From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Amir Goldstein <amir73il@gmail.com>,
Paul Moore <paul@paul-moore.com>,
Cai Xinchen <caixinchen1@huawei.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.18 003/108] selinux: fix overlayfs mmap() and mprotect() access checks
Date: Thu, 2 Jul 2026 18:20:00 +0200 [thread overview]
Message-ID: <20260702155112.184964151@linuxfoundation.org> (raw)
In-Reply-To: <20260702155112.110058792@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
[ Upstream commit 82544d36b1729153c8aeb179e84750f0c085d3b1 ]
The existing SELinux security model for overlayfs is to allow access if
the current task is able to access the top level file (the "user" file)
and the mounter's credentials are sufficient to access the lower
level file (the "backing" file). Unfortunately, the current code does
not properly enforce these access controls for both mmap() and mprotect()
operations on overlayfs filesystems.
This patch makes use of the newly created security_mmap_backing_file()
LSM hook to provide the missing backing file enforcement for mmap()
operations, and leverages the backing file API and new LSM blob to
provide the necessary information to properly enforce the mprotect()
access controls.
Cc: stable@vger.kernel.org
Acked-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/hooks.c | 242 ++++++++++++++++++++++--------
security/selinux/include/objsec.h | 11 ++
2 files changed, 189 insertions(+), 64 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3da3017ad2ca06..f96ee8f372e3b2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1739,49 +1739,72 @@ static inline int file_path_has_perm(const struct cred *cred,
static int bpf_fd_pass(const struct file *file, u32 sid);
#endif
-/* Check whether a task can use an open file descriptor to
- access an inode in a given way. Check access to the
- descriptor itself, and then use dentry_has_perm to
- check a particular permission to the file.
- Access to the descriptor is implicitly granted if it
- has the same SID as the process. If av is zero, then
- access to the file is not checked, e.g. for cases
- where only the descriptor is affected like seek. */
-static int file_has_perm(const struct cred *cred,
- struct file *file,
- u32 av)
+static int __file_has_perm(const struct cred *cred, const struct file *file,
+ u32 av, bool bf_user_file)
+
{
- struct file_security_struct *fsec = selinux_file(file);
- struct inode *inode = file_inode(file);
struct common_audit_data ad;
- u32 sid = cred_sid(cred);
+ struct inode *inode;
+ u32 ssid = cred_sid(cred);
+ u32 tsid_fd;
int rc;
- ad.type = LSM_AUDIT_DATA_FILE;
- ad.u.file = file;
+ if (bf_user_file) {
+ struct backing_file_security_struct *bfsec;
+ const struct path *path;
- if (sid != fsec->sid) {
- rc = avc_has_perm(sid, fsec->sid,
- SECCLASS_FD,
- FD__USE,
- &ad);
+ if (WARN_ON(!(file->f_mode & FMODE_BACKING)))
+ return -EIO;
+
+ bfsec = selinux_backing_file(file);
+ path = backing_file_user_path(file);
+ tsid_fd = bfsec->uf_sid;
+ inode = d_inode(path->dentry);
+
+ ad.type = LSM_AUDIT_DATA_PATH;
+ ad.u.path = *path;
+ } else {
+ struct file_security_struct *fsec = selinux_file(file);
+
+ tsid_fd = fsec->sid;
+ inode = file_inode(file);
+
+ ad.type = LSM_AUDIT_DATA_FILE;
+ ad.u.file = file;
+ }
+
+ if (ssid != tsid_fd) {
+ rc = avc_has_perm(ssid, tsid_fd, SECCLASS_FD, FD__USE, &ad);
if (rc)
- goto out;
+ return rc;
}
#ifdef CONFIG_BPF_SYSCALL
- rc = bpf_fd_pass(file, cred_sid(cred));
+ /* regardless of backing vs user file, use the underlying file here */
+ rc = bpf_fd_pass(file, ssid);
if (rc)
return rc;
#endif
/* av is zero if only checking access to the descriptor. */
- rc = 0;
if (av)
- rc = inode_has_perm(cred, inode, av, &ad);
+ return inode_has_perm(cred, inode, av, &ad);
-out:
- return rc;
+ return 0;
+}
+
+/* Check whether a task can use an open file descriptor to
+ access an inode in a given way. Check access to the
+ descriptor itself, and then use dentry_has_perm to
+ check a particular permission to the file.
