From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, linux-fsdevel@vger.kernel.org,
linux-unionfs@vger.kernel.org, linux-erofs@lists.ozlabs.org,
Amir Goldstein <amir73il@gmail.com>,
Serge Hallyn <serge@hallyn.com>,
Christian Brauner <brauner@kernel.org>,
Paul Moore <paul@paul-moore.com>,
Cai Xinchen <caixinchen1@huawei.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.18 002/108] lsm: add backing_file LSM hooks
Date: Thu, 2 Jul 2026 18:19:59 +0200 [thread overview]
Message-ID: <20260702155112.164854396@linuxfoundation.org> (raw)
In-Reply-To: <20260702155112.110058792@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
[ Upstream commit 6af36aeb147a06dea47c49859cd6ca5659aeb987 ]
Stacked filesystems such as overlayfs do not currently provide the
necessary mechanisms for LSMs to properly enforce access controls on the
mmap() and mprotect() operations. In order to resolve this gap, a LSM
security blob is being added to the backing_file struct and the following
new LSM hooks are being created:
security_backing_file_alloc()
security_backing_file_free()
security_mmap_backing_file()
The first two hooks are to manage the lifecycle of the LSM security blob
in the backing_file struct, while the third provides a new mmap() access
control point for the underlying backing file. It is also expected that
LSMs will likely want to update their security_file_mprotect() callback
to address issues with their mprotect() controls, but that does not
require a change to the security_file_mprotect() LSM hook.
There are a three other small changes to support these new LSM hooks:
* Pass the user file associated with a backing file down to
alloc_empty_backing_file() so it can be included in the
security_backing_file_alloc() hook.
* Add getter and setter functions for the backing_file struct LSM blob
as the backing_file struct remains private to fs/file_table.c.
* Constify the file struct field in the LSM common_audit_data struct to
better support LSMs that need to pass a const file struct pointer into
the common LSM audit code.
Thanks to Arnd Bergmann for identifying the missing EXPORT_SYMBOL_GPL()
and supplying a fixup.
Cc: stable@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-unionfs@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[Mainline declares lsm_backing_file_cache in security/lsm.h. Linux 6.18.y
does not have security/lsm_init.c or security/lsm.h; the cache variable
is defined locally as static struct kmem_cache *lsm_backing_file_cache in
security/security.c.]
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/backing-file.c | 17 ++++--
fs/file_table.c | 27 +++++++--
fs/fuse/passthrough.c | 2 +-
fs/internal.h | 3 +-
fs/overlayfs/dir.c | 2 +-
fs/overlayfs/file.c | 2 +-
include/linux/backing-file.h | 4 +-
include/linux/fs.h | 13 ++++
include/linux/lsm_audit.h | 2 +-
include/linux/lsm_hook_defs.h | 5 ++
include/linux/lsm_hooks.h | 1 +
include/linux/security.h | 22 +++++++
security/security.c | 109 ++++++++++++++++++++++++++++++++++
13 files changed, 194 insertions(+), 15 deletions(-)
diff --git a/fs/backing-file.c b/fs/backing-file.c
index 15a7f80310848d..e049a627d78fb9 100644
--- a/fs/backing-file.c
+++ b/fs/backing-file.c
@@ -12,6 +12,7 @@
#include <linux/backing-file.h>
#include <linux/splice.h>
#include <linux/mm.h>
+#include <linux/security.h>
#include "internal.h"
@@ -29,14 +30,15 @@
* returned file into a container structure that also stores the stacked
* file's path, which can be retrieved using backing_file_user_path().
*/
-struct file *backing_file_open(const struct path *user_path, int flags,
+struct file *backing_file_open(const struct file *user_file, int flags,
const struct path *real_path,
const struct cred *cred)
{
+ const struct path *user_path = &user_file->f_path;
struct file *f;
int error;
- f = alloc_empty_backing_file(flags, cred);
+ f = alloc_empty_backing_file(flags, cred, user_file);
if (IS_ERR(f))
return f;
@@ -52,15 +54,16 @@ struct file *backing_file_open(const struct path *user_path, int flags,
}
EXPORT_SYMBOL_GPL(backing_file_open);
-struct file *backing_tmpfile_open(const struct path *user_path, int flags,
+struct file *backing_tmpfile_open(const struct file *user_file, int flags,
const struct path *real_parentpath,
umode_t mode, const struct cred *cred)
{
struct mnt_idmap *real_idmap = mnt_idmap(real_parentpath->mnt);
+ const struct path *user_path = &user_file->f_path;
struct file *f;
int error;
- f = alloc_empty_backing_file(flags, cred);
+ f = alloc_empty_backing_file(flags, cred, user_file);
if (IS_ERR(f))
return f;
@@ -339,6 +342,12 @@ int backing_file_mmap(struct file *file, struct vm_area_struct *vma,
vma_set_file(vma, file);
old_cred = override_creds(ctx->cred);
+ ret = security_mmap_backing_file(vma, file, user_file);
+ if (ret) {
+ revert_creds(old_cred);
+ return ret;
+ }
+
ret = vfs_mmap(vma->vm_file, vma);
revert_creds(old_cred);
diff --git a/fs/file_table.c b/fs/file_table.c
index 762f03dcbcd778..987e01da993894 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -50,6 +50,9 @@ struct backing_file {
struct path user_path;
freeptr_t bf_freeptr;
};
+#ifdef CONFIG_SECURITY
+ void *security;
+#endif
};
#define backing_file(f) container_of(f, struct backing_file, file)
@@ -66,8 +69,21 @@ void backing_file_set_user_path(struct file *f, const struct path *path)
}
EXPORT_SYMBOL_GPL(backing_file_set_user_path);
+#ifdef CONFIG_SECURITY
+void *backing_file_security(const struct file *f)
+{
+ return backing_file(f)->security;
+}
+
+void backing_file_set_security(struct file *f, void *security)
+{
+ backing_file(f)->security = security;
+}
+#endif /* CONFIG_SECURITY */
+
static inline void backing_file_free(struct backing_file *ff)
{
+ security_backing_file_free(&ff->file);
path_put(&ff->user_path);
kmem_cache_free(bfilp_cachep, ff);
}
@@ -288,10 +304,12 @@ struct file *alloc_empty_file_noaccount(int flags, const struct cred *cred)
return f;
}
-static int init_backing_file(struct backing_file *ff)
+static int init_backing_file(struct backing_file *ff,
+ const struct file *user_file)
{
memset(&ff->user_path, 0, sizeof(ff->user_path));
- return 0;
+ backing_file_set_security(&ff->file, NULL);
+ return security_backing_file_alloc(&ff->file, user_file);
}
/*
@@ -301,7 +319,8 @@ static int init_backing_file(struct backing_file *ff)
* This is only for kernel internal use, and the allocate file must not be
* installed into file tables or such.
*/
-struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
+struct file *alloc_empty_backing_file(int flags, const struct cred *cred,
+ const struct file *user_file)
{
struct backing_file *ff;
int error;
@@ -318,7 +337,7 @@ struct file *alloc_empty_backing_file(int flags, const struct cred *cred)
/* The f_mode flags must be set before fput(). */
ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;
- error = init_backing_file(ff);
+ error = init_backing_file(ff, user_file);
if (unlikely(error)) {
fput(&ff->file);
return ERR_PTR(error);
diff --git a/fs/fuse/passthrough.c b/fs/fuse/passthrough.c
index 72de97c03d0eeb..f2d08ac2459b7e 100644
--- a/fs/fuse/passthrough.c
+++ b/fs/fuse/passthrough.c
@@ -167,7 +167,7 @@ struct fuse_backing *fuse_passthrough_open(struct file *file, int backing_id)
goto out;
/* Allocate backing file per fuse file to store fuse path */
- backing_file = backing_file_open(&file->f_path, file->f_flags,
+ backing_file = backing_file_open(file, file->f_flags,
&fb->file->f_path, fb->cred);
err = PTR_ERR(backing_file);
if (IS_ERR(backing_file)) {
diff --git a/fs/internal.h b/fs/internal.h
index 9b2b4d11688023..51107fd515145b 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -100,7 +100,8 @@ extern void chroot_fs_refs(const struct path *, const struct path *);
*/
struct file *alloc_empty_file(int flags, const struct cred *cred);
struct file *alloc_empty_file_noaccount(int flags, const struct cred *cred);
-struct file *alloc_empty_backing_file(int flags, const struct cred *cred);
+struct file *alloc_empty_backing_file(int flags, const struct cred *cred,
+ const struct file *user_file);
void backing_file_set_user_path(struct file *f, const struct path *path);
static inline void file_put_write_access(struct file *file)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index a5e9ddf3023b39..e924321b64025e 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1355,7 +1355,7 @@ static int ovl_create_tmpfile(struct file *file, struct dentry *dentry,
}
ovl_path_upper(dentry->d_parent, &realparentpath);
- realfile = backing_tmpfile_open(&file->f_path, flags, &realparentpath,
+ realfile = backing_tmpfile_open(file, flags, &realparentpath,
mode, current_cred());
err = PTR_ERR_OR_ZERO(realfile);
pr_debug("tmpfile/open(%pd2, 0%o) = %i\n", realparentpath.dentry, mode, err);
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 7ab2c9daffd017..3fedfdddfa7584 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -48,7 +48,7 @@ static struct file *ovl_open_realfile(const struct file *file,
if (!inode_owner_or_capable(real_idmap, realinode))
flags &= ~O_NOATIME;
- realfile = backing_file_open(file_user_path(file),
+ realfile = backing_file_open(file,
flags, realpath, current_cred());
}
ovl_revert_creds(old_cred);
diff --git a/include/linux/backing-file.h b/include/linux/backing-file.h
index 1476a6ed1bfd77..c939cd222730c4 100644
--- a/include/linux/backing-file.h
+++ b/include/linux/backing-file.h
@@ -18,10 +18,10 @@ struct backing_file_ctx {
void (*end_write)(struct kiocb *iocb, ssize_t);
};
-struct file *backing_file_open(const struct path *user_path, int flags,
+struct file *backing_file_open(const struct file *user_file, int flags,
const struct path *real_path,
const struct cred *cred);
-struct file *backing_tmpfile_open(const struct path *user_path, int flags,
+struct file *backing_tmpfile_open(const struct file *user_file, int flags,
const struct path *real_parentpath,
umode_t mode, const struct cred *cred);
ssize_t backing_file_read_iter(struct file *file, struct iov_iter *iter,
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 014cb04eefbe6c..f3e798184a58e8 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2890,6 +2890,19 @@ struct file *dentry_create(const struct path *path, int flags, umode_t mode,
const struct cred *cred);
const struct path *backing_file_user_path(const struct file *f);
+#ifdef CONFIG_SECURITY
+void *backing_file_security(const struct file *f);
+void backing_file_set_security(struct file *f, void *security);
+#else
+static inline void *backing_file_security(const struct file *f)
+{
+ return NULL;
+}
+static inline void backing_file_set_security(struct file *f, void *security)
+{
+}
+#endif /* CONFIG_SECURITY */
+
/*
* When mmapping a file on a stackable filesystem (e.g., overlayfs), the file
* stored in ->vm_file is a backing file whose f_inode is on the underlying
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 382c56a97bba1d..584db296e43b20 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -94,7 +94,7 @@ struct common_audit_data {
#endif
char *kmod_name;
struct lsm_ioctlop_audit *op;
- struct file *file;
+ const struct file *file;
struct lsm_ibpkey_audit *ibpkey;
struct lsm_ibendport_audit *ibendport;
int reason;
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 8c42b4bde09c07..b4958167e38196 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -191,6 +191,9 @@ LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
LSM_HOOK(int, 0, file_alloc_security, struct file *file)
LSM_HOOK(void, LSM_RET_VOID, file_release, struct file *file)
LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
+LSM_HOOK(int, 0, backing_file_alloc, struct file *backing_file,
+ const struct file *user_file)
+LSM_HOOK(void, LSM_RET_VOID, backing_file_free, struct file *backing_file)
LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
unsigned long arg)
LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
@@ -198,6 +201,8 @@ LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
+LSM_HOOK(int, 0, mmap_backing_file, struct vm_area_struct *vma,
+ struct file *backing_file, struct file *user_file)
LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma,
unsigned long reqprot, unsigned long prot)
LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 79ec5a2bdcca7a..ea4b0f5ca7f0ff 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -104,6 +104,7 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_backing_file;
int lbs_ib;
int lbs_inode;
int lbs_sock;
diff --git a/include/linux/security.h b/include/linux/security.h
index b64598e5d65d75..e540253624268d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -473,11 +473,17 @@ int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_release(struct file *file);
void security_file_free(struct file *file);
+int security_backing_file_alloc(struct file *backing_file,
+ const struct file *user_file);
+void security_backing_file_free(struct file *backing_file);
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
int security_file_ioctl_compat(struct file *file, unsigned int cmd,
unsigned long arg);
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags);
+int security_mmap_backing_file(struct vm_area_struct *vma,
+ struct file *backing_file,
+ struct file *user_file);
int security_mmap_addr(unsigned long addr);
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot);
@@ -1142,6 +1148,15 @@ static inline void security_file_release(struct file *file)
static inline void security_file_free(struct file *file)
{ }
+static inline int security_backing_file_alloc(struct file *backing_file,
+ const struct file *user_file)
+{
+ return 0;
+}
+
+static inline void security_backing_file_free(struct file *backing_file)
+{ }
+
static inline int security_file_ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
{
@@ -1161,6 +1176,13 @@ static inline int security_mmap_file(struct file *file, unsigned long prot,
return 0;
}
+static inline int security_mmap_backing_file(struct vm_area_struct *vma,
+ struct file *backing_file,
+ struct file *user_file)
+{
+ return 0;
+}
+
static inline int security_mmap_addr(unsigned long addr)
{
return cap_mmap_addr(addr);
diff --git a/security/security.c b/security/security.c
index 603c3c6d5635d8..9285909908ab8a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -94,6 +94,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
static struct kmem_cache *lsm_file_cache;
+static struct kmem_cache *lsm_backing_file_cache;
static struct kmem_cache *lsm_inode_cache;
char *lsm_names;
@@ -265,6 +266,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_blob_size(&needed->lbs_backing_file, &blob_sizes.lbs_backing_file);
lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib);
/*
* The inode blob gets an rcu_head in addition to
@@ -470,6 +472,7 @@ static void __init ordered_lsm_init(void)
init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);
init_debug("file blob size = %d\n", blob_sizes.lbs_file);
+ init_debug("lsm_backing_file_cache = %d\n", blob_sizes.lbs_backing_file);
init_debug("ib blob size = %d\n", blob_sizes.lbs_ib);
init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);
init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);
@@ -495,6 +498,11 @@ static void __init ordered_lsm_init(void)
lsm_file_cache = kmem_cache_create("lsm_file_cache",
blob_sizes.lbs_file, 0,
SLAB_PANIC, NULL);
+ if (blob_sizes.lbs_backing_file)
+ lsm_backing_file_cache = kmem_cache_create(
+ "lsm_backing_file_cache",
+ blob_sizes.lbs_backing_file,
+ 0, SLAB_PANIC, NULL);
if (blob_sizes.lbs_inode)
lsm_inode_cache = kmem_cache_create("lsm_inode_cache",
blob_sizes.lbs_inode, 0,
@@ -671,6 +679,30 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb)
}
EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
+/**
+ * lsm_backing_file_alloc - allocate a composite backing file blob
+ * @backing_file: the backing file
+ *
+ * Allocate the backing file blob for all the modules.
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_backing_file_alloc(struct file *backing_file)
+{
+ void *blob;
+
+ if (!lsm_backing_file_cache) {
+ backing_file_set_security(backing_file, NULL);
+ return 0;
+ }
+
+ blob = kmem_cache_zalloc(lsm_backing_file_cache, GFP_KERNEL);
+ backing_file_set_security(backing_file, blob);
+ if (!blob)
+ return -ENOMEM;
+ return 0;
+}
+
/**
* lsm_blob_alloc - allocate a composite blob
* @dest: the destination for the blob
@@ -2965,6 +2997,57 @@ void security_file_free(struct file *file)
}
}
+/**
+ * security_backing_file_alloc() - Allocate and setup a backing file blob
+ * @backing_file: the backing file
+ * @user_file: the associated user visible file
+ *
+ * Allocate a backing file LSM blob and perform any necessary initialization of
+ * the LSM blob. There will be some operations where the LSM will not have
+ * access to @user_file after this point, so any important state associated
+ * with @user_file that is important to the LSM should be captured in the
+ * backing file's LSM blob.
+ *
+ * LSM's should avoid taking a reference to @user_file in this hook as it will
+ * result in problems later when the system attempts to drop/put the file
+ * references due to a circular dependency.
+ *
+ * Return: Return 0 if the hook is successful, negative values otherwise.
+ */
+int security_backing_file_alloc(struct file *backing_file,
+ const struct file *user_file)
+{
+ int rc;
+
+ rc = lsm_backing_file_alloc(backing_file);
+ if (rc)
+ return rc;
+ rc = call_int_hook(backing_file_alloc, backing_file, user_file);
+ if (unlikely(rc))
+ security_backing_file_free(backing_file);
+
+ return rc;
+}
+
+/**
+ * security_backing_file_free() - Free a backing file blob
+ * @backing_file: the backing file
+ *
+ * Free any LSM state associate with a backing file's LSM blob, including the
+ * blob itself.
+ */
+void security_backing_file_free(struct file *backing_file)
+{
+ void *blob = backing_file_security(backing_file);
+
+ call_void_hook(backing_file_free, backing_file);
+
+ if (blob) {
+ backing_file_set_security(backing_file, NULL);
+ kmem_cache_free(lsm_backing_file_cache, blob);
+ }
+}
+
/**
* security_file_ioctl() - Check if an ioctl is allowed
* @file: associated file
@@ -3053,6 +3136,32 @@ int security_mmap_file(struct file *file, unsigned long prot,
flags);
}
+/**
+ * security_mmap_backing_file - Check if mmap'ing a backing file is allowed
+ * @vma: the vm_area_struct for the mmap'd region
+ * @backing_file: the backing file being mmap'd
+ * @user_file: the user file being mmap'd
+ *
+ * Check permissions for a mmap operation on a stacked filesystem. This hook
+ * is called after the security_mmap_file() and is responsible for authorizing
+ * the mmap on @backing_file. It is important to note that the mmap operation
+ * on @user_file has already been authorized and the @vma->vm_file has been
+ * set to @backing_file.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_mmap_backing_file(struct vm_area_struct *vma,
+ struct file *backing_file,
+ struct file *user_file)
+{
+ /* recommended by the stackable filesystem devs */
+ if (WARN_ON_ONCE(!(backing_file->f_mode & FMODE_BACKING)))
+ return -EIO;
+
+ return call_int_hook(mmap_backing_file, vma, backing_file, user_file);
+}
+EXPORT_SYMBOL_GPL(security_mmap_backing_file);
+
/**
* security_mmap_addr() - Check if mmap'ing an address is allowed
* @addr: address
--
2.53.0
next prev parent reply other threads:[~2026-07-02 16:53 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:19 [PATCH 6.18 000/108] 6.18.38-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.18 001/108] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 6.18 003/108] selinux: fix overlayfs mmap() and mprotect() access checks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 004/108] Revert "PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support" Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 005/108] lockd: fix TEST handling when not all permissions are available Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 006/108] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 007/108] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 008/108] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 009/108] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 010/108] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 011/108] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 012/108] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 013/108] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 014/108] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 015/108] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 016/108] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 017/108] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 018/108] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 019/108] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 020/108] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 021/108] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 022/108] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 023/108] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 024/108] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 025/108] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 026/108] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 027/108] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 028/108] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 029/108] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 030/108] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 031/108] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 032/108] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 033/108] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 034/108] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 035/108] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 036/108] af_unix: Set gc_in_progress to true in unix_gc() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 037/108] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 038/108] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 039/108] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 040/108] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 041/108] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 042/108] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 043/108] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 044/108] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-03 12:32 ` Usama Arif
2026-07-04 2:05 ` Sasha Levin
2026-07-04 2:35 ` Jens Axboe
2026-07-04 6:45 ` Greg Kroah-Hartman
2026-07-04 12:41 ` Jens Axboe
2026-07-05 9:03 ` Greg Kroah-Hartman
2026-07-05 23:05 ` Jens Axboe
2026-07-06 9:55 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 045/108] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 046/108] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 047/108] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 048/108] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 049/108] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 050/108] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 051/108] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 052/108] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 053/108] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 054/108] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 055/108] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 056/108] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 057/108] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 058/108] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 059/108] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 060/108] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 061/108] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 062/108] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 063/108] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 064/108] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 065/108] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 066/108] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 067/108] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 068/108] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 069/108] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 070/108] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 071/108] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 072/108] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 073/108] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 074/108] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 075/108] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 076/108] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 077/108] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 078/108] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 079/108] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 080/108] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 081/108] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 082/108] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 083/108] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 084/108] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 085/108] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 086/108] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 087/108] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 088/108] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 089/108] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 090/108] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 091/108] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 092/108] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 093/108] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 094/108] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 095/108] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 096/108] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 097/108] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 098/108] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 099/108] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 100/108] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 101/108] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 102/108] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 103/108] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 104/108] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 105/108] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 106/108] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 107/108] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 108/108] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 6.18 000/108] 6.18.38-rc1 review Brett A C Sheffield
2026-07-02 23:05 ` Peter Schneider
2026-07-03 0:08 ` Miguel Ojeda
2026-07-03 3:13 ` Wentao Guan
2026-07-03 7:27 ` Greg KH
2026-07-03 5:54 ` Ron Economos
2026-07-03 7:11 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702155112.164854396@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=caixinchen1@huawei.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox