diff --git a/COPYING-5.14.0-687.5.3.el9 b/COPYING-5.14.0-687.5.4.el9
similarity index 100%
rename from COPYING-5.14.0-687.5.3.el9
rename to COPYING-5.14.0-687.5.4.el9
diff --git a/configs/kernel-5.14.0-ppc64le-debug.config b/configs/kernel-5.14.0-ppc64le-debug.config
index 9f7f188211..698066bc5c 100644
--- a/configs/kernel-5.14.0-ppc64le-debug.config
+++ b/configs/kernel-5.14.0-ppc64le-debug.config
@@ -473,9 +473,6 @@ CONFIG_HZ=100
 CONFIG_SCHED_HRTICK=y
 CONFIG_PPC_TRANSACTIONAL_MEM=y
 CONFIG_MPROFILE_KERNEL=y
-CONFIG_ARCH_USING_PATCHABLE_FUNCTION_ENTRY=y
-CONFIG_PPC_FTRACE_OUT_OF_LINE=y
-CONFIG_PPC_FTRACE_OUT_OF_LINE_NUM_RESERVE=32768
 CONFIG_HOTPLUG_CPU=y
 CONFIG_PPC_QUEUED_SPINLOCKS=y
 CONFIG_ARCH_CPU_PROBE_RELEASE=y
@@ -666,7 +663,6 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 CONFIG_HAVE_GCC_PLUGINS=y
 # CONFIG_GCC_PLUGINS is not set
 CONFIG_FUNCTION_ALIGNMENT=0
-CONFIG_ARCH_WANTS_PRE_LINK_VMLINUX=y
 # end of General architecture-dependent options
 CONFIG_RT_MUTEXES=y
@@ -4864,7 +4860,6 @@ CONFIG_HID_KUNIT_TEST=m
 #
 # HID-BPF support
 #
-CONFIG_HID_BPF=y
 # end of HID-BPF support
 CONFIG_I2C_HID=y
@@ -6819,8 +6814,6 @@ CONFIG_HAVE_FUNCTION_TRACER=y
 CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
 CONFIG_HAVE_DYNAMIC_FTRACE=y
 CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
-CONFIG_HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS=y
 CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y
 CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
 CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
@@ -6840,8 +6833,6 @@ CONFIG_FUNCTION_TRACER=y
 CONFIG_FUNCTION_GRAPH_TRACER=y
 CONFIG_DYNAMIC_FTRACE=y
 CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
-CONFIG_DYNAMIC_FTRACE_WITH_CALL_OPS=y
 CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
 CONFIG_FPROBE=y
 CONFIG_FUNCTION_PROFILER=y
@@ -6865,7 +6856,7 @@ CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
 # CONFIG_BPF_KPROBE_OVERRIDE is not set
 CONFIG_FTRACE_MCOUNT_RECORD=y
-CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
+CONFIG_FTRACE_MCOUNT_USE_CC=y
 CONFIG_TRACING_MAP=y
 CONFIG_SYNTH_EVENTS=y
 CONFIG_HIST_TRIGGERS=y
diff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c
index e1917ab4f5..c02d96c738 100644
--- a/fs/smb/client/cifs_spnego.c
+++ b/fs/smb/client/cifs_spnego.c
@@ -8,6 +8,7 @@
 */
 #include
+#include
 #include
 #include
 #include
@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key)
 kfree(key->payload.data[0]);
 }
+static int
+cifs_spnego_key_vet_description(const char *description)
+{
+ /*
+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall.
+ * They are only valid when produced by CIFS while using the private
+ * spnego_cred installed below. Do not let userspace create this type
+ * of key through request_key(2)/add_key(2), since the helper treats
+ * pid/uid/creduid/upcall_target as kernel-originating fields.
+ */
+ if (current_cred() != spnego_cred)
+ return -EPERM;
+ return 0;
+}
 /*
 * keytype for CIFS spnego keys
 */
 struct key_type cifs_spnego_key_type = {
 .name = "cifs.spnego",
+ .vet_description = cifs_spnego_key_vet_description,
 .instantiate = cifs_spnego_key_instantiate,
 .destroy = cifs_spnego_key_destroy,
 .describe = user_describe,
diff --git a/kernel.sbat b/kernel.sbat
index 9c5027d283..c2c4d2c484 100644
--- a/kernel.sbat
+++ b/kernel.sbat
@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-kernel.rhel,1,Red Hat,kernel-core,5.14.0-687.5.3.el9.x86_64,mailto:secalert@redhat.com
-kernel.almalinux,1,AlmaLinux,kernel-core,5.14.0-687.5.3.el9.x86_64,mailto:security@almalinux.org
+kernel.rhel,1,Red Hat,kernel-core,5.14.0-687.5.4.el9.x86_64,mailto:secalert@redhat.com
+kernel.almalinux,1,AlmaLinux,kernel-core,5.14.0-687.5.4.el9.x86_64,mailto:security@almalinux.org
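Review bot: In fs/smb/client/cifs_spnego.c, `cifs_spnego_key_vet_description` never reads its `description` argument: the gate is only the pointer comparison `current_cred() != spnego_cred`, so it is exactly as strong as the guarantee that every in-kernel creator of a cifs.spnego key runs under the overridden spnego_cred, and that caller is outside this hunk. I would state that above the function, e.g. `/* Caller-identity check only; the description string itself is not parsed or validated here. */`. The rejection is also silent, so if userspace attempts should be visible to operators, a rate-limited message before `return -EPERM;` such as `pr_warn_ratelimited("cifs.spnego: key creation outside CIFS denied\n");` would give detection something to key on. The declaration and initialisation of spnego_cred are not visible here; while it is still unset the comparison presumably fails closed, which is worth confirming against the order in which the key type is registered.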
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index b4c9958c60..1206164fb3 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4607,7 +4607,8 @@ normal:
 skb_copy_from_linear_data_offset(head_skb, offset, skb_put(nskb, hsize), hsize);
- skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags &
+ skb_shinfo(nskb)->flags |= (skb_shinfo(head_skb)->flags |
+ skb_shinfo(frag_skb)->flags) &
 SKBFL_SHARED_FRAG;
 if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
@@ -4624,6 +4625,10 @@ normal:
 nfrags = skb_shinfo(list_skb)->nr_frags;
 frag = skb_shinfo(list_skb)->frags;
 frag_skb = list_skb;
+
+ skb_shinfo(nskb)->flags |= skb_shinfo(frag_skb)->flags &
+ SKBFL_SHARED_FRAG;
+
 if (!skb_headlen(list_skb)) {
 BUG_ON(!nfrags);
 } else {
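Review bot: Neither hunk in net/core/skbuff.c carries a comment saying why SKBFL_SHARED_FRAG now has to follow `frag_skb` and not only `head_skb`, and the same mask expression is written out at both sites (the nskb setup at -4607 and the switch to `list_skb` at -4624). A short comment at the second site, e.g. `/* frags now come from list_skb: carry over its shared-frag marking to nskb */`, would keep the two sites from drifting apart. The flag is only ever OR-ed in, so nskb stays marked once any source skb was marked, which looks like the intended conservative choice. Both hunks sit inside a larger function whose remaining body is outside the visible lines, so it is worth confirming that no other assignment to `frag_skb` changes the fragment source without the same update.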