6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 20 May 2026 16:04:41 +0000 (18:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 20 May 2026 16:04:41 +0000 (18:04 +0200)
added patches:
btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch
sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch
smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
spi-sifive-fix-controller-deregistration.patch
spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch

queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch [new file with mode: 0644]
queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch [new file with mode: 0644]
queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch [new file with mode: 0644]
queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch [new file with mode: 0644]
queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch [new file with mode: 0644]
queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch [new file with mode: 0644]
queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch [new file with mode: 0644]
queue-6.18/spi-sifive-fix-controller-deregistration.patch [new file with mode: 0644]
queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch [new file with mode: 0644]

diff --git a/queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch b/queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
new file mode 100644 (file)
index 0000000..c9fe044
--- /dev/null
@@ -0,0 +1,81 @@
+From stable+bounces-249026-greg=kroah.com@vger.kernel.org Sat May 16 21:09:12 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 May 2026 15:09:07 -0400
+Subject: btrfs: do not mark inode incompressible after inline attempt fails
+To: stable@vger.kernel.org
+Cc: Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260516190907.4016888-1-sashal@kernel.org>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 2e0e3716c7b6f8d71df2fbe709b922e54700f71b ]
+
+[BUG]
+The following sequence will set the file with nocompress flag:
+
+  # mkfs.btrfs -f $dev
+  # mount $dev $mnt -o max_inline=4,compress
+  # xfs_io -f -c "pwrite 0 2k" -c sync $mnt/foobar
+
+The inode will have NOCOMPRESS flag, even if the content itself (all 0xcd)
+can still be compressed very well:
+
+       item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160
+               generation 9 transid 10 size 2097152 nbytes 1052672
+               block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
+               sequence 257 flags 0x8(NOCOMPRESS)
+
+Please note that, this behavior is there even before commit 59615e2c1f63
+("btrfs: reject single block sized compression early").
+
+[CAUSE]
+At compress_file_range(), after btrfs_compress_folios() call, we try
+making an inlined extent by calling cow_file_range_inline().
+
+But cow_file_range_inline() calls can_cow_file_range_inline() which has
+more accurate checks on if the range can be inlined.
+
+One of the user configurable conditions is the "max_inline=" mount
+option. If that value is set low (like the example, 4 bytes, which
+cannot store any header), or the compressed content is just slightly
+larger than 2K (the default value, meaning a 50% compression ratio),
+cow_file_range_inline() will return 1 immediately.
+
+And since we're here only to try inline the compressed data, the range
+is no larger than a single fs block.
+
+Thus compression is never going to make it a win, we fall back to
+marking the inode incompressible unavoidably.
+
+[FIX]
+Just add an extra check after inline attempt, so that if the inline
+attempt failed, do not set the nocompress flag.
+
+As there is no way to remove that flag, and the default 50% compression
+ratio is way too strict for the whole inode.
+
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1006,6 +1006,12 @@ again:
+                       mapping_set_error(mapping, -EIO);
+               goto free_pages;
+       }
++      /*
++       * If a single block at file offset 0 cannot be inlined, fall back to
++       * regular writes without marking the file incompressible.
++       */
++      if (start == 0 && end <= blocksize)
++              goto cleanup_and_bail_uncompressed;
+       /*
+        * We aren't doing an inline extent. Round the compressed size up to a
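Review bot: The added guard `if (start == 0 && end <= blocksize)` reads as off by one if `end` is the inclusive last byte of the range, which the hunk does not show; a single block at offset 0 would then end at `blocksize - 1`, and `end < blocksize` states that exactly. With block-aligned ranges the two forms probably select the same cases, so this is about making the condition match its comment rather than changing behaviour. The enclosing function starts and ends outside the hunk, so the definition of `end` and the code at `cleanup_and_bail_uncompressed` should be checked before touching it.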
diff --git a/queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch b/queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
new file mode 100644 (file)
index 0000000..36c73d1
--- /dev/null
@@ -0,0 +1,56 @@
+From fb44d589bf3148e13452185a6e772a7efbf2d684 Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Wed, 15 Apr 2026 05:00:00 +0000
+Subject: drm/v3d: Reject empty multisync extension to prevent infinite loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit fb44d589bf3148e13452185a6e772a7efbf2d684 upstream.
+
+v3d_get_extensions() walks a userspace-provided singly-linked list of
+ioctl extensions without any bound on the chain length. A local user
+can craft a self-referential extension (ext->next == &ext) with zero
+in_sync_count and out_sync_count, which bypasses the existing duplicate-
+extension guard:
+
+    if (se->in_sync_count || se->out_sync_count)
+            return -EINVAL;
+
+The guard never fires because v3d_get_multisync_post_deps() returns
+immediately when count is zero, leaving both fields at zero on every
+iteration. The result is an infinite loop in kernel context, blocking
+the calling thread and pegging a CPU core indefinitely.
+
+Fix this by rejecting a multisync extension where both in_sync_count
+and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
+empty multisync carries no synchronization information and serves no
+useful purpose, so returning -EINVAL for such an extension is the
+correct defense against this attack vector.
+
+Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com
+Signed-off-by: MaĆ­ra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_submit.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/v3d/v3d_submit.c
++++ b/drivers/gpu/drm/v3d/v3d_submit.c
+@@ -390,6 +390,11 @@ v3d_get_multisync_submit_deps(struct drm
+       if (multisync.pad)
+               return -EINVAL;
++      if (!multisync.in_sync_count && !multisync.out_sync_count) {
++              DRM_DEBUG("Empty multisync extension\n");
++              return -EINVAL;
++      }
++
+       ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count,
+                                         multisync.out_syncs);
+       if (ret)
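Review bot: The new check in v3d_get_multisync_submit_deps() closes the empty-multisync case, but termination of the extension walk still depends on each handler's own duplicate guard, since the commit message notes that v3d_get_extensions() follows the userspace-supplied `next` pointers with no bound on chain length. The walker is outside this hunk, so it is worth confirming that every other extension type it dispatches to also rejects a second visit; a cap on the number of extensions processed in the walker itself would make the loop finite regardless of what any single handler does. A short comment above the added test, e.g. `/* An empty multisync would never trip the duplicate-extension guard; reject it. */`, would keep the check from being removed later as redundant.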
diff --git a/queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch b/queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
new file mode 100644 (file)
index 0000000..1914948
--- /dev/null
@@ -0,0 +1,45 @@
+From stable+bounces-247840-greg=kroah.com@vger.kernel.org Fri May 15 18:26:59 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 11:36:49 -0400
+Subject: eventfs: Use list_add_tail_rcu() for SRCU-protected children list
+To: stable@vger.kernel.org
+Cc: David Carlier <devnexen@gmail.com>, Steven Rostedt <rostedt@goodmis.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515153649.3315091-1-sashal@kernel.org>
+
+From: David Carlier <devnexen@gmail.com>
+
+[ Upstream commit f67950b2887fa10df50c4317a1fe98a65bc6875b ]
+
+Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected
+list variable") converted the removal side to pair with the
+list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion
+in eventfs_create_dir() was left as a plain list_add_tail(), which on
+weakly-ordered architectures can expose a new entry to the SRCU reader
+before its list pointers and fields are observable.
+
+Use list_add_tail_rcu() so the publication pairs with the existing
+list_del_rcu() and list_for_each_entry_srcu().
+
+Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com
+Signed-off-by: David Carlier <devnexen@gmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+[ adapted scoped_guard(mutex, &eventfs_mutex) block to explicit mutex_lock()/mutex_unlock() pair ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/tracefs/event_inode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/tracefs/event_inode.c
++++ b/fs/tracefs/event_inode.c
+@@ -732,7 +732,7 @@ struct eventfs_inode *eventfs_create_dir
+       mutex_lock(&eventfs_mutex);
+       if (!parent->is_freed)
+-              list_add_tail(&ei->list, &parent->children);
++              list_add_tail_rcu(&ei->list, &parent->children);
+       mutex_unlock(&eventfs_mutex);
+       /* Was the parent freed? */
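Review bot: The switch to `list_add_tail_rcu()` in eventfs_create_dir() carries no comment, and because the insertion sits under `eventfs_mutex` a later cleanup could mistake the `_rcu` variant for unnecessary. A one-line comment above the call, such as `/* eventfs_iterate() walks ->children under SRCU; publish with RCU ordering */`, would record why holding the mutex alone is not enough. The function continues outside the hunk.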
diff --git a/queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch b/queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
new file mode 100644 (file)
index 0000000..2836cdd
--- /dev/null
@@ -0,0 +1,102 @@
+From stable+bounces-249569-greg=kroah.com@vger.kernel.org Tue May 19 13:57:03 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2026 07:53:09 -0400
+Subject: f2fs: fix false alarm of lockdep on cp_global_sem lock
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260519115310.2242131-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]
+
+lockdep reported a potential deadlock:
+
+a) TCMU device removal context:
+ - call del_gendisk() to get q->q_usage_counter
+ - call start_flush_work() to get work_completion of wb->dwork
+b) f2fs writeback context:
+ - in wb_workfn(), which holds work_completion of wb->dwork
+ - call f2fs_balance_fs() to get sbi->gc_lock
+c) f2fs vfs_write context:
+ - call f2fs_gc() to get sbi->gc_lock
+ - call f2fs_write_checkpoint() to get sbi->cp_global_sem
+d) f2fs mount context:
+ - call recover_fsync_data() to get sbi->cp_global_sem
+ - call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
+   that goes down to blk_mq_alloc_request and get q->q_usage_counter
+
+Original callstack is in Closes tag.
+
+However, I think this is a false alarm due to before mount returns
+successfully (context d), we can not access file therein via vfs_write
+(context c).
+
+Let's introduce per-sb cp_global_sem_key, and assign the key for
+cp_global_sem, so that lockdep can recognize cp_global_sem from
+different super block correctly.
+
+A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for
+the work.
+
+Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
+Cc: stable@kernel.org
+Reported-and-tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ adapted context to use plain `init_f2fs_rwsem` instead of mainline's `init_f2fs_rwsem_trace` macro ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h  |    3 +++
+ fs/f2fs/super.c |   11 +++++++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1967,6 +1967,9 @@ struct f2fs_sb_info {
+       spinlock_t iostat_lat_lock;
+       struct iostat_lat_info *iostat_io_lat;
+ #endif
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++      struct lock_class_key cp_global_sem_key;
++#endif
+ };
+ /* Definitions to access f2fs_sb_info */
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4889,6 +4889,11 @@ try_onemore:
+       init_f2fs_rwsem(&sbi->gc_lock);
+       mutex_init(&sbi->writepages);
+       init_f2fs_rwsem(&sbi->cp_global_sem);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++      lockdep_register_key(&sbi->cp_global_sem_key);
++      lockdep_set_class(&sbi->cp_global_sem.internal_rwsem,
++                                      &sbi->cp_global_sem_key);
++#endif
+       init_f2fs_rwsem(&sbi->node_write);
+       init_f2fs_rwsem(&sbi->node_change);
+       spin_lock_init(&sbi->stat_lock);
+@@ -5360,6 +5365,9 @@ free_options:
+ free_sb_buf:
+       kfree(raw_super);
+ free_sbi:
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++      lockdep_unregister_key(&sbi->cp_global_sem_key);
++#endif
+       kfree(sbi);
+       sb->s_fs_info = NULL;
+@@ -5441,6 +5449,9 @@ static void kill_f2fs_super(struct super
+       /* Release block devices last, after fscrypt_destroy_keyring(). */
+       if (sbi) {
+               destroy_device_list(sbi);
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++              lockdep_unregister_key(&sbi->cp_global_sem_key);
++#endif
+               kfree(sbi);
+               sb->s_fs_info = NULL;
+       }
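Review bot: The `lockdep_unregister_key()` added at `free_sbi:` runs on every failure path that reaches that label, so it is only balanced if the `lockdep_register_key()` placed after `init_f2fs_rwsem(&sbi->cp_global_sem)` has already run for that `sbi`; the hunks show neither the allocation nor the earlier `goto free_sbi` sites, so that ordering should be confirmed in the 6.18 tree. As far as I recall, unregistering a key that was never registered triggers a lockdep warning, which would turn an early mount failure into a splat on debug kernels. A comment at the registration site, e.g. `/* per-sb lockdep class: unregister before sbi is freed (free_sbi, kill_f2fs_super) */`, would keep the three sites tied together.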
diff --git a/queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch b/queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch
new file mode 100644 (file)
index 0000000..f8a8971
--- /dev/null
@@ -0,0 +1,97 @@
+From stable+bounces-249160-greg=kroah.com@vger.kernel.org Mon May 18 03:23:21 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 May 2026 21:23:15 -0400
+Subject: perf/x86/intel: Disable PMI for self-reloaded ACR events
+To: stable@vger.kernel.org
+Cc: Dapeng Mi <dapeng1.mi@linux.intel.com>, Andi Kleen <ak@linux.intel.com>, "Peter Zijlstra (Intel)" <peterz@infradead.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260518012315.481330-1-sashal@kernel.org>
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+[ Upstream commit 1271aeccc307066315b2d3b0d5af2510e27018b5 ]
+
+On platforms with Auto Counter Reload (ACR) support, such as NVL, a
+"NMI received for unknown reason 30" warning is observed when running
+multiple events in a group with ACR enabled:
+
+  $ perf record -e '{instructions/period=20000,acr_mask=0x2/u,\
+    cycles/period=40000,acr_mask=0x3/u}' ./test
+
+The warning occurs because the Performance Monitoring Interrupt (PMI)
+is enabled for the self-reloaded event (the cycles event in this case).
+According to the Intel SDM, the overflow bit
+(IA32_PERF_GLOBAL_STATUS.PMCn_OVF) is never set for self-reloaded events.
+Since the bit is not set, the perf NMI handler cannot identify the source
+of the interrupt, leading to the "unknown reason" message.
+
+Furthermore, enabling PMI for self-reloaded events is unnecessary and
+can lead to extraneous records that pollute the user's requested data.
+
+Disable the interrupt bit for all events configured with ACR self-reload.
+
+Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload")
+Reported-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260430002558.712334-4-dapeng1.mi@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c |   17 +++++++++++++----
+ arch/x86/events/perf_event.h |   10 ++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2866,11 +2866,11 @@ static void intel_pmu_enable_fixed(struc
+       intel_set_masks(event, idx);
+       /*
+-       * Enable IRQ generation (0x8), if not PEBS,
+-       * and enable ring-3 counting (0x2) and ring-0 counting (0x1)
+-       * if requested:
++       * Enable IRQ generation (0x8), if not PEBS or self-reloaded
++       * ACR event, and enable ring-3 counting (0x2) and ring-0
++       * counting (0x1) if requested:
+        */
+-      if (!event->attr.precise_ip)
++      if (!event->attr.precise_ip && !is_acr_self_reload_event(event))
+               bits |= INTEL_FIXED_0_ENABLE_PMI;
+       if (hwc->config & ARCH_PERFMON_EVENTSEL_USR)
+               bits |= INTEL_FIXED_0_USER;
+@@ -2955,6 +2955,15 @@ static void intel_pmu_enable_event(struc
+                       enable_mask |= ARCH_PERFMON_EVENTSEL_BR_CNTR;
+               intel_set_masks(event, idx);
+               static_call_cond(intel_pmu_enable_acr_event)(event);
++              /*
++               * For self-reloaded ACR event, don't enable PMI since
++               * HW won't set overflow bit in GLOBAL_STATUS. Otherwise,
++               * the PMI would be recognized as a suspicious NMI.
++               */
++              if (is_acr_self_reload_event(event))
++                      hwc->config &= ~ARCH_PERFMON_EVENTSEL_INT;
++              else if (!event->attr.precise_ip)
++                      hwc->config |= ARCH_PERFMON_EVENTSEL_INT;
+               __x86_pmu_enable_event(hwc, enable_mask);
+               break;
+       case INTEL_PMC_IDX_FIXED ... INTEL_PMC_IDX_FIXED_BTS - 1:
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -133,6 +133,16 @@ static inline bool is_acr_event_group(st
+       return check_leader_group(event->group_leader, PERF_X86_EVENT_ACR);
+ }
++static inline bool is_acr_self_reload_event(struct perf_event *event)
++{
++      struct hw_perf_event *hwc = &event->hw;
++
++      if (hwc->idx < 0)
++              return false;
++
++      return test_bit(hwc->idx, (unsigned long *)&hwc->config1);
++}
++
+ struct amd_nb {
+       int nb_id;  /* NorthBridge id */
+       int refcnt; /* reference count */
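Review bot: The new helper `is_acr_self_reload_event()` in perf_event.h tests a bit of `hwc->config1` for any event with a non-negative `hwc->idx`, without first checking `is_acr_event_group(event)` (the helper directly above it), and intel_pmu_enable_event() now calls it for each event that reaches this case. That is only correct if `config1` is guaranteed to be zero for events outside an ACR group, which these hunks do not show; gating the helper with `if (!is_acr_event_group(event) || hwc->idx < 0) return false;` would make it independent of that assumption. The `(unsigned long *)` cast in `test_bit()` also has no upper bound on `hwc->idx`, so it should be confirmed that the index can never exceed the width of `config1`.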
diff --git a/queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch b/queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
new file mode 100644 (file)
index 0000000..dd2104c
--- /dev/null
@@ -0,0 +1,48 @@
+From stable+bounces-249167-greg=kroah.com@vger.kernel.org Mon May 18 04:11:07 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 May 2026 22:11:00 -0400
+Subject: sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
+To: stable@vger.kernel.org
+Cc: Tejun Heo <tj@kernel.org>, Chris Mason <clm@meta.com>, Andrea Righi <arighi@nvidia.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260518021100.535042-1-sashal@kernel.org>
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 4fda9f0e7c950da4fe03cedeb2ac818edf5d03e9 ]
+
+bpf_iter_scx_dsq_new() clears kit->dsq on failure and
+bpf_iter_scx_dsq_{next,destroy}() guard against that. scx_dsq_move() doesn't -
+it dereferences kit->dsq immediately, so a BPF program that calls
+scx_bpf_dsq_move[_vtime]() after a failed iter_new oopses the kernel.
+
+Return false if kit->dsq is NULL.
+
+Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()")
+Cc: stable@vger.kernel.org # v6.12+
+Reported-by: Chris Mason <clm@meta.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+[ dropped upstream `sch = src_dsq->sched` reordering since stable initializes `sch` from `scx_root` instead ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -5650,6 +5650,14 @@ static bool scx_dsq_move(struct bpf_iter
+       bool in_balance;
+       unsigned long flags;
++      /*
++       * The verifier considers an iterator slot initialized on any
++       * KF_ITER_NEW return, so a BPF program may legally reach here after
++       * bpf_iter_scx_dsq_new() failed and left @kit->dsq NULL.
++       */
++      if (unlikely(!src_dsq))
++              return false;
++
+       if (!scx_kf_allowed_if_unlocked() &&
+           !scx_kf_allowed(sch, SCX_KF_DISPATCH))
+               return false;
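Review bot: The added `if (unlikely(!src_dsq)) return false;` only helps if nothing above it already dereferences `src_dsq` or `kit->dsq`, and the declaration block of scx_dsq_move() is outside this hunk. The backport note says the upstream reordering of `sch = src_dsq->sched` was dropped because stable initialises `sch` from `scx_root`. It is worth confirming in the 6.18 tree that no other initialiser in the declarations reads through the pointer, since a BPF program can reach this path after a failed bpf_iter_scx_dsq_new().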
diff --git a/queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch b/queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch
new file mode 100644 (file)
index 0000000..0a26192
--- /dev/null
@@ -0,0 +1,43 @@
+From stable+bounces-249261-greg=kroah.com@vger.kernel.org Mon May 18 13:50:17 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 May 2026 07:48:25 -0400
+Subject: sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before
+To: stable@vger.kernel.org
+Cc: Tejun Heo <tj@kernel.org>, Chris Mason <clm@meta.com>, Andrea Righi <arighi@nvidia.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260518114825.789656-1-sashal@kernel.org>
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 4155fb489fa175ec74eedde7d02219cf2fe74303 ]
+
+scx_prio_less() runs from core-sched's pick_next_task() path with rq
+locked but invokes ops.core_sched_before() with NULL locked_rq, leaving
+scx_locked_rq_state NULL. If the BPF callback calls a kfunc that
+re-acquires rq based on scx_locked_rq() - e.g. scx_bpf_cpuperf_set(cpu)
+- it re-acquires the already-held rq.
+
+Pass task_rq(a).
+
+Fixes: 7b0888b7cc19 ("sched_ext: Implement core-sched support")
+Cc: stable@vger.kernel.org # v6.12+
+Reported-by: Chris Mason <clm@meta.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+[ adapted call to use stable's single `sch`/`SCX_KF_REST` mask and `scx_rq_bypassing(task_rq(a))` signature ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -2522,7 +2522,7 @@ bool scx_prio_less(const struct task_str
+       if (SCX_HAS_OP(sch, core_sched_before) &&
+           !scx_rq_bypassing(task_rq(a)))
+               return SCX_CALL_OP_2TASKS_RET(sch, SCX_KF_REST, core_sched_before,
+-                                            NULL,
++                                            task_rq(a),
+                                             (struct task_struct *)a,
+                                             (struct task_struct *)b);
+       else
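Review bot: The call in scx_prio_less() now passes `task_rq(a)` as the locked rq with no comment saying why that rq is the one held. The commit message states the function runs from core-sched's pick_next_task() path with rq locked; a line such as `/* called from core-sched pick with rq held; pass it so kfuncs don't re-acquire */` above the call would record the invariant. It would also prompt a check that the held rq really is `a`'s in every caller, which this hunk does not show. The function body continues outside the hunk.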
index 3426404886e21cd9a503b599c54d49e835487fa7..0d4cbc1ff38317bb55a2d0b83267f5a514c7d348 100644 (file)
@@ -945,3 +945,13 @@ drm-ttm-convert-eagain-from-dmem_cgroup_try_charge-to-enospc.patch
 drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
 drm-gma500-oaktrail_lvds-fix-hang-on-init-failure.patch
 drm-gma500-oaktrail_lvds-fix-i2c-adapter-leaks-on-init.patch
+drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch
+eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch
+smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
+btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch
+perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch
+sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch
+sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch
+f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch
+spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
+spi-sifive-fix-controller-deregistration.patch
diff --git a/queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch b/queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch
new file mode 100644 (file)
index 0000000..4b964f7
--- /dev/null
@@ -0,0 +1,153 @@
+From stable+bounces-248923-greg=kroah.com@vger.kernel.org Fri May 15 23:38:05 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2026 17:35:02 -0400
+Subject: smb: client: Use FullSessionKey for AES-256 encryption key derivation
+To: stable@vger.kernel.org
+Cc: Piyush Sachdeva <s.piyush1024@gmail.com>, Bharath SM <bharathsm@microsoft.com>, Piyush Sachdeva <psachdeva@microsoft.com>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260515213502.3509663-1-sashal@kernel.org>
+
+From: Piyush Sachdeva <s.piyush1024@gmail.com>
+
+[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]
+
+When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
+or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
+using the full session key (Session.FullSessionKey) rather than just the
+first 16 bytes (Session.SessionKey).
+
+Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
+Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
+must be set to the full cryptographic key from the GSS authentication
+context. The encryption and decryption key derivation (SMBC2SCipherKey,
+SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
+signing key derivation continues to use Session.SessionKey (first 16
+bytes) in all cases.
+
+Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
+HMAC-SHA256 key input length for all derivations. When Kerberos with
+AES-256 provides a 32-byte session key, the KDF for encryption/decryption
+was using only the first 16 bytes, producing keys that did not match the
+server's, causing mount failures with sec=krb5 and require_gcm_256=1.
+
+Add a full_key_size parameter to generate_key() and pass the appropriate
+size from generate_smb3signingkey():
+ - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
+ - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16
+
+Also fix cifs_dump_full_key() to report the actual session key length for
+AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
+like Wireshark receive the correct key for decryption.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
+Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/ioctl.c         |    2 +-
+ fs/smb/client/smb2transport.c |   32 +++++++++++++++++++++++++-------
+ 2 files changed, 26 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/client/ioctl.c
++++ b/fs/smb/client/ioctl.c
+@@ -297,7 +297,7 @@ search_end:
+               break;
+       case SMB2_ENCRYPTION_AES256_CCM:
+       case SMB2_ENCRYPTION_AES256_GCM:
+-              out.session_key_length = CIFS_SESS_KEY_SIZE;
++              out.session_key_length = ses->auth_key.len;
+               out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
+               break;
+       default:
+--- a/fs/smb/client/smb2transport.c
++++ b/fs/smb/client/smb2transport.c
+@@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqs
+ }
+ static int generate_key(struct cifs_ses *ses, struct kvec label,
+-                      struct kvec context, __u8 *key, unsigned int key_size)
++                      struct kvec context, __u8 *key, unsigned int key_size,
++                      unsigned int full_key_size)
+ {
+       unsigned char zero = 0x0;
+       __u8 i[4] = {0, 0, 0, 1};
+@@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses
+       }
+       hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response,
+-                                   SMB2_NTLMV2_SESSKEY_SIZE);
++                                   full_key_size);
+       hmac_sha256_update(&hmac_ctx, i, 4);
+       hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len);
+       hmac_sha256_update(&hmac_ctx, &zero, 1);
+@@ -314,6 +315,7 @@ generate_smb3signingkey(struct cifs_ses
+                       struct TCP_Server_Info *server,
+                       const struct derivation_triplet *ptriplet)
+ {
++      unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
+       int rc;
+       bool is_binding = false;
+       int chan_index = 0;
+@@ -348,17 +350,31 @@ generate_smb3signingkey(struct cifs_ses
+               rc = generate_key(ses, ptriplet->signing.label,
+                                 ptriplet->signing.context,
+                                 ses->chans[chan_index].signkey,
+-                                SMB3_SIGN_KEY_SIZE);
++                                SMB3_SIGN_KEY_SIZE,
++                                SMB2_NTLMV2_SESSKEY_SIZE);
+               if (rc)
+                       return rc;
+       } else {
+               rc = generate_key(ses, ptriplet->signing.label,
+                                 ptriplet->signing.context,
+                                 ses->smb3signingkey,
+-                                SMB3_SIGN_KEY_SIZE);
++                                SMB3_SIGN_KEY_SIZE,
++                                SMB2_NTLMV2_SESSKEY_SIZE);
+               if (rc)
+                       return rc;
++              /*
++               * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
++               * (first 16 bytes). Encryption/decryption keys use
++               * Session.FullSessionKey when dialect is 3.1.1 and cipher is
++               * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
++               */
++
++              if (server->dialect == SMB311_PROT_ID &&
++                  (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
++                   server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
++                      full_key_size = ses->auth_key.len;
++
+               /* safe to access primary channel, since it will never go away */
+               spin_lock(&ses->chan_lock);
+               memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey,
+@@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses
+               rc = generate_key(ses, ptriplet->encryption.label,
+                                 ptriplet->encryption.context,
+                                 ses->smb3encryptionkey,
+-                                SMB3_ENC_DEC_KEY_SIZE);
++                                SMB3_ENC_DEC_KEY_SIZE,
++                                full_key_size);
+               if (rc)
+                       return rc;
+               rc = generate_key(ses, ptriplet->decryption.label,
+                                 ptriplet->decryption.context,
+                                 ses->smb3decryptionkey,
+-                                SMB3_ENC_DEC_KEY_SIZE);
++                                SMB3_ENC_DEC_KEY_SIZE,
++                                full_key_size);
+               if (rc)
+                       return rc;
+       }
+@@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses
+                       &ses->Suid);
+       cifs_dbg(VFS, "Cipher type   %d\n", server->cipher_type);
+       cifs_dbg(VFS, "Session Key   %*ph\n",
+-               SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
++               (int)ses->auth_key.len, ses->auth_key.response);
+       cifs_dbg(VFS, "Signing Key   %*ph\n",
+                SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
+       if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
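Review bot: `ses->auth_key.len` is now used unvalidated in three places: as the HMAC key length via `full_key_size` in generate_smb3signingkey(), as `out.session_key_length` in ioctl.c, and as the `%*ph` width in the key dump. None of the hunks shows where that length is set, so it should be confirmed that for every auth mechanism able to negotiate AES-256 it covers exactly the session key; if the buffer can hold more than that, the derivation would use the wrong input and the ioctl would report (and presumably copy out) more than the key. A guard before the assignment, e.g. `if (ses->auth_key.len < SMB2_NTLMV2_SESSKEY_SIZE) return -EINVAL;`, plus a check that the value fits the width of `session_key_length`, would make the assumption explicit. The key dump now also logs `auth_key.len` bytes for every cipher, not only AES-256.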
diff --git a/queue-6.18/spi-sifive-fix-controller-deregistration.patch b/queue-6.18/spi-sifive-fix-controller-deregistration.patch
new file mode 100644 (file)
index 0000000..96d9380
--- /dev/null
@@ -0,0 +1,57 @@
+From stable+bounces-249916-greg=kroah.com@vger.kernel.org Wed May 20 15:20:11 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2026 09:11:28 -0400
+Subject: spi: sifive: fix controller deregistration
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Yash Shah <yash.shah@sifive.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260520131128.3608456-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 0f25236694a2854627c1597465a071e6bb6fe572 ]
+
+Make sure to deregister the controller before disabling underlying
+resources like interrupts during driver unbind.
+
+Note that clocks were also disabled before the recent commit
+140039c23aca ("spi: sifive: Simplify clock handling with
+devm_clk_get_enabled()").
+
+Fixes: 484a9a68d669 ("spi: sifive: Add driver for the SiFive SPI controller")
+Cc: stable@vger.kernel.org     # 5.1
+Cc: Yash Shah <yash.shah@sifive.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-15-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sifive.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sifive.c
++++ b/drivers/spi/spi-sifive.c
+@@ -393,7 +393,7 @@ static int sifive_spi_probe(struct platf
+       dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
+                irq, host->num_chipselect);
+-      ret = devm_spi_register_controller(&pdev->dev, host);
++      ret = spi_register_controller(host);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "spi_register_host failed\n");
+               goto put_host;
+@@ -412,8 +412,14 @@ static void sifive_spi_remove(struct pla
+       struct spi_controller *host = platform_get_drvdata(pdev);
+       struct sifive_spi *spi = spi_controller_get_devdata(host);
++      spi_controller_get(host);
++
++      spi_unregister_controller(host);
++
+       /* Disable all the interrupts just in case */
+       sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
++
++      spi_controller_put(host);
+ }
+ static int sifive_spi_suspend(struct device *dev)
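Review bot: The `spi_controller_get(host)` / `spi_controller_put(host)` pair added to `sifive_spi_remove()` has no comment saying why a reference is taken around `spi_unregister_controller(host)`. Presumably unregistering can drop the last reference to a controller that was not devm-allocated, which would free `spi` (the controller's devdata) before the `SIFIVE_SPI_REG_IE` write. The allocation is in probe, outside this hunk, so that should be confirmed. I would add above the get: `/* hold a reference so host and its devdata outlive spi_unregister_controller() */`. Without it the pair looks redundant, and removing it in a later cleanup could turn the register write into a use-after-free.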
diff --git a/queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch b/queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch
new file mode 100644 (file)
index 0000000..eb9d1f5
--- /dev/null
@@ -0,0 +1,106 @@
+From stable+bounces-249917-greg=kroah.com@vger.kernel.org Wed May 20 15:20:07 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2026 09:11:27 -0400
+Subject: spi: sifive: Simplify clock handling with devm_clk_get_enabled()
+To: stable@vger.kernel.org
+Cc: Pei Xiao <xiaopei01@kylinos.cn>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260520131128.3608456-1-sashal@kernel.org>
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 140039c23aca067b9ff0242e3c0ce96276bb95f3 ]
+
+Replace devm_clk_get() followed by clk_prepare_enable() with
+devm_clk_get_enabled() for the bus clock. This reduces boilerplate code
+and error handling, as the managed API automatically disables the clock
+when the device is removed or if probe fails.
+
+Remove the now-unnecessary clk_disable_unprepare() calls from the probe
+error path and the remove callback. Adjust the error handling to use the
+existing put_host label.
+
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Link: https://patch.msgid.link/73d0d8ecb4e1af5a558d6a7866c0f886d94fe3d1.1773885292.git.xiaopei01@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 0f25236694a2 ("spi: sifive: fix controller deregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sifive.c |   21 ++++++---------------
+ 1 file changed, 6 insertions(+), 15 deletions(-)
+
+--- a/drivers/spi/spi-sifive.c
++++ b/drivers/spi/spi-sifive.c
+@@ -312,7 +312,8 @@ static int sifive_spi_probe(struct platf
+               goto put_host;
+       }
+-      spi->clk = devm_clk_get(&pdev->dev, NULL);
++      /* Spin up the bus clock before hitting registers */
++      spi->clk = devm_clk_get_enabled(&pdev->dev, NULL);
+       if (IS_ERR(spi->clk)) {
+               dev_err(&pdev->dev, "Unable to find bus clock\n");
+               ret = PTR_ERR(spi->clk);
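Review bot: The message under `IS_ERR(spi->clk)` still reads "Unable to find bus clock", but after the switch to `devm_clk_get_enabled()` this branch is also taken when the clock was found and could not be prepared or enabled. The separate "Unable to enable bus clock" message is removed in the next hunk, so the log no longer distinguishes the two failures and the error code is not printed. Consider replacing the `dev_err()` and `ret = PTR_ERR(...)` lines with `ret = dev_err_probe(&pdev->dev, PTR_ERR(spi->clk), "Unable to get and enable bus clock\n");`, which reports the code and stays quiet on probe deferral. The `if` body continues past the end of this hunk.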
+@@ -342,13 +343,6 @@ static int sifive_spi_probe(struct platf
+               goto put_host;
+       }
+-      /* Spin up the bus clock before hitting registers */
+-      ret = clk_prepare_enable(spi->clk);
+-      if (ret) {
+-              dev_err(&pdev->dev, "Unable to enable bus clock\n");
+-              goto put_host;
+-      }
+-
+       /* probe the number of CS lines */
+       spi->cs_inactive = sifive_spi_read(spi, SIFIVE_SPI_REG_CSDEF);
+       sifive_spi_write(spi, SIFIVE_SPI_REG_CSDEF, 0xffffffffU);
+@@ -357,14 +351,14 @@ static int sifive_spi_probe(struct platf
+       if (!cs_bits) {
+               dev_err(&pdev->dev, "Could not auto probe CS lines\n");
+               ret = -EINVAL;
+-              goto disable_clk;
++              goto put_host;
+       }
+       num_cs = ilog2(cs_bits) + 1;
+       if (num_cs > SIFIVE_SPI_MAX_CS) {
+               dev_err(&pdev->dev, "Invalid number of spi targets\n");
+               ret = -EINVAL;
+-              goto disable_clk;
++              goto put_host;
+       }
+       /* Define our host */
+@@ -393,7 +387,7 @@ static int sifive_spi_probe(struct platf
+                              dev_name(&pdev->dev), spi);
+       if (ret) {
+               dev_err(&pdev->dev, "Unable to bind to interrupt\n");
+-              goto disable_clk;
++              goto put_host;
+       }
+       dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n",
+@@ -402,13 +396,11 @@ static int sifive_spi_probe(struct platf
+       ret = devm_spi_register_controller(&pdev->dev, host);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "spi_register_host failed\n");
+-              goto disable_clk;
++              goto put_host;
+       }
+       return 0;
+-disable_clk:
+-      clk_disable_unprepare(spi->clk);
+ put_host:
+       spi_controller_put(host);
+@@ -422,7 +414,6 @@ static void sifive_spi_remove(struct pla
+       /* Disable all the interrupts just in case */
+       sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0);
+-      clk_disable_unprepare(spi->clk);
+ }
+ static int sifive_spi_suspend(struct device *dev)