+ Access to the descriptor is implicitly granted if it
+ has the same SID as the process. If av is zero, then
+ access to the file is not checked, e.g. for cases
+ where only the descriptor is affected like seek. */
+static inline int file_has_perm(const struct cred *cred,
+ const struct file *file, u32 av)
+{
+ return __file_has_perm(cred, file, av, false);
}
/*
@@ -3799,6 +3822,17 @@ static int selinux_file_alloc_security(struct file *file)
return 0;
}
+static int selinux_backing_file_alloc(struct file *backing_file,
+ const struct file *user_file)
+{
+ struct backing_file_security_struct *bfsec;
+
+ bfsec = selinux_backing_file(backing_file);
+ bfsec->uf_sid = selinux_file(user_file)->sid;
+
+ return 0;
+}
+
/*
* Check whether a task has the ioctl permission and cmd
* operation to an inode.
@@ -3916,42 +3950,55 @@ static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
static int default_noexec __ro_after_init;
-static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
+static int __file_map_prot_check(const struct cred *cred,
+ const struct file *file, unsigned long prot,
+ bool shared, bool bf_user_file)
{
- const struct cred *cred = current_cred();
- u32 sid = cred_sid(cred);
- int rc = 0;
+ struct inode *inode = NULL;
+ bool prot_exec = prot & PROT_EXEC;
+ bool prot_write = prot & PROT_WRITE;
+
+ if (file) {
+ if (bf_user_file)
+ inode = d_inode(backing_file_user_path(file)->dentry);
+ else
+ inode = file_inode(file);
+ }
+
+ if (default_noexec && prot_exec &&
+ (!file || IS_PRIVATE(inode) || (!shared && prot_write))) {
+ int rc;
+ u32 sid = cred_sid(cred);
- if (default_noexec &&
- (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
- (!shared && (prot & PROT_WRITE)))) {
/*
- * We are making executable an anonymous mapping or a
- * private file mapping that will also be writable.
- * This has an additional check.
+ * We are making executable an anonymous mapping or a private
+ * file mapping that will also be writable.
*/
- rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
- PROCESS__EXECMEM, NULL);
+ rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__EXECMEM,
+ NULL);
if (rc)
- goto error;
+ return rc;
}
if (file) {
- /* read access is always possible with a mapping */
+ /* "read" always possible, "write" only if shared */
u32 av = FILE__READ;
-
- /* write access only matters if the mapping is shared */
- if (shared && (prot & PROT_WRITE))
+ if (shared && prot_write)
av |= FILE__WRITE;
-
- if (prot & PROT_EXEC)
+ if (prot_exec)
av |= FILE__EXECUTE;
- return file_has_perm(cred, file, av);
+ return __file_has_perm(cred, file, av, bf_user_file);
}
-error:
- return rc;
+ return 0;
+}
+
+static inline int file_map_prot_check(const struct cred *cred,
+ const struct file *file,
+ unsigned long prot, bool shared)
+{
+ return __file_map_prot_check(cred, file, prot, shared, false);
}
static int selinux_mmap_addr(unsigned long addr)
@@ -3967,36 +4014,80 @@ static int selinux_mmap_addr(unsigned long addr)
return rc;
}
-static int selinux_mmap_file(struct file *file,
- unsigned long reqprot __always_unused,
- unsigned long prot, unsigned long flags)
+static int selinux_mmap_file_common(const struct cred *cred, struct file *file,
+ unsigned long prot, bool shared)
{
- struct common_audit_data ad;
- int rc;
-
if (file) {
+ int rc;
+ struct common_audit_data ad;
+
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- rc = inode_has_perm(current_cred(), file_inode(file),
- FILE__MAP, &ad);
+ rc = inode_has_perm(cred, file_inode(file), FILE__MAP, &ad);
if (rc)
return rc;
}
- return file_map_prot_check(file, prot,
- (flags & MAP_TYPE) == MAP_SHARED);
+ return file_map_prot_check(cred, file, prot, shared);
+}
+
+static int selinux_mmap_file(struct file *file,
+ unsigned long reqprot __always_unused,
+ unsigned long prot, unsigned long flags)
+{
+ return selinux_mmap_file_common(current_cred(), file, prot,
+ (flags & MAP_TYPE) == MAP_SHARED);
+}
+
+/**
+ * selinux_mmap_backing_file - Check mmap permissions on a backing file
+ * @vma: memory region
+ * @backing_file: stacked filesystem backing file
+ * @user_file: user visible file
+ *
+ * This is called after selinux_mmap_file() on stacked filesystems, and it
+ * is this function's responsibility to verify access to @backing_file and
+ * setup the SELinux state for possible later use in the mprotect() code path.
+ *
+ * By the time this function is called, mmap() access to @user_file has already
+ * been authorized and @vma->vm_file has been set to point to @backing_file.
+ *
+ * Return zero on success, negative values otherwise.
+ */
+static int selinux_mmap_backing_file(struct vm_area_struct *vma,
+ struct file *backing_file,
+ struct file *user_file __always_unused)
+{
+ unsigned long prot = 0;
+
+ /* translate vma->vm_flags perms into PROT perms */
+ if (vma->vm_flags & VM_READ)
+ prot |= PROT_READ;
+ if (vma->vm_flags & VM_WRITE)
+ prot |= PROT_WRITE;
+ if (vma->vm_flags & VM_EXEC)
+ prot |= PROT_EXEC;
+
+ return selinux_mmap_file_common(backing_file->f_cred, backing_file,
+ prot, vma->vm_flags & VM_SHARED);
}
static int selinux_file_mprotect(struct vm_area_struct *vma,
unsigned long reqprot __always_unused,
unsigned long prot)
{
+ int rc;
const struct cred *cred = current_cred();
u32 sid = cred_sid(cred);
+ const struct file *file = vma->vm_file;
+ bool backing_file;
+ bool shared = vma->vm_flags & VM_SHARED;
+
+ /* check if we need to trigger the "backing files are awful" mode */
+ backing_file = file && (file->f_mode & FMODE_BACKING);
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
- int rc = 0;
/*
* We don't use the vma_is_initial_heap() helper as it has
* a history of problems and is currently broken on systems
@@ -4010,11 +4101,15 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
vma->vm_end <= vma->vm_mm->brk) {
rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECHEAP, NULL);
- } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
+ if (rc)
+ return rc;
+ } else if (!file && (vma_is_initial_stack(vma) ||
vma_is_stack_for_current(vma))) {
rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
PROCESS__EXECSTACK, NULL);
- } else if (vma->vm_file && vma->anon_vma) {
+ if (rc)
+ return rc;
+ } else if (file && vma->anon_vma) {
/*
* We are making executable a file mapping that has
* had some COW done. Since pages might have been
@@ -4022,13 +4117,29 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
* modified content. This typically should only
* occur for text relocations.
*/
- rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
+ rc = __file_has_perm(cred, file, FILE__EXECMOD,
+ backing_file);
+ if (rc)
+ return rc;
+ if (backing_file) {
+ rc = file_has_perm(file->f_cred, file,
+ FILE__EXECMOD);
+ if (rc)
+ return rc;
+ }
}
+ }
+
+ rc = __file_map_prot_check(cred, file, prot, shared, backing_file);
+ if (rc)
+ return rc;
+ if (backing_file) {
+ rc = file_map_prot_check(file->f_cred, file, prot, shared);
if (rc)
return rc;
}
- return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
+ return 0;
}
static int selinux_file_lock(struct file *file, unsigned int cmd)
@@ -7140,6 +7251,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct cred_security_struct),
.lbs_task = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
+ .lbs_backing_file = sizeof(struct backing_file_security_struct),
.lbs_inode = sizeof(struct inode_security_struct),
.lbs_ipc = sizeof(struct ipc_security_struct),
.lbs_key = sizeof(struct key_security_struct),
@@ -7363,9 +7475,11 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+ LSM_HOOK_INIT(backing_file_alloc, selinux_backing_file_alloc),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
+ LSM_HOOK_INIT(mmap_backing_file, selinux_mmap_backing_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
LSM_HOOK_INIT(file_lock, selinux_file_lock),
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 816fde5a5896c1..fcb46793898f5e 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -86,6 +86,10 @@ struct file_security_struct {
u32 pseqno; /* Policy seqno at the time of file open */
};
+struct backing_file_security_struct {
+ u32 uf_sid; /* associated user file fsec->sid */
+};
+
struct superblock_security_struct {
u32 sid; /* SID of file system superblock */
u32 def_sid; /* default SID for labeling */
@@ -190,6 +194,13 @@ static inline struct file_security_struct *selinux_file(const struct file *file)
return file->f_security + selinux_blob_sizes.lbs_file;
}
+static inline struct backing_file_security_struct *
+selinux_backing_file(const struct file *backing_file)
+{
+ void *blob = backing_file_security(backing_file);
+ return blob + selinux_blob_sizes.lbs_backing_file;
+}
+
static inline struct inode_security_struct *
selinux_inode(const struct inode *inode)
{
--
2.53.0
next prev parent reply other threads:[~2026-07-02 16:53 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:19 [PATCH 6.18 000/108] 6.18.38-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.18 001/108] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.18 002/108] lsm: add backing_file LSM hooks Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 6.18 004/108] Revert "PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support" Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 005/108] lockd: fix TEST handling when not all permissions are available Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 006/108] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 007/108] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 008/108] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 009/108] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 010/108] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 011/108] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 012/108] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 013/108] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 014/108] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 015/108] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 016/108] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 017/108] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 018/108] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 019/108] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 020/108] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 021/108] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 022/108] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 023/108] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 024/108] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 025/108] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 026/108] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 027/108] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 028/108] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 029/108] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 030/108] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 031/108] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 032/108] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 033/108] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 034/108] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 035/108] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 036/108] af_unix: Set gc_in_progress to true in unix_gc() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 037/108] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 038/108] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 039/108] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 040/108] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 041/108] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 042/108] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 043/108] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 044/108] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-03 12:32 ` Usama Arif
2026-07-04 2:05 ` Sasha Levin
2026-07-04 2:35 ` Jens Axboe
2026-07-04 6:45 ` Greg Kroah-Hartman
2026-07-04 12:41 ` Jens Axboe
2026-07-05 9:03 ` Greg Kroah-Hartman
2026-07-05 23:05 ` Jens Axboe
2026-07-02 16:20 ` [PATCH 6.18 045/108] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 046/108] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 047/108] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 048/108] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 049/108] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 050/108] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 051/108] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 052/108] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 053/108] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 054/108] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 055/108] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 056/108] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 057/108] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 058/108] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 059/108] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 060/108] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 061/108] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 062/108] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 063/108] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 064/108] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 065/108] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 066/108] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 067/108] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 068/108] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 069/108] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 070/108] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 071/108] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 072/108] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 073/108] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 074/108] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 075/108] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 076/108] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 077/108] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 078/108] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 079/108] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 080/108] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 081/108] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 082/108] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 083/108] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 084/108] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 085/108] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 086/108] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 087/108] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 088/108] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 089/108] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 090/108] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 091/108] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 092/108] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 093/108] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 094/108] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 095/108] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 096/108] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 097/108] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 098/108] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 099/108] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 100/108] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 101/108] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 102/108] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 103/108] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 104/108] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 105/108] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 106/108] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 107/108] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 108/108] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 6.18 000/108] 6.18.38-rc1 review Brett A C Sheffield
2026-07-02 23:05 ` Peter Schneider
2026-07-03 0:08 ` Miguel Ojeda
2026-07-03 3:13 ` Wentao Guan
2026-07-03 7:27 ` Greg KH
2026-07-03 5:54 ` Ron Economos
2026-07-03 7:11 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702155112.184964151@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amir73il@gmail.com \
--cc=caixinchen1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox