From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com,
Kuniyuki Iwashima <kuniyu@google.com>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 043/175] Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Date: Sun, 7 Sep 2025 21:57:18 +0200 [thread overview]
Message-ID: <20250907195615.873298583@linuxfoundation.org> (raw)
In-Reply-To: <20250907195614.892725141@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 862c628108562d8c7a516a900034823b381d3cba ]
syzbot reported the splat below without a repro.
In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.
The root cause would be the racy l2cap_sock_cleanup_listen() call
added by the cited commit.
bt_accept_dequeue() is called under lock_sock() except for
l2cap_sock_release().
Two threads could see the same socket during the list iteration
in bt_accept_dequeue():
CPU1 CPU2 (close())
---- ----
sock_hold(sk) sock_hold(sk);
lock_sock(sk) <-- block close()
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- refcnt by bt_accept_enqueue()
release_sock(sk)
lock_sock(sk)
sock_put(sk)
bt_accept_unlink(sk)
sock_put(sk) <-- last refcnt
bt_accept_unlink(sk) <-- UAF
Depending on the timing, the other thread could show up in the
"Freed by task" part.
Let's call l2cap_sock_cleanup_listen() under lock_sock() in
l2cap_sock_release().
[0]:
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
spin_lock_bh include/linux/spinlock.h:356 [inline]
release_sock+0x21/0x220 net/core/sock.c:3746
bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x3ff/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2accf8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f
R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c
R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490
</TASK>
Allocated by task 5326:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2239
sk_alloc+0x36/0xc20 net/core/sock.c:2295
bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1894
l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1482
l2cap_connect_cfm+0x4c4/0xf80 net/bluetooth/l2cap_core.c:7287
hci_connect_cfm include/net/bluetooth/hci_core.h:2050 [inline]
hci_remote_features_evt+0x4dd/0x970 net/bluetooth/hci_event.c:3712
hci_event_func net/bluetooth/hci_event.c:7519 [inline]
hci_event_packet+0xa0d/0x11c0 net/bluetooth/hci_event.c:7573
hci_rx_work+0x2c5/0x16b0 net/bluetooth/hci_core.c:4071
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 16995:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2417 [inline]
slab_free mm/slub.c:4680 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4879
sk_prot_free net/core/sock.c:2278 [inline]
__sk_destruct+0x75f/0x9a0 net/core/sock.c:2373
sk_destruct+0xc2/0xf0 net/core/sock.c:2401
__sk_free+0xf4/0x3e0 net/core/sock.c:2412
sk_free+0x6a/0x90 net/core/sock.c:2423
sock_put include/net/sock.h:1960 [inline]
bt_accept_unlink+0x245/0x2e0 net/bluetooth/af_bluetooth.c:262
bt_accept_dequeue+0x517/0x600 net/bluetooth/af_bluetooth.c:308
l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x3ff/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 1728137b33c0 ("Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb")
Reported-by: syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/68af6b9d.a70a0220.3cafd4.0032.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 615c18e290ab9..b35f1551b9be7 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1409,7 +1409,10 @@ static int l2cap_sock_release(struct socket *sock)
if (!sk)
return 0;
+ lock_sock_nested(sk, L2CAP_NESTING_PARENT);
l2cap_sock_cleanup_listen(sk);
+ release_sock(sk);
+
bt_sock_unlink(&l2cap_sk_list, sk);
err = l2cap_sock_shutdown(sock, SHUT_RDWR);
--
2.50.1
next prev parent reply other threads:[~2025-09-07 20:29 UTC|newest]
Thread overview: 190+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-07 19:56 [PATCH 6.12 000/175] 6.12.46-rc1 review Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 001/175] bpf: Add cookie object to bpf maps Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 002/175] bpf: Move bpf map owner out of common struct Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 003/175] bpf: Move cgroup iterator helpers to bpf.h Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 004/175] bpf: Fix oob access in cgroup local storage Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 005/175] btrfs: fix race between logging inode and checking if it was logged before Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 006/175] btrfs: fix race between setting last_dir_index_offset and inode logging Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 007/175] btrfs: avoid load/store tearing races when checking if an inode was logged Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 008/175] LoongArch: Save LBT before FPU in setup_sigcontext() Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 009/175] cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 010/175] drm/amd/display: Dont warn when missing DCE encoder caps Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 011/175] cpupower: Fix a bug where the -t option of the set subcommand was not working Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 012/175] Bluetooth: hci_sync: Avoid adding default advertising on startup Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 013/175] drm/rockchip: vop2: make vp registers nonvolatile Greg Kroah-Hartman
2025-09-07 21:33 ` Piotr Zalewski
2025-09-08 9:10 ` Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 014/175] btrfs: zoned: skip ZONE FINISH of conventional zones Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 015/175] fs: writeback: fix use-after-free in __mark_inode_dirty() Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 016/175] tee: fix NULL pointer dereference in tee_shm_put Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 017/175] tee: fix memory leak in tee_dyn_shm_alloc_helper Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 018/175] arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 019/175] tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 020/175] arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 021/175] arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 022/175] arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 023/175] HID: simplify snto32() Greg Kroah-Hartman
2025-09-07 19:56 ` [PATCH 6.12 024/175] HID: stop exporting hid_snto32() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 025/175] HID: core: Harden s32ton() against conversion to 0 bits Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 026/175] net: usb: qmi_wwan: fix Telit Cinterion FN990A name Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 027/175] net: usb: qmi_wwan: fix Telit Cinterion FE990A name Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 028/175] net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 029/175] LoongArch: vDSO: Remove --hash-style=sysv Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 030/175] LoongArch: vDSO: Remove -nostdlib complier flag Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 031/175] mmc: sdhci-of-arasan: Support for emmc hardware reset Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 032/175] mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 033/175] wifi: cfg80211: fix use-after-free in cmp_bss() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 034/175] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 035/175] wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 036/175] wifi: mt76: prevent non-offchannel mgmt tx during scan/roc Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 037/175] wifi: mt76: free pending offchannel tx frames on wcid cleanup Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 038/175] wifi: mt76: fix linked list corruption Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 039/175] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 040/175] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 041/175] wifi: iwlwifi: uefi: check DSM item validity Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 042/175] Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Greg Kroah-Hartman
2025-09-07 19:57 ` Greg Kroah-Hartman [this message]
2025-09-07 19:57 ` [PATCH 6.12 044/175] netfilter: nft_flowtable.sh: re-run with random mtu sizes Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 045/175] net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 046/175] xirc2ps_cs: fix register access when enabling FullDuplex Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 047/175] mISDN: Fix memory leak in dsp_hwec_enable() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 048/175] selftests: drv-net: csum: fix interface name for remote host Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 049/175] bnxt_en: fix incorrect page count in RX aggr ring log Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 050/175] icmp: fix icmp_ndo_send address translation for reply direction Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 051/175] net: macb: Fix tx_ptr_lock locking Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 052/175] macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 053/175] net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 054/175] net: mctp: mctp_fraq_queue should take ownership of passed skb Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 055/175] ice: fix NULL access of tx->in_use in ice_ll_ts_intr Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 056/175] idpf: set mac type when adding and removing MAC filters Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 057/175] i40e: remove read access to debugfs files Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 058/175] i40e: Fix potential invalid access when MAC list is empty Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 059/175] ixgbe: fix incorrect map used in eee linkmode Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 060/175] wifi: ath11k: fix group data packet drops during rekey Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 061/175] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 062/175] net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 063/175] net: skb: add pskb_network_may_pull_reason() helper Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 064/175] net: tunnel: add pskb_inet_may_pull_reason() helper Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 065/175] net: vxlan: add skb drop reasons to vxlan_rcv() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 066/175] net: vxlan: make vxlan_snoop() return drop reasons Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 067/175] vxlan: Fix NPD when refreshing an FDB entry with a nexthop object Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 068/175] net: vxlan: make vxlan_set_mac() return drop reasons Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 069/175] net: vxlan: use kfree_skb_reason() in vxlan_xmit() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 070/175] net: vxlan: use kfree_skb_reason() in vxlan_mdb_xmit() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 071/175] net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 072/175] vxlan: Refresh FDB updated time upon NTF_USE Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 073/175] vxlan: Avoid unnecessary updates to FDB used time Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 074/175] vxlan: Add RCU read-side critical sections in the Tx path Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 075/175] vxlan: Rename FDB Tx lookup function Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 076/175] vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 077/175] wifi: cw1200: cap SSID length in cw1200_do_join() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 078/175] wifi: libertas: cap SSID len in lbs_associate() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 079/175] wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 080/175] net: thunder_bgx: add a missing of_node_put Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 081/175] net: thunder_bgx: decrement cleanup index before use Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 082/175] ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 083/175] net/smc: Remove validation of reserved bits in CLC Decline message Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 6.12 084/175] mctp: return -ENOPROTOOPT for unknown getsockopt options Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 085/175] ax25: properly unshare skbs in ax25_kiss_rcv() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 086/175] net: atm: fix memory leak in atm_register_sysfs when device_register fail Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 087/175] net: xilinx: axienet: Add error handling for RX metadata pointer retrieval Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 088/175] ppp: fix memory leak in pad_compress_skb Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 089/175] selftest: net: Fix weird setsockopt() in bind_bhash.c Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 090/175] phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 091/175] ALSA: usb-audio: Add mute TLV for playback volumes on some devices Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 092/175] accel/ivpu: Prevent recovery work from being queued during device removal Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 093/175] ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 094/175] arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 095/175] pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 096/175] io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 097/175] x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 098/175] mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 099/175] mm: move page table sync declarations to linux/pgtable.h Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 100/175] mm: fix possible deadlock in kmemleak Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 101/175] mm: slub: avoid wake up kswapd in set_track_prepare Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 102/175] sched: Fix sched_numa_find_nth_cpu() if mask offline Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 103/175] kasan: fix GCC mem-intrinsic prefix with sw tags Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 104/175] ocfs2: prevent release journal inode after journal shutdown Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 105/175] proc: fix missing pde_set_flags() for net proc files Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 106/175] of_numa: fix uninitialized memory nodes causing kernel panic Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 107/175] soc: qcom: mdt_loader: Deal with zero e_shentsize Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 108/175] wifi: mwifiex: Initialize the chan_stats array to zero Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 109/175] wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 110/175] wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 111/175] wifi: mt76: mt7925: fix the wrong bss cleanup for SAP Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 112/175] net: ethernet: oa_tc6: Handle failure of spi_setup Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 113/175] drm/amdgpu: drop hw access in non-DC audio fini Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 114/175] drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 115/175] platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 116/175] scsi: lpfc: Fix buffer free/clear order in deferred receive path Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 117/175] batman-adv: fix OOB read/write in network-coding decode Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 118/175] cifs: prevent NULL pointer dereference in UTF16 conversion Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 119/175] e1000e: fix heap overflow in e1000_set_eeprom Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 120/175] net: pcs: rzn1-miic: Correct MODCTRL register offset Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 121/175] microchip: lan865x: Fix module autoloading Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 122/175] microchip: lan865x: Fix LAN8651 autoloading Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 123/175] fs/fhandle.c: fix a race in call of has_locked_children() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 124/175] net: dsa: add hook to determine whether EEE is supported Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 125/175] net: dsa: provide implementation of .support_eee() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 126/175] net: dsa: b53/bcm_sf2: implement .support_eee() method Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 127/175] net: dsa: b53: do not enable EEE on bcm63xx Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 128/175] md/raid1,raid10: dont ignore IO flags Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 129/175] md/raid1,raid10: dont handle IO error for REQ_RAHEAD and REQ_NOWAIT Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 130/175] md/raid1,raid10: strip REQ_NOWAIT from member bios Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 131/175] ext4: define ext4_journal_destroy wrapper Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 132/175] ext4: avoid journaling sb update on error if journal is destroying Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 133/175] wifi: ath11k: update channel list in reg notifier instead reg worker Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 134/175] wifi: ath11k: update channel list in worker when wait flag is set Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 135/175] net: fix NULL pointer dereference in l3mdev_l3_rcv Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 136/175] md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 137/175] mm: slub: Print the broken data before restoring them Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 138/175] mm: slub: call WARN() when detecting a slab corruption Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 139/175] mm, slab: cleanup slab_bug() parameters Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 140/175] mm/slub: avoid accessing metadata when pointer is invalid in object_err() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 141/175] nouveau: fix disabling the nonstall irq due to storm code Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 142/175] kunit: kasan_test: disable fortify string checker on kasan_strings() test Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 143/175] mm: fix accounting of memmap pages Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 6.12 144/175] thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 145/175] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 146/175] rust: support Rust >= 1.91.0 target spec Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 147/175] ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 148/175] ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 149/175] Revert "drm/amdgpu: Avoid extra evict-restore process." Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 150/175] pcmcia: omap: Add missing check for platform_get_resource Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 151/175] pcmcia: Add error handling for add_interval() in do_validate_mem() Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 152/175] platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 153/175] platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 154/175] hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 155/175] block: add a queue_limits_commit_update_frozen helper Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 156/175] scsi: sr: Reinstate rotational media flag Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 157/175] spi: spi-fsl-lpspi: Fix transmissions when using CONT Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 158/175] spi: spi-fsl-lpspi: Set correct chip-select polarity bit Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 159/175] spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 160/175] spi: spi-fsl-lpspi: Clear status register after disabling the module Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 161/175] drm/bridge: ti-sn65dsi86: fix REFCLK setting Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 162/175] perf bpf-event: Fix use-after-free in synthesis Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 163/175] perf bpf-utils: Constify bpil_array_desc Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 164/175] perf bpf-utils: Harden get_bpf_prog_info_linear Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 165/175] drm/amd/amdgpu: Fix missing error return on kzalloc failure Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 166/175] tools: gpio: remove the include directory on make clean Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 167/175] md: prevent incorrect update of resync/recovery offset Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 168/175] ACPI: RISC-V: Fix FFH_CPPC_CSR error handling Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 169/175] riscv: Only allow LTO with CMODEL_MEDANY Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 170/175] riscv: use lw when reading int cpu in new_vmalloc_check Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 171/175] riscv: use lw when reading int cpu in asm_per_cpu Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 172/175] riscv, bpf: use lw when reading int cpu in BPF_MOV64_PERCPU_REG Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 173/175] riscv, bpf: use lw when reading int cpu in bpf_get_smp_processor_id Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 174/175] md/raid1: fix data lost for writemostly rdev Greg Kroah-Hartman
2025-09-07 19:59 ` [PATCH 6.12 175/175] dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Greg Kroah-Hartman
2025-09-08 3:42 ` [PATCH 6.12 000/175] 6.12.46-rc1 review Florian Fainelli
2025-09-08 9:25 ` Brett A C Sheffield
2025-09-08 11:29 ` Miguel Ojeda
2025-09-08 12:55 ` Peter Schneider
2025-09-08 15:01 ` Jon Hunter
2025-09-08 17:05 ` Brett Mastbergen
2025-09-08 22:36 ` Shuah Khan
2025-09-09 5:25 ` Harshit Mogalapalli
2025-09-09 5:53 ` Ron Economos
2025-09-09 11:21 ` Mark Brown
2025-09-09 11:33 ` Naresh Kamboju
2025-09-09 17:43 ` Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250907195615.873298583@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuniyu@google.com \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e5e64cdf8e92046dd3e1@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).