--- /dev/null
+From d2346e2836318a227057ed41061114cbebee5d2a Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Tue, 9 Jul 2024 18:07:35 -0500
+Subject: cifs: fix setting SecurityFlags to true
+
+From: Steve French <stfrench@microsoft.com>
+
+commit d2346e2836318a227057ed41061114cbebee5d2a upstream.
+
+If you try to set /proc/fs/cifs/SecurityFlags to 1 it
+will set them to CIFSSEC_MUST_NTLMV2 which no longer is
+relevant (the less secure ones like lanman have been removed
+from cifs.ko) and is also missing some flags (like for
+signing and encryption) and can even cause mount to fail,
+so change this to set it to Kerberos in this case.
+
+Also change the description of the SecurityFlags to remove mention
+of flags which are no longer supported.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/admin-guide/cifs/usage.rst | 34 +++++++++----------------------
+ fs/smb/client/cifsglob.h | 4 +--
+ 2 files changed, 12 insertions(+), 26 deletions(-)
+
+--- a/Documentation/admin-guide/cifs/usage.rst
++++ b/Documentation/admin-guide/cifs/usage.rst
+@@ -723,40 +723,26 @@ Configuration pseudo-files:
+ ======================= =======================================================
+ SecurityFlags Flags which control security negotiation and
+ also packet signing. Authentication (may/must)
+- flags (e.g. for NTLM and/or NTLMv2) may be combined with
++ flags (e.g. for NTLMv2) may be combined with
+ the signing flags. Specifying two different password
+ hashing mechanisms (as "must use") on the other hand
+ does not make much sense. Default flags are::
+
+- 0x07007
++ 0x00C5
+
+- (NTLM, NTLMv2 and packet signing allowed). The maximum
+- allowable flags if you want to allow mounts to servers
+- using weaker password hashes is 0x37037 (lanman,
+- plaintext, ntlm, ntlmv2, signing allowed). Some
+- SecurityFlags require the corresponding menuconfig
+- options to be enabled. Enabling plaintext
+- authentication currently requires also enabling
+- lanman authentication in the security flags
+- because the cifs module only supports sending
+- laintext passwords using the older lanman dialect
+- form of the session setup SMB. (e.g. for authentication
+- using plain text passwords, set the SecurityFlags
+- to 0x30030)::
++ (NTLMv2 and packet signing allowed). Some SecurityFlags
++ may require enabling a corresponding menuconfig option.
+
+ may use packet signing 0x00001
+ must use packet signing 0x01001
+- may use NTLM (most common password hash) 0x00002
+- must use NTLM 0x02002
+ may use NTLMv2 0x00004
+ must use NTLMv2 0x04004
+- may use Kerberos security 0x00008
+- must use Kerberos 0x08008
+- may use lanman (weak) password hash 0x00010
+- must use lanman password hash 0x10010
+- may use plaintext passwords 0x00020
+- must use plaintext passwords 0x20020
+- (reserved for future packet encryption) 0x00040
++ may use Kerberos security (krb5) 0x00008
++ must use Kerberos 0x08008
++ may use NTLMSSP 0x00080
++ must use NTLMSSP 0x80080
++ seal (packet encryption) 0x00040
++ must seal (not implemented yet) 0x40040
+
+ cifsFYI If set to non-zero value, additional debug information
+ will be logged to the system error log. This field
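Review bot: the parenthetical "(NTLMv2 and packet signing allowed)" after the new default 0x00C5 does not match the value. By the table in this same hunk, 0x00C5 is 0x00001 (may sign) + 0x00004 (may NTLMv2) + 0x00040 (seal) + 0x00080 (may NTLMSSP), so NTLMSSP and sealing are also allowed by default. Suggest "(NTLMv2, NTLMSSP, packet signing and sealing allowed)", and writing the value as 0x000C5 to match the five-digit form the table uses. The text also does not say what writing 1 to SecurityFlags now selects, which is the behaviour the commit message describes changing.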
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1938,8 +1938,8 @@ require use of the stronger protocol */
+ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
+ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
+
+-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
+-#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
++#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
++#define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
+ #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
+ /*
+ *****************************************************************
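Review bot: the CIFSSEC_DEF line adds CIFSSEC_MAY_SEAL to the default flags, but the commit message only describes the case of writing 1 to SecurityFlags; the changelog should mention the default change, since it takes effect whenever SecurityFlags is left at its default. On the CIFSSEC_MAX line, the new value carries CIFSSEC_MUST_KRB5 with only the MAY forms of signing and sealing, so the name no longer reads as a maximum. A one-line comment saying that this is the value applied when SecurityFlags is written as 1, and that it makes Kerberos mandatory, would help whoever touches these macros next.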
--- /dev/null
+From 2feab2492deb2f14f9675dd6388e9e2bf669c27a Mon Sep 17 00:00:00 2001
+From: Josh Don <joshdon@google.com>
+Date: Thu, 20 Jun 2024 14:44:50 -0700
+Subject: Revert "sched/fair: Make sure to try to detach at least one movable task"
+
+From: Josh Don <joshdon@google.com>
+
+commit 2feab2492deb2f14f9675dd6388e9e2bf669c27a upstream.
+
+This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.
+
+b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if
+all tasks examined to that point were pinned. The goal of the patch was
+to make it more likely to be able to detach a task buried in a long list
+of pinned tasks. However, this has the unfortunate side effect of
+creating an O(n) iteration in detach_tasks(), as we now must fully
+iterate every task on a cpu if all or most are pinned. Since this load
+balance code is done with rq lock held, and often in softirq context, it
+is very easy to trigger hard lockups. We observed such hard lockups with
+a user who affined O(10k) threads to a single cpu.
+
+When I discussed this with Vincent he initially suggested that we keep
+the limit on the number of tasks to detach, but increase the number of
+tasks we can search. However, after some back and forth on the mailing
+list, he recommended we instead revert the original patch, as it seems
+likely no one was actually getting hit by the original issue.
+
+Fixes: b0defa7ae03e ("sched/fair: Make sure to try to detach at least one movable task")
+Signed-off-by: Josh Don <joshdon@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lore.kernel.org/r/20240620214450.316280-1-joshdon@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -9106,12 +9106,8 @@ static int detach_tasks(struct lb_env *e
+ break;
+
+ env->loop++;
+- /*
+- * We've more or less seen every task there is, call it quits
+- * unless we haven't found any movable task yet.
+- */
+- if (env->loop > env->loop_max &&
+- !(env->flags & LBF_ALL_PINNED))
++ /* We've more or less seen every task there is, call it quits */
++ if (env->loop > env->loop_max)
+ break;
+
+ /* take a breather every nr_migrate tasks */
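Review bot: the restored comment above "if (env->loop > env->loop_max)" says only "call it quits" and does not record why the bound has to be unconditional. The commit message gives the reason (the iteration runs with the rq lock held, often in softirq context, and an unbounded walk over pinned tasks produced hard lockups), and that is exactly what would stop someone from re-adding the LBF_ALL_PINNED exception later. Suggest extending the comment with one sentence to that effect.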
+@@ -11363,9 +11359,7 @@ more_balance:
+
+ if (env.flags & LBF_NEED_BREAK) {
+ env.flags &= ~LBF_NEED_BREAK;
+- /* Stop if we tried all running tasks */
+- if (env.loop < busiest->nr_running)
+- goto more_balance;
++ goto more_balance;
+ }
+
+ /*
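Review bot: with the "env.loop < busiest->nr_running" test removed, the "goto more_balance" under LBF_NEED_BREAK has no local bound, so termination of this retry now rests entirely on the env->loop_max check restored in detach_tasks(). The visible lines do not state that dependency. Suggest a short comment here noting that the retry is bounded by env.loop_max, so the two hunks are not changed independently in the future.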