From: Greg Kroah-Hartman Date: Wed, 20 May 2026 16:04:41 +0000 (+0200) Subject: 6.18-stable patches X-Git-Tag: v6.6.141~36 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d70563ecf057690952857f1ff5a594da290f77c6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch spi-sifive-fix-controller-deregistration.patch spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch --- diff --git a/queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch b/queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch new file mode 100644 index 0000000000..c9fe04442e --- /dev/null +++ b/queue-6.18/btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch 
@@ -0,0 +1,81 @@ +From stable+bounces-249026-greg=kroah.com@vger.kernel.org Sat May 16 21:09:12 2026 +From: Sasha Levin +Date: Sat, 16 May 2026 15:09:07 -0400 +Subject: btrfs: do not mark inode incompressible after inline attempt fails +To: stable@vger.kernel.org +Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin +Message-ID: <20260516190907.4016888-1-sashal@kernel.org> + +From: Qu Wenruo + +[ Upstream commit 2e0e3716c7b6f8d71df2fbe709b922e54700f71b ] + +[BUG] +The following sequence will set the file with nocompress flag: + + # mkfs.btrfs -f $dev + # mount $dev $mnt -o max_inline=4,compress + # xfs_io -f -c "pwrite 0 2k" -c sync $mnt/foobar + +The inode will have NOCOMPRESS flag, even if the content itself (all 0xcd) +can still be compressed very well: + + item 4 key (257 INODE_ITEM 0) itemoff 15879 itemsize 160 + generation 9 transid 10 size 2097152 nbytes 1052672 + block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 + sequence 257 flags 0x8(NOCOMPRESS) + +Please note that, this behavior is there even before commit 59615e2c1f63 +("btrfs: reject single block sized compression early"). + +[CAUSE] +At compress_file_range(), after btrfs_compress_folios() call, we try +making an inlined extent by calling cow_file_range_inline(). + +But cow_file_range_inline() calls can_cow_file_range_inline() which has +more accurate checks on if the range can be inlined. + +One of the user configurable conditions is the "max_inline=" mount +option. If that value is set low (like the example, 4 bytes, which +cannot store any header), or the compressed content is just slightly +larger than 2K (the default value, meaning a 50% compression ratio), +cow_file_range_inline() will return 1 immediately. + +And since we're here only to try inline the compressed data, the range +is no larger than a single fs block. + +Thus compression is never going to make it a win, we fall back to +marking the inode incompressible unavoidably. 
+ +[FIX] +Just add an extra check after inline attempt, so that if the inline +attempt failed, do not set the nocompress flag. + +As there is no way to remove that flag, and the default 50% compression +ratio is way too strict for the whole inode. + +CC: stable@vger.kernel.org # 6.12+ +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1006,6 +1006,12 @@ again: + mapping_set_error(mapping, -EIO); + goto free_pages; + } ++ /* ++ * If a single block at file offset 0 cannot be inlined, fall back to ++ * regular writes without marking the file incompressible. ++ */ ++ if (start == 0 && end <= blocksize) ++ goto cleanup_and_bail_uncompressed; + + /* + * We aren't doing an inline extent. Round the compressed size up to a diff --git a/queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch b/queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch new file mode 100644 index 0000000000..36c73d14ef --- /dev/null +++ b/queue-6.18/drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch 
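Review bot: The new guard `if (start == 0 && end <= blocksize)` in fs/btrfs/inode.c looks like an off-by-one if `end` is the inclusive last byte of the range, which is the usual btrfs convention but is declared outside this hunk. A single block at file offset 0 then has `end == blocksize - 1`, so `end < blocksize` would match the comment exactly, whereas `<=` also lets a range of blocksize + 1 bytes skip compression. If ranges reaching this point are always block-aligned the two forms behave the same, and a short remark in the comment saying so would settle it. The enclosing compress_file_range() body starts and ends outside the hunk.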
@@ -0,0 +1,56 @@ +From fb44d589bf3148e13452185a6e772a7efbf2d684 Mon Sep 17 00:00:00 2001 +From: Ashutosh Desai +Date: Wed, 15 Apr 2026 05:00:00 +0000 +Subject: drm/v3d: Reject empty multisync extension to prevent infinite loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ashutosh Desai + +commit fb44d589bf3148e13452185a6e772a7efbf2d684 upstream. + +v3d_get_extensions() walks a userspace-provided singly-linked list of +ioctl extensions without any bound on the chain length. A local user +can craft a self-referential extension (ext->next == &ext) with zero +in_sync_count and out_sync_count, which bypasses the existing duplicate- +extension guard: + + if (se->in_sync_count || se->out_sync_count) + return -EINVAL; + +The guard never fires because v3d_get_multisync_post_deps() returns +immediately when count is zero, leaving both fields at zero on every +iteration. The result is an infinite loop in kernel context, blocking +the calling thread and pegging a CPU core indefinitely. + +Fix this by rejecting a multisync extension where both in_sync_count +and out_sync_count are zero in v3d_get_multisync_submit_deps(). An +empty multisync carries no synchronization information and serves no +useful purpose, so returning -EINVAL for such an extension is the +correct defense against this attack vector. 
+ +Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support") +Cc: stable@vger.kernel.org +Signed-off-by: Ashutosh Desai +Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com +Signed-off-by: Maíra Canal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/v3d/v3d_submit.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/v3d/v3d_submit.c ++++ b/drivers/gpu/drm/v3d/v3d_submit.c +@@ -390,6 +390,11 @@ v3d_get_multisync_submit_deps(struct drm + if (multisync.pad) + return -EINVAL; + ++ if (!multisync.in_sync_count && !multisync.out_sync_count) { ++ DRM_DEBUG("Empty multisync extension\n"); ++ return -EINVAL; ++ } ++ + ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count, + multisync.out_syncs); + if (ret) diff --git a/queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch b/queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch new file mode 100644 index 0000000000..1914948dd9 --- /dev/null +++ b/queue-6.18/eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch 
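Review bot: The added check in v3d_get_multisync_submit_deps() closes the empty multisync case, but the walk in v3d_get_extensions(), which the commit message describes as having no bound on chain length, is not touched by this hunk. Termination still relies on each extension handler rejecting a repeat visit, so the handlers for other extension types, which are outside the hunk, should be checked for the same property. A small iteration cap in the walker that returns -EINVAL when exceeded would make termination independent of the per-extension guards. A comment above the new check, such as `/* An empty multisync leaves both se counts at zero and defeats the duplicate-extension guard. */`, would also record why it exists.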
@@ -0,0 +1,45 @@ +From stable+bounces-247840-greg=kroah.com@vger.kernel.org Fri May 15 18:26:59 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 11:36:49 -0400 +Subject: eventfs: Use list_add_tail_rcu() for SRCU-protected children list +To: stable@vger.kernel.org +Cc: David Carlier , Steven Rostedt , Sasha Levin +Message-ID: <20260515153649.3315091-1-sashal@kernel.org> + +From: David Carlier + +[ Upstream commit f67950b2887fa10df50c4317a1fe98a65bc6875b ] + +Commit d2603279c7d6 ("eventfs: Use list_del_rcu() for SRCU protected +list variable") converted the removal side to pair with the +list_for_each_entry_srcu() walker in eventfs_iterate(). The insertion +in eventfs_create_dir() was left as a plain list_add_tail(), which on +weakly-ordered architectures can expose a new entry to the SRCU reader +before its list pointers and fields are observable. + +Use list_add_tail_rcu() so the publication pairs with the existing +list_del_rcu() and list_for_each_entry_srcu(). + +Fixes: 43aa6f97c2d0 ("eventfs: Get rid of dentry pointers without refcounts") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260418152251.199343-1-devnexen@gmail.com +Signed-off-by: David Carlier +Signed-off-by: Steven Rostedt +[ adapted scoped_guard(mutex, &eventfs_mutex) block to explicit mutex_lock()/mutex_unlock() pair ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/event_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/tracefs/event_inode.c ++++ b/fs/tracefs/event_inode.c +@@ -732,7 +732,7 @@ struct eventfs_inode *eventfs_create_dir + + mutex_lock(&eventfs_mutex); + if (!parent->is_freed) +- list_add_tail(&ei->list, &parent->children); ++ list_add_tail_rcu(&ei->list, &parent->children); + mutex_unlock(&eventfs_mutex); + + /* Was the parent freed? */ 
diff --git a/queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch b/queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch new file mode 100644 index 0000000000..2836cdd2d8 --- /dev/null +++ b/queue-6.18/f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch 
@@ -0,0 +1,102 @@ +From stable+bounces-249569-greg=kroah.com@vger.kernel.org Tue May 19 13:57:03 2026 +From: Sasha Levin +Date: Tue, 19 May 2026 07:53:09 -0400 +Subject: f2fs: fix false alarm of lockdep on cp_global_sem lock +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, Shin'ichiro Kawasaki , Jaegeuk Kim , Sasha Levin +Message-ID: <20260519115310.2242131-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ] + +lockdep reported a potential deadlock: + +a) TCMU device removal context: + - call del_gendisk() to get q->q_usage_counter + - call start_flush_work() to get work_completion of wb->dwork +b) f2fs writeback context: + - in wb_workfn(), which holds work_completion of wb->dwork + - call f2fs_balance_fs() to get sbi->gc_lock +c) f2fs vfs_write context: + - call f2fs_gc() to get sbi->gc_lock + - call f2fs_write_checkpoint() to get sbi->cp_global_sem +d) f2fs mount context: + - call recover_fsync_data() to get sbi->cp_global_sem + - call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones() + that goes down to blk_mq_alloc_request and get q->q_usage_counter + +Original callstack is in Closes tag. + +However, I think this is a false alarm due to before mount returns +successfully (context d), we can not access file therein via vfs_write +(context c). + +Let's introduce per-sb cp_global_sem_key, and assign the key for +cp_global_sem, so that lockdep can recognize cp_global_sem from +different super block correctly. + +A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for +the work. 
+ +Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones") +Cc: stable@kernel.org +Reported-and-tested-by: Shin'ichiro Kawasaki +Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ adapted context to use plain `init_f2fs_rwsem` instead of mainline's `init_f2fs_rwsem_trace` macro ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 3 +++ + fs/f2fs/super.c | 11 +++++++++++ + 2 files changed, 14 insertions(+) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1967,6 +1967,9 @@ struct f2fs_sb_info { + spinlock_t iostat_lat_lock; + struct iostat_lat_info *iostat_io_lat; + #endif ++#ifdef CONFIG_DEBUG_LOCK_ALLOC ++ struct lock_class_key cp_global_sem_key; ++#endif + }; + + /* Definitions to access f2fs_sb_info */ +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4889,6 +4889,11 @@ try_onemore: + init_f2fs_rwsem(&sbi->gc_lock); + mutex_init(&sbi->writepages); + init_f2fs_rwsem(&sbi->cp_global_sem); ++#ifdef CONFIG_DEBUG_LOCK_ALLOC ++ lockdep_register_key(&sbi->cp_global_sem_key); ++ lockdep_set_class(&sbi->cp_global_sem.internal_rwsem, ++ &sbi->cp_global_sem_key); ++#endif + init_f2fs_rwsem(&sbi->node_write); + init_f2fs_rwsem(&sbi->node_change); + spin_lock_init(&sbi->stat_lock); +@@ -5360,6 +5365,9 @@ free_options: + free_sb_buf: + kfree(raw_super); + free_sbi: ++#ifdef CONFIG_DEBUG_LOCK_ALLOC ++ lockdep_unregister_key(&sbi->cp_global_sem_key); ++#endif + kfree(sbi); + sb->s_fs_info = NULL; + +@@ -5441,6 +5449,9 @@ static void kill_f2fs_super(struct super + /* Release block devices last, after fscrypt_destroy_keyring(). */ + if (sbi) { + destroy_device_list(sbi); ++#ifdef CONFIG_DEBUG_LOCK_ALLOC ++ lockdep_unregister_key(&sbi->cp_global_sem_key); ++#endif + kfree(sbi); + sb->s_fs_info = NULL; + } 
diff --git a/queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch b/queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch new file mode 100644 index 0000000000..f8a8971954 --- /dev/null +++ b/queue-6.18/perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch 
@@ -0,0 +1,97 @@ +From stable+bounces-249160-greg=kroah.com@vger.kernel.org Mon May 18 03:23:21 2026 +From: Sasha Levin +Date: Sun, 17 May 2026 21:23:15 -0400 +Subject: perf/x86/intel: Disable PMI for self-reloaded ACR events +To: stable@vger.kernel.org +Cc: Dapeng Mi , Andi Kleen , "Peter Zijlstra (Intel)" , Sasha Levin +Message-ID: <20260518012315.481330-1-sashal@kernel.org> + +From: Dapeng Mi + +[ Upstream commit 1271aeccc307066315b2d3b0d5af2510e27018b5 ] + +On platforms with Auto Counter Reload (ACR) support, such as NVL, a +"NMI received for unknown reason 30" warning is observed when running +multiple events in a group with ACR enabled: + + $ perf record -e '{instructions/period=20000,acr_mask=0x2/u,\ + cycles/period=40000,acr_mask=0x3/u}' ./test + +The warning occurs because the Performance Monitoring Interrupt (PMI) +is enabled for the self-reloaded event (the cycles event in this case). +According to the Intel SDM, the overflow bit +(IA32_PERF_GLOBAL_STATUS.PMCn_OVF) is never set for self-reloaded events. +Since the bit is not set, the perf NMI handler cannot identify the source +of the interrupt, leading to the "unknown reason" message. + +Furthermore, enabling PMI for self-reloaded events is unnecessary and +can lead to extraneous records that pollute the user's requested data. + +Disable the interrupt bit for all events configured with ACR self-reload. 
+ +Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload") +Reported-by: Andi Kleen +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260430002558.712334-4-dapeng1.mi@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 17 +++++++++++++---- + arch/x86/events/perf_event.h | 10 ++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2866,11 +2866,11 @@ static void intel_pmu_enable_fixed(struc + intel_set_masks(event, idx); + + /* +- * Enable IRQ generation (0x8), if not PEBS, +- * and enable ring-3 counting (0x2) and ring-0 counting (0x1) +- * if requested: ++ * Enable IRQ generation (0x8), if not PEBS or self-reloaded ++ * ACR event, and enable ring-3 counting (0x2) and ring-0 ++ * counting (0x1) if requested: + */ +- if (!event->attr.precise_ip) ++ if (!event->attr.precise_ip && !is_acr_self_reload_event(event)) + bits |= INTEL_FIXED_0_ENABLE_PMI; + if (hwc->config & ARCH_PERFMON_EVENTSEL_USR) + bits |= INTEL_FIXED_0_USER; +@@ -2955,6 +2955,15 @@ static void intel_pmu_enable_event(struc + enable_mask |= ARCH_PERFMON_EVENTSEL_BR_CNTR; + intel_set_masks(event, idx); + static_call_cond(intel_pmu_enable_acr_event)(event); ++ /* ++ * For self-reloaded ACR event, don't enable PMI since ++ * HW won't set overflow bit in GLOBAL_STATUS. Otherwise, ++ * the PMI would be recognized as a suspicious NMI. ++ */ ++ if (is_acr_self_reload_event(event)) ++ hwc->config &= ~ARCH_PERFMON_EVENTSEL_INT; ++ else if (!event->attr.precise_ip) ++ hwc->config |= ARCH_PERFMON_EVENTSEL_INT; + __x86_pmu_enable_event(hwc, enable_mask); + break; + case INTEL_PMC_IDX_FIXED ... 
INTEL_PMC_IDX_FIXED_BTS - 1: +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -133,6 +133,16 @@ static inline bool is_acr_event_group(st + return check_leader_group(event->group_leader, PERF_X86_EVENT_ACR); + } + ++static inline bool is_acr_self_reload_event(struct perf_event *event) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ ++ if (hwc->idx < 0) ++ return false; ++ ++ return test_bit(hwc->idx, (unsigned long *)&hwc->config1); ++} ++ + struct amd_nb { + int nb_id; /* NorthBridge id */ + int refcnt; /* reference count */ diff --git a/queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch b/queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch new file mode 100644 index 0000000000..dd2104c621 --- /dev/null +++ b/queue-6.18/sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch 
@@ -0,0 +1,48 @@ +From stable+bounces-249167-greg=kroah.com@vger.kernel.org Mon May 18 04:11:07 2026 +From: Sasha Levin +Date: Sun, 17 May 2026 22:11:00 -0400 +Subject: sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new +To: stable@vger.kernel.org +Cc: Tejun Heo , Chris Mason , Andrea Righi , Sasha Levin +Message-ID: <20260518021100.535042-1-sashal@kernel.org> + +From: Tejun Heo + +[ Upstream commit 4fda9f0e7c950da4fe03cedeb2ac818edf5d03e9 ] + +bpf_iter_scx_dsq_new() clears kit->dsq on failure and +bpf_iter_scx_dsq_{next,destroy}() guard against that. scx_dsq_move() doesn't - +it dereferences kit->dsq immediately, so a BPF program that calls +scx_bpf_dsq_move[_vtime]() after a failed iter_new oopses the kernel. + +Return false if kit->dsq is NULL. + +Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()") +Cc: stable@vger.kernel.org # v6.12+ +Reported-by: Chris Mason +Signed-off-by: Tejun Heo +Reviewed-by: Andrea Righi +[ dropped upstream `sch = src_dsq->sched` reordering since stable initializes `sch` from `scx_root` instead ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -5650,6 +5650,14 @@ static bool scx_dsq_move(struct bpf_iter + bool in_balance; + unsigned long flags; + ++ /* ++ * The verifier considers an iterator slot initialized on any ++ * KF_ITER_NEW return, so a BPF program may legally reach here after ++ * bpf_iter_scx_dsq_new() failed and left @kit->dsq NULL. ++ */ ++ if (unlikely(!src_dsq)) ++ return false; ++ + if (!scx_kf_allowed_if_unlocked() && + !scx_kf_allowed(sch, SCX_KF_DISPATCH)) + return false; diff --git a/queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch b/queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch new file mode 100644 index 0000000000..0a261921d5 --- /dev/null 
+++ b/queue-6.18/sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch @@ -0,0 +1,43 @@ +From stable+bounces-249261-greg=kroah.com@vger.kernel.org Mon May 18 13:50:17 2026 +From: Sasha Levin +Date: Mon, 18 May 2026 07:48:25 -0400 +Subject: sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before +To: stable@vger.kernel.org +Cc: Tejun Heo , Chris Mason , Andrea Righi , Sasha Levin +Message-ID: <20260518114825.789656-1-sashal@kernel.org> + +From: Tejun Heo + +[ Upstream commit 4155fb489fa175ec74eedde7d02219cf2fe74303 ] + +scx_prio_less() runs from core-sched's pick_next_task() path with rq +locked but invokes ops.core_sched_before() with NULL locked_rq, leaving +scx_locked_rq_state NULL. If the BPF callback calls a kfunc that +re-acquires rq based on scx_locked_rq() - e.g. scx_bpf_cpuperf_set(cpu) +- it re-acquires the already-held rq. + +Pass task_rq(a). + +Fixes: 7b0888b7cc19 ("sched_ext: Implement core-sched support") +Cc: stable@vger.kernel.org # v6.12+ +Reported-by: Chris Mason +Signed-off-by: Tejun Heo +Reviewed-by: Andrea Righi +[ adapted call to use stable's single `sch`/`SCX_KF_REST` mask and `scx_rq_bypassing(task_rq(a))` signature ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -2522,7 +2522,7 @@ bool scx_prio_less(const struct task_str + if (SCX_HAS_OP(sch, core_sched_before) && + !scx_rq_bypassing(task_rq(a))) + return SCX_CALL_OP_2TASKS_RET(sch, SCX_KF_REST, core_sched_before, +- NULL, ++ task_rq(a), + (struct task_struct *)a, + (struct task_struct *)b); + else diff --git a/queue-6.18/series b/queue-6.18/series index 3426404886..0d4cbc1ff3 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
@@ -945,3 +945,13 @@ drm-ttm-convert-eagain-from-dmem_cgroup_try_charge-to-enospc.patch drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch drm-gma500-oaktrail_lvds-fix-hang-on-init-failure.patch drm-gma500-oaktrail_lvds-fix-i2c-adapter-leaks-on-init.patch +drm-v3d-reject-empty-multisync-extension-to-prevent-infinite-loop.patch +eventfs-use-list_add_tail_rcu-for-srcu-protected-children-list.patch +smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch +btrfs-do-not-mark-inode-incompressible-after-inline-attempt-fails.patch +perf-x86-intel-disable-pmi-for-self-reloaded-acr-events.patch +sched_ext-guard-scx_dsq_move-against-null-kit-dsq-after-failed-iter_new.patch +sched_ext-pass-held-rq-to-scx_call_op-for-core_sched_before.patch +f2fs-fix-false-alarm-of-lockdep-on-cp_global_sem-lock.patch +spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch +spi-sifive-fix-controller-deregistration.patch diff --git a/queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch b/queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch new file mode 100644 index 0000000000..4b964f73d5 --- /dev/null +++ b/queue-6.18/smb-client-use-fullsessionkey-for-aes-256-encryption-key-derivation.patch 
@@ -0,0 +1,153 @@ +From stable+bounces-248923-greg=kroah.com@vger.kernel.org Fri May 15 23:38:05 2026 +From: Sasha Levin +Date: Fri, 15 May 2026 17:35:02 -0400 +Subject: smb: client: Use FullSessionKey for AES-256 encryption key derivation +To: stable@vger.kernel.org +Cc: Piyush Sachdeva , Bharath SM , Piyush Sachdeva , Steve French , Sasha Levin +Message-ID: <20260515213502.3509663-1-sashal@kernel.org> + +From: Piyush Sachdeva + +[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ] + +When Kerberos authentication is used with AES-256 encryption (AES-256-CCM +or AES-256-GCM), the SMB3 encryption and decryption keys must be derived +using the full session key (Session.FullSessionKey) rather than just the +first 16 bytes (Session.SessionKey). + +Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and +Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey +must be set to the full cryptographic key from the GSS authentication +context. The encryption and decryption key derivation (SMBC2SCipherKey, +SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The +signing key derivation continues to use Session.SessionKey (first 16 +bytes) in all cases. + +Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the +HMAC-SHA256 key input length for all derivations. When Kerberos with +AES-256 provides a 32-byte session key, the KDF for encryption/decryption +was using only the first 16 bytes, producing keys that did not match the +server's, causing mount failures with sec=krb5 and require_gcm_256=1. 
+ +Add a full_key_size parameter to generate_key() and pass the appropriate +size from generate_smb3signingkey(): + - Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes) + - Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16 + +Also fix cifs_dump_full_key() to report the actual session key length for +AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools +like Wireshark receive the correct key for decryption. + +Cc: +Reviewed-by: Bharath SM +Signed-off-by: Piyush Sachdeva +Signed-off-by: Piyush Sachdeva +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/ioctl.c | 2 +- + fs/smb/client/smb2transport.c | 32 +++++++++++++++++++++++++------- + 2 files changed, 26 insertions(+), 8 deletions(-) + +--- a/fs/smb/client/ioctl.c ++++ b/fs/smb/client/ioctl.c +@@ -297,7 +297,7 @@ search_end: + break; + case SMB2_ENCRYPTION_AES256_CCM: + case SMB2_ENCRYPTION_AES256_GCM: +- out.session_key_length = CIFS_SESS_KEY_SIZE; ++ out.session_key_length = ses->auth_key.len; + out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE; + break; + default: +--- a/fs/smb/client/smb2transport.c ++++ b/fs/smb/client/smb2transport.c +@@ -259,7 +259,8 @@ smb2_calc_signature(struct smb_rqst *rqs + } + + static int generate_key(struct cifs_ses *ses, struct kvec label, +- struct kvec context, __u8 *key, unsigned int key_size) ++ struct kvec context, __u8 *key, unsigned int key_size, ++ unsigned int full_key_size) + { + unsigned char zero = 0x0; + __u8 i[4] = {0, 0, 0, 1}; +@@ -280,7 +281,7 @@ static int generate_key(struct cifs_ses + } + + hmac_sha256_init_usingrawkey(&hmac_ctx, ses->auth_key.response, +- SMB2_NTLMV2_SESSKEY_SIZE); ++ full_key_size); + hmac_sha256_update(&hmac_ctx, i, 4); + hmac_sha256_update(&hmac_ctx, label.iov_base, label.iov_len); + hmac_sha256_update(&hmac_ctx, &zero, 1); +@@ -314,6 +315,7 @@ generate_smb3signingkey(struct cifs_ses + struct TCP_Server_Info 
*server, + const struct derivation_triplet *ptriplet) + { ++ unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE; + int rc; + bool is_binding = false; + int chan_index = 0; +@@ -348,17 +350,31 @@ generate_smb3signingkey(struct cifs_ses + rc = generate_key(ses, ptriplet->signing.label, + ptriplet->signing.context, + ses->chans[chan_index].signkey, +- SMB3_SIGN_KEY_SIZE); ++ SMB3_SIGN_KEY_SIZE, ++ SMB2_NTLMV2_SESSKEY_SIZE); + if (rc) + return rc; + } else { + rc = generate_key(ses, ptriplet->signing.label, + ptriplet->signing.context, + ses->smb3signingkey, +- SMB3_SIGN_KEY_SIZE); ++ SMB3_SIGN_KEY_SIZE, ++ SMB2_NTLMV2_SESSKEY_SIZE); + if (rc) + return rc; + ++ /* ++ * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey ++ * (first 16 bytes). Encryption/decryption keys use ++ * Session.FullSessionKey when dialect is 3.1.1 and cipher is ++ * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey. ++ */ ++ ++ if (server->dialect == SMB311_PROT_ID && ++ (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM || ++ server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) ++ full_key_size = ses->auth_key.len; ++ + /* safe to access primary channel, since it will never go away */ + spin_lock(&ses->chan_lock); + memcpy(ses->chans[chan_index].signkey, ses->smb3signingkey, +@@ -368,13 +384,15 @@ generate_smb3signingkey(struct cifs_ses + rc = generate_key(ses, ptriplet->encryption.label, + ptriplet->encryption.context, + ses->smb3encryptionkey, +- SMB3_ENC_DEC_KEY_SIZE); ++ SMB3_ENC_DEC_KEY_SIZE, ++ full_key_size); + if (rc) + return rc; + rc = generate_key(ses, ptriplet->decryption.label, + ptriplet->decryption.context, + ses->smb3decryptionkey, +- SMB3_ENC_DEC_KEY_SIZE); ++ SMB3_ENC_DEC_KEY_SIZE, ++ full_key_size); + if (rc) + return rc; + } +@@ -389,7 +407,7 @@ generate_smb3signingkey(struct cifs_ses + &ses->Suid); + cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type); + cifs_dbg(VFS, "Session Key %*ph\n", +- SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response); ++ 
(int)ses->auth_key.len, ses->auth_key.response); + cifs_dbg(VFS, "Signing Key %*ph\n", + SMB3_SIGN_KEY_SIZE, ses->smb3signingkey); + if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || diff --git a/queue-6.18/spi-sifive-fix-controller-deregistration.patch b/queue-6.18/spi-sifive-fix-controller-deregistration.patch new file mode 100644 index 0000000000..96d93809c5 --- /dev/null +++ b/queue-6.18/spi-sifive-fix-controller-deregistration.patch 
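Review bot: In generate_smb3signingkey() the new `full_key_size = ses->auth_key.len;` is selected from dialect and cipher alone and then used unvalidated as the HMAC key length in generate_key(), although the commit message scopes the change to Kerberos sessions. Where `auth_key.len` is set is outside this diff; if it can be shorter than SMB2_NTLMV2_SESSKEY_SIZE, or can cover more than the session key for other authentication mechanisms, the encryption and decryption keys would be derived from the wrong input and would no longer match the server's. A guard before the assignment, for example `if (ses->auth_key.len < SMB2_NTLMV2_SESSKEY_SIZE) return -EINVAL;`, plus a comment naming the mechanisms expected to supply a full-length key, would make the assumption explicit. The last hunk also changes the `cifs_dbg(VFS, "Session Key %*ph\n", ...)` dump to print `auth_key.len` bytes for every cipher rather than 16, so more secret material reaches the kernel log wherever that debug block is compiled in. Limiting the longer dump to the AES-256 case would keep the exposure no wider than the fix needs.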
@@ -0,0 +1,57 @@ +From stable+bounces-249916-greg=kroah.com@vger.kernel.org Wed May 20 15:20:11 2026 +From: Sasha Levin +Date: Wed, 20 May 2026 09:11:28 -0400 +Subject: spi: sifive: fix controller deregistration +To: stable@vger.kernel.org +Cc: Johan Hovold , Yash Shah , Mark Brown , Sasha Levin +Message-ID: <20260520131128.3608456-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 0f25236694a2854627c1597465a071e6bb6fe572 ] + +Make sure to deregister the controller before disabling underlying +resources like interrupts during driver unbind. + +Note that clocks were also disabled before the recent commit +140039c23aca ("spi: sifive: Simplify clock handling with +devm_clk_get_enabled()"). + +Fixes: 484a9a68d669 ("spi: sifive: Add driver for the SiFive SPI controller") +Cc: stable@vger.kernel.org # 5.1 +Cc: Yash Shah +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-15-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sifive.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sifive.c ++++ b/drivers/spi/spi-sifive.c +@@ -393,7 +393,7 @@ static int sifive_spi_probe(struct platf + dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n", + irq, host->num_chipselect); + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (ret < 0) { + dev_err(&pdev->dev, "spi_register_host failed\n"); + goto put_host; +@@ -412,8 +412,14 @@ static void sifive_spi_remove(struct pla + struct spi_controller *host = platform_get_drvdata(pdev); + struct sifive_spi *spi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + /* Disable all the interrupts just in case */ + sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0); ++ ++ spi_controller_put(host); + } + + static int sifive_spi_suspend(struct device *dev) 
diff --git a/queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch b/queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch new file mode 100644 index 0000000000..eb9d1f58e0 --- /dev/null +++ b/queue-6.18/spi-sifive-simplify-clock-handling-with-devm_clk_get_enabled.patch 
@@ -0,0 +1,106 @@ +From stable+bounces-249917-greg=kroah.com@vger.kernel.org Wed May 20 15:20:07 2026 +From: Sasha Levin +Date: Wed, 20 May 2026 09:11:27 -0400 +Subject: spi: sifive: Simplify clock handling with devm_clk_get_enabled() +To: stable@vger.kernel.org +Cc: Pei Xiao , Mark Brown , Sasha Levin +Message-ID: <20260520131128.3608456-1-sashal@kernel.org> + +From: Pei Xiao + +[ Upstream commit 140039c23aca067b9ff0242e3c0ce96276bb95f3 ] + +Replace devm_clk_get() followed by clk_prepare_enable() with +devm_clk_get_enabled() for the bus clock. This reduces boilerplate code +and error handling, as the managed API automatically disables the clock +when the device is removed or if probe fails. + +Remove the now-unnecessary clk_disable_unprepare() calls from the probe +error path and the remove callback. Adjust the error handling to use the +existing put_host label. + +Signed-off-by: Pei Xiao +Link: https://patch.msgid.link/73d0d8ecb4e1af5a558d6a7866c0f886d94fe3d1.1773885292.git.xiaopei01@kylinos.cn +Signed-off-by: Mark Brown +Stable-dep-of: 0f25236694a2 ("spi: sifive: fix controller deregistration") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sifive.c | 21 ++++++--------------- + 1 file changed, 6 insertions(+), 15 deletions(-) + +--- a/drivers/spi/spi-sifive.c ++++ b/drivers/spi/spi-sifive.c +@@ -312,7 +312,8 @@ static int sifive_spi_probe(struct platf + goto put_host; + } + +- spi->clk = devm_clk_get(&pdev->dev, NULL); ++ /* Spin up the bus clock before hitting registers */ ++ spi->clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(spi->clk)) { + dev_err(&pdev->dev, "Unable to find bus clock\n"); + ret = PTR_ERR(spi->clk); +@@ -342,13 +343,6 @@ static int sifive_spi_probe(struct platf + goto put_host; + } + +- /* Spin up the bus clock before hitting registers */ +- ret = clk_prepare_enable(spi->clk); +- if (ret) { +- dev_err(&pdev->dev, "Unable to enable bus clock\n"); +- goto put_host; +- } +- + /* probe the number 
of CS lines */ + spi->cs_inactive = sifive_spi_read(spi, SIFIVE_SPI_REG_CSDEF); + sifive_spi_write(spi, SIFIVE_SPI_REG_CSDEF, 0xffffffffU); +@@ -357,14 +351,14 @@ static int sifive_spi_probe(struct platf + if (!cs_bits) { + dev_err(&pdev->dev, "Could not auto probe CS lines\n"); + ret = -EINVAL; +- goto disable_clk; ++ goto put_host; + } + + num_cs = ilog2(cs_bits) + 1; + if (num_cs > SIFIVE_SPI_MAX_CS) { + dev_err(&pdev->dev, "Invalid number of spi targets\n"); + ret = -EINVAL; +- goto disable_clk; ++ goto put_host; + } + + /* Define our host */ +@@ -393,7 +387,7 @@ static int sifive_spi_probe(struct platf + dev_name(&pdev->dev), spi); + if (ret) { + dev_err(&pdev->dev, "Unable to bind to interrupt\n"); +- goto disable_clk; ++ goto put_host; + } + + dev_info(&pdev->dev, "mapped; irq=%d, cs=%d\n", +@@ -402,13 +396,11 @@ static int sifive_spi_probe(struct platf + ret = devm_spi_register_controller(&pdev->dev, host); + if (ret < 0) { + dev_err(&pdev->dev, "spi_register_host failed\n"); +- goto disable_clk; ++ goto put_host; + } + + return 0; + +-disable_clk: +- clk_disable_unprepare(spi->clk); + put_host: + spi_controller_put(host); + +@@ -422,7 +414,6 @@ static void sifive_spi_remove(struct pla + + /* Disable all the interrupts just in case */ + sifive_spi_write(spi, SIFIVE_SPI_REG_IE, 0); +- clk_disable_unprepare(spi->clk); + } + + static int sifive_spi_suspend(struct device *dev)