 [btrfs] + [445771.699776] btrfs_get_tree.cold+0xb/0x162 [btrfs] + [445771.700463] ? fscontext_read+0x165/0x180 + [445771.701146] ? rw_verify_area+0x50/0x180 + [445771.701866] vfs_get_tree+0x25/0xd0 + [445771.702491] vfs_cmd_create+0x59/0xe0 + [445771.703125] __do_sys_fsconfig+0x303/0x610 + [445771.703603] do_syscall_64+0xe9/0xf20 + [445771.703974] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [445771.704700] RIP: 0033:0x7f0447cbd4aa + [445771.705108] Code: 73 01 c3 (...) + [445771.707263] RSP: 002b:00007ffc4e528318 EFLAGS: 00000246 ORIG_RAX: 00000000000001af + [445771.708107] RAX: ffffffffffffffda RBX: 00005561585d8c20 RCX: 00007f0447cbd4aa + [445771.708931] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 + [445771.709744] RBP: 00005561585d9120 R08: 0000000000000000 R09: 0000000000000000 + [445771.710674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + [445771.711477] R13: 00007f0447e4f580 R14: 00007f0447e5126c R15: 00007f0447e36a23 + [445771.712277] + [445771.712541] ---[ end trace 0000000000000000 ]--- + [445771.713382] BTRFS error (device dm-0): error while writing out transaction: -5 + [445771.714679] BTRFS warning (device dm-0): Skipping commit of aborted transaction. 
+ [445771.715562] BTRFS error (device dm-0 state A): Transaction aborted (error -5) + [445771.716459] BTRFS: error (device dm-0 state A) in cleanup_transaction:2068: errno=-5 IO failure + [445771.717936] BTRFS error (device dm-0 state EA): failed to recover log trees with error: -5 + [445771.719681] BTRFS error (device dm-0 state EA): open_ctree failed: -5 + +The problem is that such a fsync should have result in a fallback to a +transaction commit, but that did not happen because through the +btrfs_rmdir() we never update the directory's last_unlink_trans field. +Any inode that had a link removed must have its last_unlink_trans updated +to the ID of transaction used for the operation, otherwise fsync and log +replay will not work correctly. + +btrfs_rmdir() calls btrfs_unlink_inode() and through that call chain we +never call btrfs_record_unlink_dir() in order to update last_unlink_trans. +However btrfs_unlink(), which is used for unlinking regular files, calls +btrfs_record_unlink_dir() and then calls btrfs_unlink_inode(). So fix +this by moving the call to btrfs_record_unlink_dir() from btrfs_unlink() +to btrfs_unlink_inode(). + +A test case for fstests will follow soon. + +Reported-by: Slava0135 +Link: https://lore.kernel.org/linux-btrfs/CAAJYhww5ov62Hm+n+tmhcL-e_4cBobg+OWogKjOJxVUXivC=MQ@mail.gmail.com/ +CC: stable@vger.kernel.org +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4801,6 +4801,8 @@ static int btrfs_rmdir(struct inode *vfs + if (ret) + goto out; + ++ btrfs_record_unlink_dir(trans, dir, inode, false); ++ + /* now the directory is empty */ + ret = btrfs_unlink_inode(trans, dir, inode, &fname.disk_name); + if (!ret) 
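Review bot: The changelog says the fix moves the `btrfs_record_unlink_dir()` call from `btrfs_unlink()` into `btrfs_unlink_inode()`, but the hunk instead adds `btrfs_record_unlink_dir(trans, dir, inode, false);` to `btrfs_rmdir()`, and the diffstat shows two insertions with no deletions. Other adapted backports in this queue carry a bracketed note describing the deviation; this one should as well, for example `[ 6.12: call btrfs_record_unlink_dir() directly in btrfs_rmdir() instead of moving it into btrfs_unlink_inode() ]`. Because the call is added only in `btrfs_rmdir()`, any other caller of `btrfs_unlink_inode()` that the upstream change would cover is not covered here; whether such callers exist in 6.12 cannot be seen from this hunk. `btrfs_rmdir()` starts and ends outside the hunk.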
diff --git a/queue-6.12/btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch b/queue-6.12/btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch new file mode 100644 index 0000000000..38696b0304 --- /dev/null +++ b/queue-6.12/btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch 
@@ -0,0 +1,102 @@ +From stable+bounces-249029-greg=kroah.com@vger.kernel.org Sat May 16 21:09:26 2026 +From: Sasha Levin +Date: Sat, 16 May 2026 15:09:17 -0400 +Subject: btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of BTRFS_I() +To: stable@vger.kernel.org +Cc: Filipe Manana , Johannes Thumshirn , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20260516190918.4017278-2-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 98060e1611177ddc842601a58258876ab435fdbf ] + +Almost everywhere we want to use a btrfs inode and therefore we have a +lot of calls to BTRFS_I(), making the code more verbose. Instead use btrfs +inode local variables to avoid so much use of BTRFS_I(). + +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: 999757231c49 ("btrfs: fix missing last_unlink_trans update when removing a directory") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4743,32 +4743,33 @@ out_up_write: + return ret; + } + +-static int btrfs_rmdir(struct inode *dir, struct dentry *dentry) ++static int btrfs_rmdir(struct inode *vfs_dir, struct dentry *dentry) + { +- struct inode *inode = d_inode(dentry); +- struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info; ++ struct btrfs_inode *dir = BTRFS_I(vfs_dir); ++ struct btrfs_inode *inode = BTRFS_I(d_inode(dentry)); ++ struct btrfs_fs_info *fs_info = inode->root->fs_info; + int ret = 0; + struct btrfs_trans_handle *trans; + struct fscrypt_name fname; + +- if (inode->i_size > BTRFS_EMPTY_DIR_SIZE) ++ if (inode->vfs_inode.i_size > BTRFS_EMPTY_DIR_SIZE) + return -ENOTEMPTY; +- if (btrfs_ino(BTRFS_I(inode)) == BTRFS_FIRST_FREE_OBJECTID) { ++ if (btrfs_ino(inode) == BTRFS_FIRST_FREE_OBJECTID) { + if 
(unlikely(btrfs_fs_incompat(fs_info, EXTENT_TREE_V2))) { + btrfs_err(fs_info, + "extent tree v2 doesn't support snapshot deletion yet"); + return -EOPNOTSUPP; + } +- return btrfs_delete_subvolume(BTRFS_I(dir), dentry); ++ return btrfs_delete_subvolume(dir, dentry); + } + +- ret = fscrypt_setup_filename(dir, &dentry->d_name, 1, &fname); ++ ret = fscrypt_setup_filename(vfs_dir, &dentry->d_name, 1, &fname); + if (ret) + return ret; + + /* This needs to handle no-key deletions later on */ + +- trans = __unlink_start_trans(BTRFS_I(dir)); ++ trans = __unlink_start_trans(dir); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + goto out_notrans; +@@ -4788,22 +4789,22 @@ static int btrfs_rmdir(struct inode *dir + * This is because we can't unlink other roots when replaying the dir + * deletes for directory foo. + */ +- if (BTRFS_I(inode)->last_unlink_trans >= trans->transid) +- btrfs_record_snapshot_destroy(trans, BTRFS_I(dir)); ++ if (inode->last_unlink_trans >= trans->transid) ++ btrfs_record_snapshot_destroy(trans, dir); + +- if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) { +- ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry); ++ if (unlikely(btrfs_ino(inode) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) { ++ ret = btrfs_unlink_subvol(trans, dir, dentry); + goto out; + } + +- ret = btrfs_orphan_add(trans, BTRFS_I(inode)); ++ ret = btrfs_orphan_add(trans, inode); + if (ret) + goto out; + + /* now the directory is empty */ +- ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(inode), &fname.disk_name); ++ ret = btrfs_unlink_inode(trans, dir, inode, &fname.disk_name); + if (!ret) +- btrfs_i_size_write(BTRFS_I(inode), 0); ++ btrfs_i_size_write(inode, 0); + out: + btrfs_end_transaction(trans); + out_notrans: diff --git a/queue-6.12/btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch b/queue-6.12/btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch new file mode 100644 index 0000000000..b6aad6723b --- /dev/null 
+++ b/queue-6.12/btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch
@@ -0,0 +1,40 @@
+From stable+bounces-249028-greg=kroah.com@vger.kernel.org Sat May 16 21:09:24 2026
+From: Sasha Levin
+Date: Sat, 16 May 2026 15:09:16 -0400
+Subject: btrfs: use inode already stored in local variable at btrfs_rmdir()
+To: stable@vger.kernel.org
+Cc: Filipe Manana , Johannes Thumshirn , Qu Wenruo , David Sterba , Sasha Levin
+Message-ID: <20260516190918.4017278-1-sashal@kernel.org>
+
+From: Filipe Manana
+
+[ Upstream commit 9f82a4ed34d870b5719f9b95f7da4f74d3325a6f ]
+
+There's no need to call d_inode(dentry) when calling btrfs_unlink_inode()
+since we have already stored that in a local inode variable. So just use
+the local variable to make the code less verbose.
+
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Stable-dep-of: 999757231c49 ("btrfs: fix missing last_unlink_trans update when removing a directory")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4801,8 +4801,7 @@ static int btrfs_rmdir(struct inode *dir
+ goto out;
+
+ /* now the directory is empty */
+- ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
+- &fname.disk_name);
++ ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(inode), &fname.disk_name);
+ if (!ret)
+ btrfs_i_size_write(BTRFS_I(inode), 0);
+ out:
diff --git a/queue-6.12/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch b/queue-6.12/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
new file mode 100644
index 0000000000..ee7b984458
--- /dev/null
+++ b/queue-6.12/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
@@ -0,0 +1,56 @@
+From stable+bounces-248916-greg=kroah.com@vger.kernel.org Fri May 15 23:01:51 2026
+From: "Maíra Canal"
+Date: Fri, 15 May 2026 17:58:09 -0300
+Subject: drm/v3d: Reject empty multisync extension to prevent infinite loop
+To: stable@vger.kernel.org
+Cc: kernel-dev@igalia.com, "Ashutosh Desai" , "Maíra Canal"
+Message-ID: <20260515205808.2392987-2-mcanal@igalia.com>
+
+From: Ashutosh Desai
+
+v3d_get_extensions() walks a userspace-provided singly-linked list of
+ioctl extensions without any bound on the chain length. A local user
+can craft a self-referential extension (ext->next == &ext) with zero
+in_sync_count and out_sync_count, which bypasses the existing duplicate-
+extension guard:
+
+ if (se->in_sync_count || se->out_sync_count)
+ return -EINVAL;
+
+The guard never fires because v3d_get_multisync_post_deps() returns
+immediately when count is zero, leaving both fields at zero on every
+iteration. The result is an infinite loop in kernel context, blocking
+the calling thread and pegging a CPU core indefinitely.
+
+Fix this by rejecting a multisync extension where both in_sync_count
+and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
+empty multisync carries no synchronization information and serves no
+useful purpose, so returning -EINVAL for such an extension is the
+correct defense against this attack vector.
+
+Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ashutosh Desai
+Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com
+Signed-off-by: Maíra Canal
+(cherry picked from commit fb44d589bf3148e13452185a6e772a7efbf2d684)
+Signed-off-by: Maíra Canal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/v3d/v3d_submit.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/v3d/v3d_submit.c
++++ b/drivers/gpu/drm/v3d/v3d_submit.c
+@@ -389,6 +389,11 @@ v3d_get_multisync_submit_deps(struct drm
+ if (multisync.pad)
+ return -EINVAL;
+
++ if (!multisync.in_sync_count && !multisync.out_sync_count) {
++ DRM_DEBUG("Empty multisync extension\n");
++ return -EINVAL;
++ }
++
+ ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count,
+ multisync.out_syncs);
+ if (ret)
diff --git a/queue-6.12/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch b/queue-6.12/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
new file mode 100644
index 0000000000..d84a16d55b
--- /dev/null
+++ b/queue-6.12/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
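Review bot: The new check in `v3d_get_multisync_submit_deps()` closes the self-referential empty-multisync case, but the changelog itself states that `v3d_get_extensions()` walks the user-supplied chain with no bound on its length, and nothing in this hunk changes that. Termination of the walk still depends on every extension handler rejecting a second visit, so a cap on the number of extensions processed would be the more durable guard; that loop is outside the hunk, so this is a follow-up suggestion rather than a defect in the visible lines. For detection, note that the rejection is reported only through `DRM_DEBUG`, which stays silent unless DRM debug output is enabled. `v3d_get_multisync_submit_deps()` starts and ends outside the hunk.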
@@ -0,0 +1,45 @@
+From stable+bounces-247972-greg=kroah.com@vger.kernel.org Fri May 15 18:37:29 2026
+From: Sasha Levin
+Date: Fri, 15 May 2026 11:55:40 -0400
+Subject: eventfs: Use list_add_tail_rcu() for SRCU-protected children list
+To: stable@vger.kernel.org
+Cc: David Carlier , Steven Rostedt , Sasha Levin
+Message-ID: <20260515155540.3359697-1-sashal@kernel.org>
+
+From: David Carlier
+
+[ Upstream commit f67950b2887fa10df50c4317a1fe98a65bc6875b ]
+
+Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected
+list variable") converted the removal side to pair with the
+list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion
+in eventfs_create_dir() was left as a plain list_add_tail(), which on
+weakly-ordered architectures can expose a new entry to the SRCU reader
+before its list pointers and fields are observable.
+
+Use list_add_tail_rcu() so the publication pairs with the existing
+list_del_rcu() and list_for_each_entry_srcu().
+
+Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com
+Signed-off-by: David Carlier
+Signed-off-by: Steven Rostedt
+[ adapted scoped_guard(mutex, &eventfs_mutex) block to explicit mutex_lock()/mutex_unlock() pair ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/tracefs/event_inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/tracefs/event_inode.c
++++ b/fs/tracefs/event_inode.c
+@@ -732,7 +732,7 @@ struct eventfs_inode *eventfs_create_dir
+
+ mutex_lock(&eventfs_mutex);
+ if (!parent->is_freed)
+- list_add_tail(&ei->list, &parent->children);
++ list_add_tail_rcu(&ei->list, &parent->children);
+ mutex_unlock(&eventfs_mutex);
+
+ /* Was the parent freed? */
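Review bot: The switch to `list_add_tail_rcu()` carries no comment naming the reader it pairs with, so a later cleanup could quietly turn it back into a plain `list_add_tail()` because the insertion already sits under `eventfs_mutex`. I would add `/* Pairs with list_for_each_entry_srcu() in eventfs_iterate() */` above the call, which is the pairing the changelog describes. `eventfs_create_dir()` starts and ends outside the hunk.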
diff --git a/queue-6.12/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch b/queue-6.12/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
new file mode 100644
index 0000000000..6be53907b6
--- /dev/null
+++ b/queue-6.12/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
@@ -0,0 +1,102 @@
+From stable+bounces-249579-greg=kroah.com@vger.kernel.org Tue May 19 14:44:42 2026
+From: Sasha Levin
+Date: Tue, 19 May 2026 08:41:56 -0400
+Subject: f2fs: fix false alarm of lockdep on cp_global_sem lock
+To: stable@vger.kernel.org
+Cc: Chao Yu , stable@kernel.org, Shin'ichiro Kawasaki , Jaegeuk Kim , Sasha Levin
+Message-ID: <20260519124156.2447314-1-sashal@kernel.org>
+
+From: Chao Yu
+
+[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]
+
+lockdep reported a potential deadlock:
+
+a) TCMU device removal context:
+ - call del_gendisk() to get q->q_usage_counter
+ - call start_flush_work() to get work_completion of wb->dwork
+b) f2fs writeback context:
+ - in wb_workfn(), which holds work_completion of wb->dwork
+ - call f2fs_balance_fs() to get sbi->gc_lock
+c) f2fs vfs_write context:
+ - call f2fs_gc() to get sbi->gc_lock
+ - call f2fs_write_checkpoint() to get sbi->cp_global_sem
+d) f2fs mount context:
+ - call recover_fsync_data() to get sbi->cp_global_sem
+ - call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
+ that goes down to blk_mq_alloc_request and get q->q_usage_counter
+
+Original callstack is in Closes tag.
+
+However, I think this is a false alarm due to before mount returns
+successfully (context d), we can not access file therein via vfs_write
+(context c).
+
+Let's introduce per-sb cp_global_sem_key, and assign the key for
+cp_global_sem, so that lockdep can recognize cp_global_sem from
+different super block correctly.
+
+A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for
+the work.
+
+Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
+Cc: stable@kernel.org
+Reported-and-tested-by: Shin'ichiro Kawasaki
+Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Shin'ichiro Kawasaki
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+[ adapted context to use `init_f2fs_rwsem()` instead of the not-yet-backported `init_f2fs_rwsem_trace()` macro ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/f2fs.h | 3 +++
+ fs/f2fs/super.c | 11 +++++++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1858,6 +1858,9 @@ struct f2fs_sb_info {
+ spinlock_t iostat_lat_lock;
+ struct iostat_lat_info *iostat_io_lat;
+ #endif
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++ struct lock_class_key cp_global_sem_key;
++#endif
+ };
+
+ /* Definitions to access f2fs_sb_info */
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4490,6 +4490,11 @@ try_onemore:
+ init_f2fs_rwsem(&sbi->gc_lock);
+ mutex_init(&sbi->writepages);
+ init_f2fs_rwsem(&sbi->cp_global_sem);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++ lockdep_register_key(&sbi->cp_global_sem_key);
++ lockdep_set_class(&sbi->cp_global_sem.internal_rwsem,
++ &sbi->cp_global_sem_key);
++#endif
+ init_f2fs_rwsem(&sbi->node_write);
+ init_f2fs_rwsem(&sbi->node_change);
+ spin_lock_init(&sbi->stat_lock);
+@@ -4963,6 +4968,9 @@ free_sb_buf:
+ free_sbi:
+ if (sbi->s_chksum_driver)
+ crypto_free_shash(sbi->s_chksum_driver);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++ lockdep_unregister_key(&sbi->cp_global_sem_key);
++#endif
+ kfree(sbi);
+ sb->s_fs_info = NULL;
+
+@@ -5015,6 +5023,9 @@ static void kill_f2fs_super(struct super
+ /* Release block devices last, after fscrypt_destroy_keyring(). */
+ if (sbi) {
+ destroy_device_list(sbi);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++ lockdep_unregister_key(&sbi->cp_global_sem_key);
++#endif
+ kfree(sbi);
+ sb->s_fs_info = NULL;
+ }
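Review bot: The `lockdep_unregister_key(&sbi->cp_global_sem_key);` added under `free_sbi:` is balanced only if no path reaches that label before the `lockdep_register_key()` call near `try_onemore:` has run. The hunks do not show the code between the allocation of `sbi` and the lock initialisation, so that ordering needs confirming before this is merged. A one-line comment at the registration, such as `/* per-sb lock class so lockdep does not conflate cp_global_sem across super blocks */`, would record why the key exists and why it must be unregistered before `kfree(sbi)` in both teardown paths. The enclosing functions in `super.c` start and end outside the hunks.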
diff --git a/queue-6.12/f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch b/queue-6.12/f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch new file mode 100644 index 0000000000..47b0e9ca62 --- /dev/null +++ b/queue-6.12/f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch 
@@ -0,0 +1,68 @@
+From stable+bounces-249578-greg=kroah.com@vger.kernel.org Tue May 19 14:44:06 2026
+From: Sasha Levin
+Date: Tue, 19 May 2026 08:41:45 -0400
+Subject: f2fs: fix incorrect file address mapping when inline inode is unwritten
+To: stable@vger.kernel.org
+Cc: Yongpeng Yang , stable@kernel.org, Chao Yu , Jaegeuk Kim , Sasha Levin
+Message-ID: <20260519124145.2443975-1-sashal@kernel.org>
+
+From: Yongpeng Yang
+
+[ Upstream commit 68a0178981a0f493295afa29f8880246e561494c ]
+
+When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
+and inline data has not been persisted yet, the physical address of the
+extent is calculated incorrectly for unwritten inline inodes.
+
+root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
+root@vm:/mnt/f2fs# f2fs_io fiemap 0 100 data.3k
+Fiemap: offset = 0 len = 100
+ logical addr. physical addr. length flags
+0 0000000000000000 00000ffffffff16c 0000000000000c00 00000301
+
+This patch fixes the issue by checking if the inode's address is valid.
+If the inline inode is unwritten, set the physical address to 0 and
+mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
+flags.
+
+Cc: stable@kernel.org
+Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data")
+Signed-off-by: Yongpeng Yang
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+[ renamed `ifolio` to `ipage` in `inline_data_addr()` and `F2FS_INODE()` calls ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/inline.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -790,7 +790,7 @@ int f2fs_read_inline_dir(struct file *fi
+ int f2fs_inline_data_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo, __u64 start, __u64 len)
+ {
+- __u64 byteaddr, ilen;
++ __u64 byteaddr = 0, ilen;
+ __u32 flags = FIEMAP_EXTENT_DATA_INLINE | FIEMAP_EXTENT_NOT_ALIGNED |
+ FIEMAP_EXTENT_LAST;
+ struct node_info ni;
+@@ -823,9 +823,14 @@ int f2fs_inline_data_fiemap(struct inode
+ if (err)
+ goto out;
+
+- byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
+- byteaddr += (char *)inline_data_addr(inode, ipage) -
+- (char *)F2FS_INODE(ipage);
++ if (__is_valid_data_blkaddr(ni.blk_addr)) {
++ byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
++ byteaddr += (char *)inline_data_addr(inode, ipage) -
++ (char *)F2FS_INODE(ipage);
++ } else {
++ f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR);
++ flags |= FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN;
++ }
+ err = fiemap_fill_next_extent(fieinfo, start, byteaddr, ilen, flags);
+ trace_f2fs_fiemap(inode, start, byteaddr, ilen, flags, err);
+ out:
diff --git a/queue-6.12/iommufd-fix-return-value-of-iommufd_fault_fops_write.patch b/queue-6.12/iommufd-fix-return-value-of-iommufd_fault_fops_write.patch
new file mode 100644
index 0000000000..53955f9184
--- /dev/null
+++ b/queue-6.12/iommufd-fix-return-value-of-iommufd_fault_fops_write.patch
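Review bot: The new else branch in f2fs_inline_data_fiemap() only asserts `ni.blk_addr != NEW_ADDR` through f2fs_bug_on() and then reports the extent as delalloc anyway, although ni.blk_addr is node information that ultimately reflects on-disk state and this path is reached from the FIEMAP ioctl. Depending on how f2fs_bug_on() is configured in the build (not visible in the hunk), an inconsistent image can therefore turn a read-only query into a kernel warning or worse. Handling the case as an error would be safer, for example `if (ni.blk_addr != NEW_ADDR) { err = -EFSCORRUPTED; goto out; }` before the flags are OR-ed in. The function begins and ends outside the hunk, so what the `out:` label releases on that path has to be checked against the full body.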
@@ -0,0 +1,47 @@ +From stable+bounces-247841-greg=kroah.com@vger.kernel.org Fri May 15 18:27:00 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 11:37:08 -0400 +Subject: iommufd: Fix return value of iommufd_fault_fops_write() +To: stable@vger.kernel.org +Cc: Zhenzhong Duan , Lu Baolu , Pranjal Shrivastava , Shuai Xue , Kevin Tian , Jason Gunthorpe , Sasha Levin +Message-ID: <20260515153708.3323159-1-sashal@kernel.org> + +From: Zhenzhong Duan + +[ Upstream commit aaca2aa92785a6ab8e3183e7184bca447a99cd76 ] + +copy_from_user() may return number of bytes failed to copy, we should +not pass over this number to user space to cheat that write() succeed. +Instead, -EFAULT should be returned. + +Link: https://patch.msgid.link/r/20260330030755.12856-1-zhenzhong.duan@intel.com +Cc: stable@vger.kernel.org +Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object") +Signed-off-by: Zhenzhong Duan +Reviewed-by: Lu Baolu +Reviewed-by: Pranjal Shrivastava +Reviewed-by: Shuai Xue +Reviewed-by: Kevin Tian +Signed-off-by: Jason Gunthorpe +[ applied identical hunk to drivers/iommu/iommufd/fault.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommufd/fault.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/iommufd/fault.c ++++ b/drivers/iommu/iommufd/fault.c +@@ -317,9 +317,10 @@ static ssize_t iommufd_fault_fops_write( + + mutex_lock(&fault->mutex); + while (count > done) { +- rc = copy_from_user(&response, buf + done, response_size); +- if (rc) ++ if (copy_from_user(&response, buf + done, response_size)) { ++ rc = -EFAULT; + break; ++ } + + static_assert((int)IOMMUFD_PAGE_RESP_SUCCESS == + (int)IOMMU_PAGE_RESP_SUCCESS); diff --git a/queue-6.12/mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch b/queue-6.12/mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch new file mode 100644 index 0000000000..6fc2eff62e --- /dev/null +++ b/queue-6.12/mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch 
@@ -0,0 +1,137 @@ +From stable+bounces-249259-greg=kroah.com@vger.kernel.org Mon May 18 13:55:13 2026 +From: Sasha Levin +Date: Mon, 18 May 2026 07:48:21 -0400 +Subject: mptcp: drop __mptcp_fastopen_gen_msk_ackseq() +To: stable@vger.kernel.org +Cc: Paolo Abeni , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20260518114822.789572-1-sashal@kernel.org> + +From: Paolo Abeni + +[ Upstream commit f03afb3aeb9d81f6c5ab728a61a040012923e3b3 ] + +When we will move the whole RX path under the msk socket lock, updating +the already queued skb for passive fastopen socket at 3rd ack time will +be extremely painful and race prone + +The map_seq for already enqueued skbs is used only to allow correct +coalescing with later data; preventing collapsing to the first skb of +a fastopen connect we can completely remove the +__mptcp_fastopen_gen_msk_ackseq() helper. + +Before dropping this helper, a new item had to be added to the +mptcp_skb_cb structure. Because this item will be frequently tested in +the fast path -- almost on every packet -- and because there is free +space there, a single byte is used instead of a bitfield. This micro +optimisation slightly reduces the number of CPU operations to do the +associated check. 
+ +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250218-net-next-mptcp-rx-path-refactor-v1-2-4a47d90d7998@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6254a16d6f0c ("mptcp: fix rx timestamp corruption on fastopen") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/fastopen.c | 24 ++---------------------- + net/mptcp/protocol.c | 4 +++- + net/mptcp/protocol.h | 5 ++--- + net/mptcp/subflow.c | 3 --- + 4 files changed, 7 insertions(+), 29 deletions(-) + +--- a/net/mptcp/fastopen.c ++++ b/net/mptcp/fastopen.c +@@ -40,13 +40,12 @@ void mptcp_fastopen_subflow_synack_set_p + tp->copied_seq += skb->len; + subflow->ssn_offset += skb->len; + +- /* initialize a dummy sequence number, we will update it at MPC +- * completion, if needed +- */ ++ /* Only the sequence delta is relevant */ + MPTCP_SKB_CB(skb)->map_seq = -skb->len; + MPTCP_SKB_CB(skb)->end_seq = 0; + MPTCP_SKB_CB(skb)->offset = 0; + MPTCP_SKB_CB(skb)->has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp; ++ MPTCP_SKB_CB(skb)->cant_coalesce = 1; + + mptcp_data_lock(sk); + +@@ -58,22 +57,3 @@ void mptcp_fastopen_subflow_synack_set_p + + mptcp_data_unlock(sk); + } +- +-void __mptcp_fastopen_gen_msk_ackseq(struct mptcp_sock *msk, struct mptcp_subflow_context *subflow, +- const struct mptcp_options_received *mp_opt) +-{ +- struct sock *sk = (struct sock *)msk; +- struct sk_buff *skb; +- +- skb = skb_peek_tail(&sk->sk_receive_queue); +- if (skb) { +- WARN_ON_ONCE(MPTCP_SKB_CB(skb)->end_seq); +- pr_debug("msk %p moving seq %llx -> %llx end_seq %llx -> %llx\n", sk, +- MPTCP_SKB_CB(skb)->map_seq, MPTCP_SKB_CB(skb)->map_seq + msk->ack_seq, +- MPTCP_SKB_CB(skb)->end_seq, MPTCP_SKB_CB(skb)->end_seq + msk->ack_seq); +- MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq; +- MPTCP_SKB_CB(skb)->end_seq += msk->ack_seq; +- } +- +- pr_debug("msk=%p ack_seq=%llx\n", msk, msk->ack_seq); +-} +--- a/net/mptcp/protocol.c 
++++ b/net/mptcp/protocol.c +@@ -137,7 +137,8 @@ static bool mptcp_try_coalesce(struct so + bool fragstolen; + int delta; + +- if (MPTCP_SKB_CB(from)->offset || ++ if (unlikely(MPTCP_SKB_CB(to)->cant_coalesce) || ++ MPTCP_SKB_CB(from)->offset || + ((to->len + from->len) > (sk->sk_rcvbuf >> 3)) || + !skb_try_coalesce(to, from, &fragstolen, &delta)) + return false; +@@ -368,6 +369,7 @@ static bool __mptcp_move_skb(struct mptc + MPTCP_SKB_CB(skb)->end_seq = MPTCP_SKB_CB(skb)->map_seq + copy_len; + MPTCP_SKB_CB(skb)->offset = offset; + MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp; ++ MPTCP_SKB_CB(skb)->cant_coalesce = 0; + + if (MPTCP_SKB_CB(skb)->map_seq == msk->ack_seq) { + /* in sequence */ +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -129,7 +129,8 @@ struct mptcp_skb_cb { + u64 map_seq; + u64 end_seq; + u32 offset; +- u8 has_rxtstamp:1; ++ u8 has_rxtstamp; ++ u8 cant_coalesce; + }; + + #define MPTCP_SKB_CB(__skb) ((struct mptcp_skb_cb *)&((__skb)->cb[0])) +@@ -1069,8 +1070,6 @@ void mptcp_event_pm_listener(const struc + enum mptcp_event_type event); + bool mptcp_userspace_pm_active(const struct mptcp_sock *msk); + +-void __mptcp_fastopen_gen_msk_ackseq(struct mptcp_sock *msk, struct mptcp_subflow_context *subflow, +- const struct mptcp_options_received *mp_opt); + void mptcp_fastopen_subflow_synack_set_params(struct mptcp_subflow_context *subflow, + struct request_sock *req); + int mptcp_nl_fill_addr(struct sk_buff *skb, +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -802,9 +802,6 @@ void __mptcp_subflow_fully_established(s + subflow_set_remote_key(msk, subflow, mp_opt); + WRITE_ONCE(subflow->fully_established, true); + WRITE_ONCE(msk->fully_established, true); +- +- if (subflow->is_mptfo) +- __mptcp_fastopen_gen_msk_ackseq(msk, subflow, mp_opt); + } + + static struct sock *subflow_syn_recv_sock(const struct sock *sk, 
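Review bot: The new `cant_coalesce` byte in struct mptcp_skb_cb is undocumented, and because the structure is overlaid on skb->cb (see the MPTCP_SKB_CB() macro in the protocol.h hunk) it holds whatever a previous owner of the skb left there unless every initialiser writes it. The two sites touched here do so (fastopen.c stores 1, __mptcp_move_skb() stores 0); any other place that fills MPTCP_SKB_CB() lies outside these hunks and should be checked, since mptcp_try_coalesce() now trusts the byte on `to`. I would add a field comment such as `u8 cant_coalesce; /* map_seq is a placeholder (passive fastopen): never merge later data into this skb */` and note next to `u8 has_rxtstamp;` that the widening from a bitfield is intentional. The enclosing functions start and end outside the hunks.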
diff --git a/queue-6.12/mptcp-fix-rx-timestamp-corruption-on-fastopen.patch b/queue-6.12/mptcp-fix-rx-timestamp-corruption-on-fastopen.patch
new file mode 100644
index 0000000000..8c9f8d5b20
--- /dev/null
+++ b/queue-6.12/mptcp-fix-rx-timestamp-corruption-on-fastopen.patch
@@ -0,0 +1,54 @@
+From stable+bounces-249260-greg=kroah.com@vger.kernel.org Mon May 18 14:01:13 2026
+From: Sasha Levin
+Date: Mon, 18 May 2026 07:48:22 -0400
+Subject: mptcp: fix rx timestamp corruption on fastopen
+To: stable@vger.kernel.org
+Cc: Paolo Abeni , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin
+Message-ID: <20260518114822.789572-2-sashal@kernel.org>
+
+From: Paolo Abeni
+
+[ Upstream commit 6254a16d6f0c672e3809ca5d7c9a28a55d71f764 ]
+
+The skb cb offset containing the timestamp presence flag is cleared
+before loading such information. Cache such value before MPTCP CB
+initialization.
+
+Fixes: 36b122baf6a8 ("mptcp: add subflow_v(4,6)_send_synack()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni
+Reviewed-by: Matthieu Baerts (NGI0)
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260501-net-mptcp-misc-fixes-7-1-rc3-v1-3-b70118df778e@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/fastopen.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/fastopen.c
++++ b/net/mptcp/fastopen.c
+@@ -12,6 +12,7 @@ void mptcp_fastopen_subflow_synack_set_p
+ struct sock *sk, *ssk;
+ struct sk_buff *skb;
+ struct tcp_sock *tp;
++ bool has_rxtstamp;
+
+ /* on early fallback the subflow context is deleted by
+ * subflow_syn_recv_sock()
+@@ -39,12 +40,13 @@ void mptcp_fastopen_subflow_synack_set_p
+ */
+ tp->copied_seq += skb->len;
+ subflow->ssn_offset += skb->len;
++ has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
+
+ /* Only the sequence delta is relevant */
+ MPTCP_SKB_CB(skb)->map_seq = -skb->len;
+ MPTCP_SKB_CB(skb)->end_seq = 0;
+ MPTCP_SKB_CB(skb)->offset = 0;
+- MPTCP_SKB_CB(skb)->has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
++ MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp;
+ MPTCP_SKB_CB(skb)->cant_coalesce = 1;
+
+ mptcp_data_lock(sk);
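Review bot: Nothing at the added `has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;` line explains why the read has to happen before the MPTCP_SKB_CB() stores, so a later tidy-up could fold the local back into the assignment and bring the corruption back. A one-line comment would pin the ordering, for example `/* TCP_SKB_CB() and MPTCP_SKB_CB() overlay the same skb->cb bytes: read the TCP flag before any MPTCP field is written */`. The body of mptcp_fastopen_subflow_synack_set_params() extends beyond both hunks.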
diff --git a/queue-6.12/mptcp-pm-prio-skip-closed-subflows.patch b/queue-6.12/mptcp-pm-prio-skip-closed-subflows.patch
new file mode 100644
index 0000000000..5eb04b726a
--- /dev/null
+++ b/queue-6.12/mptcp-pm-prio-skip-closed-subflows.patch
@@ -0,0 +1,46 @@
+From stable+bounces-249262-greg=kroah.com@vger.kernel.org Mon May 18 13:51:24 2026
+From: Sasha Levin
+Date: Mon, 18 May 2026 07:48:40 -0400
+Subject: mptcp: pm: prio: skip closed subflows
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" , Mat Martineau , Jakub Kicinski , Sasha Levin
+Message-ID: <20260518114840.790663-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)"
+
+[ Upstream commit 166b78344031bf7ac9f55cb5282776cfd85f220e ]
+
+When sending an MP_PRIO, closed subflows need to be skipped.
+
+This fixes the case where the initial subflow got closed, re-opened
+later, then an MP_PRIO is needed for the same local address.
+
+Note that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine
+to use __mptcp_subflow_active().
+
+Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
+Cc: stable@vger.kernel.org
+Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org
+Signed-off-by: Jakub Kicinski
+[ applied to renamed function `mptcp_pm_nl_mp_prio_send_ack()` in `pm_netlink.c` ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/pm_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -920,6 +920,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+ struct mptcp_addr_info local, remote;
+
++ if (!__mptcp_subflow_active(subflow))
++ continue;
++
+ mptcp_local_address((struct sock_common *)ssk, &local);
+ if (!mptcp_addresses_equal(&local, addr, addr->port))
+ continue;
diff --git a/queue-6.12/rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch b/queue-6.12/rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch
new file mode 100644
index 0000000000..cfbe7ae78d
--- /dev/null
+++ b/queue-6.12/rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch
@@ -0,0 +1,45 @@
+From stable+bounces-249162-greg=kroah.com@vger.kernel.org Mon May 18 03:23:49 2026
+From: Sasha Levin
+Date: Sun, 17 May 2026 21:23:44 -0400
+Subject: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
+To: stable@vger.kernel.org
+Cc: Jason Gunthorpe , Long Li , Sasha Levin
+Message-ID: <20260518012344.482192-1-sashal@kernel.org>
+
+From: Jason Gunthorpe
+
+[ Upstream commit 159f2efabc89d3f931d38f2d35876535d4abf0a3 ]
+
+Sashiko points out that the user can specify WQs sharing the same CQ as a
+part of the uAPI and this will trigger the WARN_ON() then go on to corrupt
+the kernel.
+
+Just reject it outright and fail the QP creation.
+
+Cc: stable@vger.kernel.org
+Fixes: c15d7802a424 ("RDMA/mana_ib: Add CQ interrupt support for RAW QP")
+Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=1
+Link: https://patch.msgid.link/r/5-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
+Reviewed-by: Long Li
+Signed-off-by: Jason Gunthorpe
+[ adjusted context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mana/cq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mana/cq.c
++++ b/drivers/infiniband/hw/mana/cq.c
+@@ -120,8 +120,9 @@ int mana_ib_install_cq_cb(struct mana_ib
+
+ if (cq->queue.id >= gc->max_num_cqs)
+ return -EINVAL;
+- /* Create CQ table entry */
+- WARN_ON(gc->cq_table[cq->queue.id]);
++ /* Create CQ table entry, sharing a CQ between WQs is not supported */
++ if (gc->cq_table[cq->queue.id])
++ return -EINVAL;
+ gdma_cq = kzalloc(sizeof(*gdma_cq), GFP_KERNEL);
+ if (!gdma_cq)
+ return -ENOMEM;
diff --git a/queue-6.12/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch b/queue-6.12/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
new file mode 100644
index 0000000000..bff185713f
--- /dev/null
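Review bot: The new `if (gc->cq_table[cq->queue.id]) return -EINVAL;` test in mana_ib_install_cq_cb() is a check-then-act on a shared table: a kzalloc() sits between the test and the table store that presumably follows, and no lock is visible in the hunk. If nothing in the callers serialises this function, two concurrent QP creations naming the same CQ could both pass the test, so the slot should be claimed under a lock or atomically, and the comment should say which lock protects gc->cq_table[]. The function continues past the hunk, so the store and any caller-side locking cannot be confirmed from here. Callers that install several CQs in a loop also need to unwind the entries already installed when this new error path fires.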
+++ b/queue-6.12/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
@@ -0,0 +1,48 @@
+From stable+bounces-249176-greg=kroah.com@vger.kernel.org Mon May 18 05:28:06 2026
+From: Sasha Levin
+Date: Sun, 17 May 2026 23:28:00 -0400
+Subject: sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
+To: stable@vger.kernel.org
+Cc: Tejun Heo , Chris Mason , Andrea Righi , Sasha Levin
+Message-ID: <20260518032800.587649-1-sashal@kernel.org>
+
+From: Tejun Heo
+
+[ Upstream commit 4fda9f0e7c950da4fe03cedeb2ac818edf5d03e9 ]
+
+bpf_iter_scx_dsq_new() clears kit->dsq on failure and
+bpf_iter_scx_dsq_{next,destroy}() guard against that. scx_dsq_move() doesn't -
+it dereferences kit->dsq immediately, so a BPF program that calls
+scx_bpf_dsq_move[_vtime]() after a failed iter_new oopses the kernel.
+
+Return false if kit->dsq is NULL.
+
+Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()")
+Cc: stable@vger.kernel.org # v6.12+
+Reported-by: Chris Mason
+Signed-off-by: Tejun Heo
+Reviewed-by: Andrea Righi
+[ dropped the `struct scx_sched *sch` declaration and `sch = src_dsq->sched` line ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/ext.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -6346,6 +6346,14 @@ static bool scx_dispatch_from_dsq(struct
+ bool in_balance;
+ unsigned long flags;
+
++ /*
++ * The verifier considers an iterator slot initialized on any
++ * KF_ITER_NEW return, so a BPF program may legally reach here after
++ * bpf_iter_scx_dsq_new() failed and left @kit->dsq NULL.
++ */
++ if (unlikely(!src_dsq))
++ return false;
++
+ if (!scx_kf_allowed_if_unlocked() && !scx_kf_allowed(SCX_KF_DISPATCH))
+ return false;
+
diff --git a/queue-6.12/series b/queue-6.12/series
index 6b94e86a9e..2d368041ed 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -644,3 +644,20 @@ drm-xe-dma-buf-handle-empty-bo-and-uaf-races.patch
 drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
 drm-gma500-oaktrail_lvds-fix-hang-on-init-failure.patch
 drm-gma500-oaktrail_lvds-fix-i2c-adapter-leaks-on-init.patch
+iommufd-fix-return-value-of-iommufd_fault_fops_write.patch
+eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
+drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
+btrfs-use-inode-already-stored-in-local-variable-at-btrfs_rmdir.patch
+btrfs-use-btrfs-inodes-in-btrfs_rmdir-to-avoid-so-much-usage-of-btrfs_i.patch
+btrfs-fix-missing-last_unlink_trans-update-when-removing-a-directory.patch
+smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
+btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
+rdma-mana-remove-user-triggerable-warn_on-in-mana_ib_create_qp_rss.patch
+sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
+mptcp-pm-prio-skip-closed-subflows.patch
+mptcp-drop-__mptcp_fastopen_gen_msk_ackseq.patch
+mptcp-fix-rx-timestamp-corruption-on-fastopen.patch
+f2fs-fix-incorrect-file-address-mapping-when-inline-inode-is-unwritten.patch
+f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
+spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
+spi-sifive-fix-controller-deregistration.patch
diff --git a/queue-6.12/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch b/queue-6.12/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
new file mode 100644
index 0000000000..140952a70d
--- /dev/null
+++ b/queue-6.12/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
@@ -0,0 +1,154 @@ +From stable+bounces-249031-greg=kroah.com@vger.kernel.org Sat May 16 21:09:54 2026 +From: Sasha Levin +Date: Sat, 16 May 2026 15:09:46 -0400 +Subject: smb: client: Use FullSessionKey for AES-256 encryption key derivation +To: stable@vger.kernel.org +Cc: Piyush Sachdeva , Bharath SM , Piyush Sachdeva , Steve French , Sasha Levin +Message-ID: <20260516190946.4018100-1-sashal@kernel.org> + +From: Piyush Sachdeva + +[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ] + +When Kerberos authentication is used with AES-256 encryption (AES-256-CCM +or AES-256-GCM), the SMB3 encryption and decryption keys must be derived +using the full session key (Session.FullSessionKey) rather than just the +first 16 bytes (Session.SessionKey). + +Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and +Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey +must be set to the full cryptographic key from the GSS authentication +context. The encryption and decryption key derivation (SMBC2SCipherKey, +SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The +signing key derivation continues to use Session.SessionKey (first 16 +bytes) in all cases. + +Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the +HMAC-SHA256 key input length for all derivations. When Kerberos with +AES-256 provides a 32-byte session key, the KDF for encryption/decryption +was using only the first 16 bytes, producing keys that did not match the +server's, causing mount failures with sec=krb5 and require_gcm_256=1. 
+ +Add a full_key_size parameter to generate_key() and pass the appropriate +size from generate_smb3signingkey(): + - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes) + - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16 + +Also fix cifs_dump_full_key() to report the actual session key length for +AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools +like Wireshark receive the correct key for decryption. + +Cc: +Reviewed-by: Bharath SM +Signed-off-by: Piyush Sachdeva +Signed-off-by: Piyush Sachdeva +Signed-off-by: Steve French +[ adapted upstream's void/hmac_sha256_init_usingrawkey-based generate_key() to 6.12's int-return crypto_shash_* form while threading full_key_size through all callers. ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/ioctl.c | 2 +- + fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++------- + 2 files changed, 26 insertions(+), 8 deletions(-) + +--- a/fs/smb/client/ioctl.c ++++ b/fs/smb/client/ioctl.c +@@ -300,7 +300,7 @@ search_end: + break; + case SMB2_ENCRYPTION_AES256_CCM: + case SMB2_ENCRYPTION_AES256_GCM: +- out.session_key_length = CIFS_SESS_KEY_SIZE; ++ out.session_key_length = ses->auth_key.len; + out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE; + break; + default: +--- a/fs/smb/client/smb2transport.c ++++ b/fs/smb/client/smb2transport.c +@@ -334,7 +334,8 @@ out: + } + + static int generate_key(struct cifs_ses *ses, struct kvec label, +- struct kvec context, __u8 *key, unsigned int key_size) ++ struct kvec context, __u8 *key, unsigned int key_size, ++ unsigned int full_key_size) + { + unsigned char zero = 0x0; + __u8 i[4] = {0, 0, 0, 1}; +@@ -355,7 +356,7 @@ static int generate_key(struct cifs_ses + } + + rc = crypto_shash_setkey(server->secmech.hmacsha256->tfm, +- ses->auth_key.response, SMB2_NTLMV2_SESSKEY_SIZE); ++ ses->auth_key.response, full_key_size); + if (rc) { + cifs_server_dbg(VFS, "%s: Could not set with 
session key\n", __func__); + goto smb3signkey_ret; +@@ -430,6 +431,7 @@ generate_smb3signingkey(struct cifs_ses + struct TCP_Server_Info *server, + const struct derivation_triplet *ptriplet) + { ++ unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE; + int rc; + bool is_binding = false; + int chan_index = 0; +@@ -464,17 +466,31 @@ generate_smb3signingkey(struct cifs_ses + rc = generate_key(ses, ptriplet->signing.label, + ptriplet->signing.context, + ses->chans[chan_index].signkey, +- SMB3_SIGN_KEY_SIZE); ++ SMB3_SIGN_KEY_SIZE, ++ SMB2_NTLMV2_SESSKEY_SIZE); + if (rc) + return rc; + } else { + rc = generate_key(ses, ptriplet->signing.label, + ptriplet->signing.context, + ses->smb3signingkey, +- SMB3_SIGN_KEY_SIZE); ++ SMB3_SIGN_KEY_SIZE, ++ SMB2_NTLMV2_SESSKEY_SIZE); + if (rc) + return rc; + ++ /* ++ * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey ++ * (first 16 bytes). Encryption/decryption keys use ++ * Session.FullSessionKey when dialect is 3.1.1 and cipher is ++ * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey. 
++ */ ++ ++ if (server->dialect == SMB311_PROT_ID && ++ (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM || ++ server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) ++ full_key_size = ses->auth_key.len; ++ + /* safe to access primary channel, since it will never go away */ + spin_lock(&ses->chan_lock); + memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey, +@@ -484,13 +500,15 @@ generate_smb3signingkey(struct cifs_ses + rc = generate_key(ses, ptriplet->encryption.label, + ptriplet->encryption.context, + ses->smb3encryptionkey, +- SMB3_ENC_DEC_KEY_SIZE); ++ SMB3_ENC_DEC_KEY_SIZE, ++ full_key_size); + if (rc) + return rc; + rc = generate_key(ses, ptriplet->decryption.label, + ptriplet->decryption.context, + ses->smb3decryptionkey, +- SMB3_ENC_DEC_KEY_SIZE); ++ SMB3_ENC_DEC_KEY_SIZE, ++ full_key_size); + if (rc) + return rc; + } +@@ -505,7 +523,7 @@ generate_smb3signingkey(struct cifs_ses + &ses->Suid); + cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type); + cifs_dbg(VFS, "Session Key %*ph\n", +- SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response); ++ (int)ses->auth_key.len, ses->auth_key.response); + cifs_dbg(VFS, "Signing Key %*ph\n", + SMB3_SIGN_KEY_SIZE, ses->smb3signingkey); + if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || diff --git a/queue-6.12/spi-sifive-fix-controller-deregistration.patch b/queue-6.12/spi-sifive-fix-controller-deregistration.patch new file mode 100644 index 0000000000..c0afcb25ae --- /dev/null +++ b/queue-6.12/spi-sifive-fix-controller-deregistration.patch 
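Review bot: generate_key() now passes the caller-supplied `full_key_size` straight to crypto_shash_setkey() with ses->auth_key.response as the key, and the encryption and decryption callers in generate_smb3signingkey() supply `ses->auth_key.len` without any bound. Nothing in these hunks shows that auth_key.len is exactly the GSS session key length on this path (for non-Kerberos authentication that would need confirming), nor that it is at least SMB2_NTLMV2_SESSKEY_SIZE for the signing calls that still pass the constant. A guard near the top of generate_key(), such as `if (!full_key_size || full_key_size > ses->auth_key.len) return -EINVAL;`, would make the contract explicit, and the new parameter should be documented as the number of leading bytes of ses->auth_key.response used as the KDF key. The same length now also drives the `Session Key %*ph` debug dump and `out.session_key_length` in ioctl.c, so wherever those were already enabled they expose the full key rather than its first 16 bytes.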
@@ -0,0 +1,57 @@
+From stable+bounces-249943-greg=kroah.com@vger.kernel.org Wed May 20 16:46:25 2026
+From: Sasha Levin
+Date: Wed, 20 May 2026 10:27:26 -0400
+Subject: spi: sifive: fix controller deregistration
+To: stable@vger.kernel.org
+Cc: Johan Hovold , Yash Shah , Mark Brown , Sasha Levin
+Message-ID: <20260520142726.3646738-2-sashal@kernel.org>
+
+From: Johan Hovold
+
+[ Upstream commit 0f25236694a2854627c1597465a071e6bb6fe572 ]
+
+Make sure to deregister the controller before disabling underlying
+resources like interrupts during driver unbind.
+
+Note that clocks were also disabled before the recent commit
+140039c23aca ("spi: sifive: Simplify clock handling with
+devm_clk_get_enabled()").
+
+Fixes: 484a9a68d669 ("spi: sifive: Add driver for the SiFive SPI controller")
+Cc: stable@vger.kernel.org # 5.1
+Cc: Yash Shah
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260410081757.503099-15-johan@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-sifive.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sifive.c
++++ b/drivers/spi/spi-sifive.c
+@@ -393,7 +393,7 @@ static int sifive_spi_probe(struct platf
+ dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
+ irq, host->num_chipselect);
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "spi_register_host failed\n");
+ goto put_host;
+@@ -412,8 +412,14 @@ static void sifive_spi_remove(struct pla
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct sifive_spi *spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ /* Disable all the interrupts just in case */
+ sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
++
++ spi_controller_put(host);
+ }
+
+ static int sifive_spi_suspend(struct device *dev)
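Review bot: The spi_controller_get()/spi_controller_put() pair added around spi_unregister_controller() in sifive_spi_remove() carries no comment, and its purpose is easy to miss: it presumably keeps `host`, and the `spi` devdata obtained from it, alive for the sifive_spi_write() that follows, because unregistering can drop the last reference when the controller was not devm-allocated. I would add `/* hold a reference: spi_unregister_controller() may release the host, and spi is still used below */` above the get, so the pair is not removed as redundant later. The allocation call in sifive_spi_probe() is outside the hunk, so it should be confirmed that it is the non-devm variant this pattern assumes.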
diff --git a/queue-6.12/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch b/queue-6.12/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
new file mode 100644
index 0000000000..55b9901008
--- /dev/null
+++ b/queue-6.12/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
@@ -0,0 +1,106 @@ +From stable+bounces-249942-greg=kroah.com@vger.kernel.org Wed May 20 16:46:15 2026 +From: Sasha Levin +Date: Wed, 20 May 2026 10:27:25 -0400 +Subject: spi: sifive: Simplify clock handling with devm_clk_get_enabled() +To: stable@vger.kernel.org +Cc: Pei Xiao , Mark Brown , Sasha Levin +Message-ID: <20260520142726.3646738-1-sashal@kernel.org> + +From: Pei Xiao + +[ Upstream commit 140039c23aca067b9ff0242e3c0ce96276bb95f3 ] + +Replace devm_clk_get() followed by clk_prepare_enable() with +devm_clk_get_enabled() for the bus clock. This reduces boilerplate code +and error handling, as the managed API automatically disables the clock +when the device is removed or if probe fails. + +Remove the now-unnecessary clk_disable_unprepare() calls from the probe +error path and the remove callback. Adjust the error handling to use the +existing put_host label. + +Signed-off-by: Pei Xiao +Link: https://patch.msgid.link/73d0d8ecb4e1af5a558d6a7866c0f886d94fe3d1.1773885292.git.xiaopei01@kylinos.cn +Signed-off-by: Mark Brown +Stable-dep-of: 0f25236694a2 ("spi: sifive: fix controller deregistration") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sifive.c | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +--- a/drivers/spi/spi-sifive.c ++++ b/drivers/spi/spi-sifive.c +@@ -312,7 +312,8 @@ static int sifive_spi_probe(struct platf + goto put_host; + } + +- spi->clk = devm_clk_get(&pdev->dev, NULL); ++ /* Spin up the bus clock before hitting registers */ ++ spi->clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(spi->clk)) { + dev_err(&pdev->dev, "Unable to find bus clock\n"); + ret = PTR_ERR(spi->clk); +@@ -342,13 +343,6 @@ static int sifive_spi_probe(struct platf + goto put_host; + } + +- /* Spin up the bus clock before hitting registers */ +- ret = clk_prepare_enable(spi->clk); +- if (ret) { +- dev_err(&pdev->dev, "Unable to enable bus clock\n"); +- goto put_host; +- } +- + /* probe the number 
of CS lines */ + spi->cs_inactive = sifive_spi_read(spi, SIFIVE_SPI_REG_CSDEF); + sifive_spi_write(spi, SIFIVE_SPI_REG_CSDEF, 0xffffffffU); +@@ -357,14 +351,14 @@ static int sifive_spi_probe(struct platf + if (!cs_bits) { + dev_err(&pdev->dev, "Could not auto probe CS lines\n"); + ret = -EINVAL; +- goto disable_clk; ++ goto put_host; + } + + num_cs = ilog2(cs_bits) + 1; + if (num_cs > SIFIVE_SPI_MAX_CS) { + dev_err(&pdev->dev, "Invalid number of spi targets\n"); + ret = -EINVAL; +- goto disable_clk; ++ goto put_host; + } + + /* Define our host */ +@@ -393,7 +387,7 @@ static int sifive_spi_probe(struct platf + dev_name(&pdev->dev), spi); + if (ret) { + dev_err(&pdev->dev, "Unable to bind to interrupt\n"); +- goto disable_clk; ++ goto put_host; + } + + dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n", +@@ -402,13 +396,11 @@ static int sifive_spi_probe(struct platf + ret = devm_spi_register_controller(&pdev->dev, host); + if (ret < 0) { + dev_err(&pdev->dev, "spi_register_host failed\n"); +- goto disable_clk; ++ goto put_host; + } + + return 0; + +-disable_clk: +- clk_disable_unprepare(spi->clk); + put_host: + spi_controller_put(host); + +@@ -422,7 +414,6 @@ static void sifive_spi_remove(struct pla + + /* Disable all the interrupts just in case */ + sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0); +- clk_disable_unprepare(spi->clk); + } + + static int sifive_spi_suspend(struct device *dev) -- 2.47.3
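Review bot: After the switch to devm_clk_get_enabled() in sifive_spi_probe(), the retained message `"Unable to find bus clock\n"` also covers a failure to prepare or enable the clock, so the log no longer distinguishes the two cases that used to have separate messages. Rewording it, for example `dev_err(&pdev->dev, "Unable to get and enable bus clock\n");`, keeps the diagnostics honest. The clock is now released by devres only after remove() returns, so any clk_disable_unprepare()/clk_prepare_enable() calls in the suspend and resume paths, which lie outside these hunks, should be checked to remain balanced against the managed enable.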