Archive-only list for patches
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	Michael Bommarito <michael.bommarito@gmail.com>,
	Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.12 140/206] smb: client: validate dacloffset before building DACL pointers
Date: Tue, 12 May 2026 19:39:52 +0200	[thread overview]
Message-ID: <20260512173935.825957132@linuxfoundation.org> (raw)
In-Reply-To: <20260512173932.810559588@linuxfoundation.org>

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit f98b48151cc502ada59d9778f0112d21f2586ca3 upstream.

parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.

On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.

Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/cifsacl.c |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -1265,6 +1265,17 @@ static int parse_sid(struct smb_sid *psi
 	return 0;
 }
 
+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)
+{
+	if (acl_len < sizeof(struct smb_acl))
+		return false;
+
+	if (dacloffset < sizeof(struct smb_ntsd))
+		return false;
+
+	return dacloffset <= acl_len - sizeof(struct smb_acl);
+}
+
 
 /* Convert CIFS ACL to POSIX form */
 static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
@@ -1285,7 +1296,6 @@ static int parse_sec_desc(struct cifs_sb
 	group_sid_ptr = (struct smb_sid *)((char *)pntsd +
 				le32_to_cpu(pntsd->gsidoffset));
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
-	dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 	cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
 		 pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
 		 le32_to_cpu(pntsd->gsidoffset),
@@ -1316,11 +1326,18 @@ static int parse_sec_desc(struct cifs_sb
 		return rc;
 	}
 
-	if (dacloffset)
+	if (dacloffset) {
+		if (!dacl_offset_valid(acl_len, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
+		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
 			   group_sid_ptr, fattr, get_mode_from_special_sid);
-	else
+	} else {
 		cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
+	}
 
 	return rc;
 }
@@ -1343,6 +1360,11 @@ static int build_sec_desc(struct smb_nts
 
 	dacloffset = le32_to_cpu(pntsd->dacloffset);
 	if (dacloffset) {
+		if (!dacl_offset_valid(secdesclen, dacloffset)) {
+			cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+			return -EINVAL;
+		}
+
 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 		rc = validate_dacl(dacl_ptr, end_of_acl);
 		if (rc)
@@ -1716,6 +1738,12 @@ id_mode_to_cifs_acl(struct inode *inode,
 		nsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2);
 		dacloffset = le32_to_cpu(pntsd->dacloffset);
 		if (dacloffset) {
+			if (!dacl_offset_valid(secdesclen, dacloffset)) {
+				cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+				rc = -EINVAL;
+				goto id_mode_to_cifs_acl_exit;
+			}
+
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
 			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
 			if (rc) {
@@ -1758,6 +1786,7 @@ id_mode_to_cifs_acl(struct inode *inode,
 		rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
 		cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
 	}
+id_mode_to_cifs_acl_exit:
 	cifs_put_tlink(tlink);
 
 	kfree(pnntsd);



  parent reply	other threads:[~2026-05-12 17:47 UTC|newest]

Thread overview: 222+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-12 17:37 [PATCH 6.12 000/206] 6.12.88-rc1 review Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 001/206] scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 002/206] ipmi: Add limits to event and receive message requests Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 003/206] ipmi: Check event message buffer response for bad data Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 004/206] ipmi:si: Return state to normal if message allocation fails Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 005/206] fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 006/206] ACPI: scan: Use acpi_dev_put() in object add error paths Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 007/206] ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 008/206] ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 009/206] ACPI: video: force native backlight on HP OMEN 16 (8A44) Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 010/206] iommufd: Fix a race with concurrent allocation and unmap Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 011/206] ASoC: SOF: Dont allow pointer operations on unconfigured streams Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 012/206] spi: rockchip: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 013/206] ksmbd: rewrite stop_sessions() with restartable iteration Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 014/206] mm: convert mm_lock_seq to a proper seqcount Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 015/206] x86: shadow stacks: proper error handling for mmap lock Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 016/206] x86/shstk: Prevent deadlock during shstk sigreturn Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 017/206] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 018/206] iommu/amd: Use atomic64_inc_return() in iommu.c Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 019/206] iommu/amd: serialize sequence allocation under concurrent TLB invalidations Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 020/206] flow_dissector: do not dissect PPPoE PFC frames Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 021/206] net: txgbe: fix RTNL assertion warning when remove module Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 022/206] net: af_key: zero aligned sockaddr tail in PF_KEY exports Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 023/206] KVM: SVM: check validity of VMCB controls when returning from SMM Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 024/206] net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 025/206] Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 026/206] rxrpc: Fix conn-level packet handling to unshare RESPONSE packets Greg Kroah-Hartman
2026-05-12 17:37 ` [PATCH 6.12 027/206] rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 028/206] exit: prevent preemption of oopsing TASK_DEAD task Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 029/206] wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 030/206] wifi: mt76: mt7925: fix incorrect length field in txpower command Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 031/206] wifi: mt76: mt7921: fix a potential clc buffer length underflow Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 032/206] wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 033/206] wifi: b43legacy: enforce bounds check on firmware key index in RX path Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 034/206] wifi: mac80211: drop stray static from fast-RX rx_result Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 035/206] wifi: rsi: fix kthread lifetime race between self-exit and external-stop Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 036/206] wifi: mac80211: use safe list iteration in radar detect work Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 037/206] wifi: ath5k: do not access array OOB Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 038/206] wifi: mac80211: remove station if connection prep fails Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 039/206] wifi: b43: enforce bounds check on firmware key index in b43_rx() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 040/206] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 041/206] usb: usblp: fix heap leak in IEEE 1284 device ID via short response Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 042/206] usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 043/206] ALSA: usb-audio: midi2: Restart output URBs on resume Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 044/206] ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 045/206] ALSA: usb-audio: Fix UAC3 cluster descriptor size check Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 046/206] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
2026-05-12 20:41   ` Amit Sunil Dhamne
2026-05-13 11:35   ` Harshit Mogalapalli
2026-05-13 12:00     ` Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 047/206] USB: omap_udc: DMA: Dont enable burst 4 mode Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 048/206] USB: serial: option: add Telit Cinterion LE910Cx compositions Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 049/206] usb: ulpi: fix memory leak on ulpi_register() error paths Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 050/206] ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 051/206] ALSA: firewire-tascam: Do not drop unread control events Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 052/206] powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 053/206] xfrm: provide message size for XFRM_MSG_MAPPING Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 054/206] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 055/206] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 056/206] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 057/206] selinux: dont reserve xattr slot when we wont fill it Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 058/206] selinux: shrink critical section in sel_write_load() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 059/206] selinux: prune /sys/fs/selinux/disable Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 060/206] LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 061/206] Bluetooth: virtio_bt: clamp rx length before skb_put Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 062/206] Bluetooth: virtio_bt: validate rx pkt_type header length Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 063/206] Bluetooth: btmtk: validate WMT event SKB length before struct access Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 064/206] Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 065/206] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 066/206] Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 067/206] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 068/206] spi: sun4i: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 069/206] spi: ti-qspi: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 070/206] spi: sun6i: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 071/206] spi: zynqmp-gqspi: " Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 072/206] spi: s3c64xx: fix NULL-deref on driver unbind Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 073/206] staging: vme_user: fix root device leak on init failure Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 074/206] fanotify: fix false positive on permission events Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 075/206] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 076/206] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 077/206] LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 078/206] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 079/206] sound: ua101: fix division by zero at probe Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 080/206] net: libwx: fix VF illegal register access Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 081/206] ip6_gre: Use cached t->net in ip6erspan_changelink() Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 082/206] net/rds: handle zerocopy send cleanup before the message is queued Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 083/206] net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 084/206] parisc: Fix IRQ leak in LASI driver Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 085/206] hwmon: (ltc2992) Clamp threshold writes to hardware range Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 086/206] hwmon: (ltc2992) Fix u32 overflow in power read path Greg Kroah-Hartman
2026-05-12 17:38 ` [PATCH 6.12 087/206] clk: rk808: fix OF node reference imbalance Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 088/206] hwmon: (corsair-psu) Close HID device on probe errors Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 089/206] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 090/206] block: add pgmap check to biovec_phys_mergeable Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 091/206] cifs: abort open_cached_dir if we dont request leases Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 092/206] cifs: change_conf needs to be called for session setup Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 093/206] extcon: ptn5150: handle pending IRQ events during system resume Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 094/206] gpio: of: clear OF_POPULATED on hog nodes in remove path Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 095/206] hv_sock: fix ARM64 support Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 096/206] ibmveth: Disable GSO for packets with small MSS Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 097/206] ice: fix double free in ice_sf_eth_activate() error path Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 098/206] spi: microchip-core-qspi: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 099/206] udf: reject descriptors with oversized CRC length Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 100/206] thermal: core: Free thermal zone ID later during removal Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 101/206] thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 102/206] thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 103/206] spi: topcliff-pch: fix controller deregistration Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 104/206] spi: topcliff-pch: fix use-after-free on unbind Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 105/206] clk: imx: imx8-acm: fix flags for acm clocks Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 106/206] clk: microchip: mpfs-ccc: fix out of bounds access during output registration Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 107/206] cpuidle: powerpc: avoid double clear when breaking snooze Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 108/206] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 109/206] ASoC: fsl_easrc: fix comment typo Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 110/206] ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 111/206] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 112/206] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 113/206] ASoC: qcom: q6apm: remove child devices when apm is removed Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 114/206] btrfs: fix double free in create_space_info() error path Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 115/206] dm-thin: fix metadata refcount underflow Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 116/206] dm: dont report warning when doing deferred remove Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 117/206] dm: fix a buffer overflow in ioctl processing Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 118/206] eventfs: Hold eventfs_mutex and SRCU when remount walks events Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 119/206] dm-verity-fec: correctly reject too-small FEC devices Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 120/206] dm-verity-fec: correctly reject too-small hash devices Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 121/206] isofs: validate Rock Ridge CE continuation extent against volume size Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 122/206] isofs: validate block number from NFS file handle in isofs_export_iget Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 123/206] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 124/206] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 125/206] lib/scatterlist: fix length calculations in extract_kvec_to_sg Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 126/206] lib/scatterlist: fix temp buffer in extract_user_to_sg() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 127/206] libceph: Fix slab-out-of-bounds access in auth message processing Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 128/206] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 129/206] nvme-apple: drop invalid put of admin queue reference count Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 130/206] nvmet-tcp: fix race between ICReq handling and queue teardown Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 131/206] nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 132/206] openvswitch: vport: fix self-deadlock on release of tunnel ports Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 133/206] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 134/206] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 135/206] riscv: kvm: fix vector context allocation leak Greg Kroah-Hartman
2026-05-13 11:49   ` Harshit Mogalapalli
2026-05-13 12:03     ` Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 136/206] s390/debug: Reject zero-length input in debug_input_flush_fn() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 137/206] smb/client: fix out-of-bounds read in smb2_compound_op() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 138/206] smb/client: fix out-of-bounds read in symlink_data() Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 139/206] smb: client: use kzalloc to zero-initialize security descriptor buffer Greg Kroah-Hartman
2026-05-12 17:39 ` Greg Kroah-Hartman [this message]
2026-05-12 17:39 ` [PATCH 6.12 141/206] KVM: x86: check for nEPT/nNPT in slow flush hypercalls Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 142/206] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 143/206] PCI: Update saved_config_space upon resource assignment Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 144/206] PCI/AER: Clear only error bits in PCIe Device Status Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 145/206] PCI/AER: Stop ruling out unbound devices as error source Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 146/206] PCI/ASPM: Fix pci_clear_and_set_config_dword() usage Greg Kroah-Hartman
2026-05-12 17:39 ` [PATCH 6.12 147/206] power: supply: max17042: avoid overflow when determining health Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 148/206] RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 149/206] RDMA/mana: Fix mana_destroy_wq_obj() cleanup " Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 150/206] RDMA/mana: Validate rx_hash_key_len Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 151/206] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 152/206] RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 153/206] RDMA/ocrdma: Dont NULL deref uctx on errors in ocrdma_copy_pd_uresp() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 154/206] RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 155/206] RDMA/rxe: Reject unknown opcodes before ICRC processing Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 156/206] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 157/206] selftests: mptcp: check output: catch cmd errors Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 158/206] selftests: mptcp: pm: restrict unknown check to pm_nl_ctl Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 159/206] mptcp: fastclose msk when linger time is 0 Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 160/206] mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 161/206] mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 162/206] mptcp: sockopt: set timestamp flags on subflow socket, not msk Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 163/206] mptcp: fix scheduling with atomic in timestamp sockopt Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 164/206] f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 165/206] f2fs: fix fiemap boundary handling when read extent cache is incomplete Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 166/206] f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 167/206] f2fs: fix node_cnt race between extent node destroy and writeback Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 168/206] f2fs: fix uninitialized kobject put in f2fs_init_sysfs() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 169/206] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 170/206] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 171/206] LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 172/206] LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 173/206] LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 174/206] LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 175/206] LoongArch: KVM: Move unconditional delay into timer clear scenery Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 176/206] LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 177/206] LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 178/206] bpf: Fix use-after-free in arena_vm_close on fork Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 179/206] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 180/206] fs: prepare for adding LSM blob to backing_file Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 181/206] dma-mapping: drop unneeded includes from dma-mapping.h Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 182/206] dma-mapping: add __dma_from_device_group_begin()/end() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 183/206] hwmon: (powerz) Avoid cacheline sharing for DMA buffer Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 184/206] octeon_ep_vf: add NULL check for napi_build_skb() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 185/206] mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 186/206] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 187/206] mtd: spinand: winbond: Declare the QE bit on W25NxxJW Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 188/206] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 189/206] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 190/206] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
2026-05-13 12:12   ` Harshit Mogalapalli
2026-05-12 17:40 ` [PATCH 6.12 191/206] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 192/206] erofs: move {in,out}pages into struct z_erofs_decompress_req Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 193/206] erofs: tidy up z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 194/206] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 195/206] gtp: disable BH before calling udp_tunnel_xmit_skb() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 196/206] printk: add print_hex_dump_devel() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 197/206] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 198/206] ALSA: aloop: Fix peer runtime UAF during format-change stop Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 199/206] net: stmmac: avoid shadowing global buf_sz Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 200/206] net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 201/206] net: stmmac: Prevent NULL deref when RX memory exhausted Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 202/206] wifi: mt76: mt7925: fix incorrect TLV length in CLC command Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 203/206] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 204/206] rust: pin-init: fix incorrect accessor reference lifetime Greg Kroah-Hartman
2026-05-12 21:13   ` Miguel Ojeda
2026-05-12 21:35     ` Gary Guo
2026-05-13 12:05       ` Greg KH
2026-05-12 17:40 ` [PATCH 6.12 205/206] KVM: arm64: Wake-up from WFI when iqrchip is in userspace Greg Kroah-Hartman
2026-05-12 17:40 ` [PATCH 6.12 206/206] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2s op cache Greg Kroah-Hartman
2026-05-12 21:03 ` [PATCH 6.12 000/206] 6.12.88-rc1 review Pavel Machek
2026-05-12 22:16 ` Peter Schneider
2026-05-13  3:30 ` Dominique Martinet
2026-05-13  7:15 ` Brett A C Sheffield
2026-05-13  8:29 ` Francesco Dolcini
2026-05-13 11:12 ` Barry K. Nathan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260512173935.825957132@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=michael.bommarito@gmail.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=stfrench@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox