Archive-only list for patches
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Shaomin Chen <eeesssooo020@gmail.com>,
	Jarkko Sakkinen <jarkko@kernel.org>
Subject: [PATCH 6.18 049/108] keys: Pin request_key_auth payload in instantiate paths
Date: Thu,  2 Jul 2026 18:20:46 +0200	[thread overview]
Message-ID: <20260702155113.124995881@linuxfoundation.org> (raw)
In-Reply-To: <20260702155112.110058792@linuxfoundation.org>

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaomin Chen <eeesssooo020@gmail.com>

commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.

A: request_key()       B: KEYCTL_INSTANTIATE_IOV
================       =========================

create auth key
store rka in auth key
wait for helper
                       get auth key
                       load rka from auth key
                       copy user payload
                       sleep on #PF

helper completed
detach and free rka
destroy auth key
                       wake up
                       use rka->target_key
                       **USE-AFTER-FREE**

Give request_key_auth payloads a refcount.  Take a payload reference while
authkey->sem stabilizes the payload and revocation state.  Hold that
reference across the instantiate and reject paths.  Drop the auth key
owning reference from revoke and destroy.

[jarkko: Replaced the first two paragraphs of text with an actual
 concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/keys/request_key_auth-type.h |    2 ++
 security/keys/internal.h             |    2 ++
 security/keys/keyctl.c               |   24 ++++++++++++++++++------
 security/keys/request_key_auth.c     |   33 +++++++++++++++++++++++++++++++--
 4 files changed, 53 insertions(+), 8 deletions(-)

--- a/include/keys/request_key_auth-type.h
+++ b/include/keys/request_key_auth-type.h
@@ -9,12 +9,14 @@
 #define _KEYS_REQUEST_KEY_AUTH_TYPE_H
 
 #include <linux/key.h>
+#include <linux/refcount.h>
 
 /*
  * Authorisation record for request_key().
  */
 struct request_key_auth {
 	struct rcu_head		rcu;
+	refcount_t		usage;
 	struct key		*target_key;
 	struct key		*dest_keyring;
 	const struct cred	*cred;
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -208,6 +208,8 @@ extern struct key *request_key_auth_new(
 					const void *callout_info,
 					size_t callout_len,
 					struct key *dest_keyring);
+struct request_key_auth *request_key_auth_get(struct key *authkey);
+void request_key_auth_put(struct request_key_auth *rka);
 
 extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
 
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1197,9 +1197,13 @@ static long keyctl_instantiate_key_commo
 	if (!instkey)
 		goto error;
 
-	rka = instkey->payload.data[0];
-	if (rka->target_key->serial != id)
+	rka = request_key_auth_get(instkey);
+	if (!rka) {
+		ret = -EKEYREVOKED;
 		goto error;
+	}
+	if (rka->target_key->serial != id)
+		goto error_put_rka;
 
 	/* pull the payload in if one was supplied */
 	payload = NULL;
@@ -1208,7 +1212,7 @@ static long keyctl_instantiate_key_commo
 		ret = -ENOMEM;
 		payload = kvmalloc(plen, GFP_KERNEL);
 		if (!payload)
-			goto error;
+			goto error_put_rka;
 
 		ret = -EFAULT;
 		if (!copy_from_iter_full(payload, plen, from))
@@ -1234,6 +1238,8 @@ static long keyctl_instantiate_key_commo
 
 error2:
 	kvfree_sensitive(payload, plen);
+error_put_rka:
+	request_key_auth_put(rka);
 error:
 	return ret;
 }
@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
 	if (!instkey)
 		goto error;
 
-	rka = instkey->payload.data[0];
-	if (rka->target_key->serial != id)
+	rka = request_key_auth_get(instkey);
+	if (!rka) {
+		ret = -EKEYREVOKED;
 		goto error;
+	}
+	if (rka->target_key->serial != id)
+		goto error_put_rka;
 
 	/* find the destination keyring if present (which must also be
 	 * writable) */
 	ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
 	if (ret < 0)
-		goto error;
+		goto error_put_rka;
 
 	/* instantiate the key and link it into a keyring */
 	ret = key_reject_and_link(rka->target_key, timeout, error,
@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
 	if (ret == 0)
 		keyctl_change_reqkey_auth(NULL);
 
+error_put_rka:
+	request_key_auth_put(rka);
 error:
 	return ret;
 }
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
 static void request_key_auth_revoke(struct key *);
 static void request_key_auth_destroy(struct key *);
 static long request_key_auth_read(const struct key *, char *, size_t);
+static void request_key_auth_rcu_disposal(struct rcu_head *);
 
 /*
  * The request-key authorisation key type definition.
@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
 }
 
 /*
+ * Take a reference to the request-key authorisation payload so callers can
+ * drop authkey->sem before doing operations that may sleep.
+ */
+struct request_key_auth *request_key_auth_get(struct key *authkey)
+{
+	struct request_key_auth *rka;
+
+	down_read(&authkey->sem);
+	rka = dereference_key_locked(authkey);
+	if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+		refcount_inc(&rka->usage);
+	else
+		rka = NULL;
+	up_read(&authkey->sem);
+
+	return rka;
+}
+
+void request_key_auth_put(struct request_key_auth *rka)
+{
+	if (rka && refcount_dec_and_test(&rka->usage))
+		call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+}
+
+/*
  * Dispose of the request_key_auth record under RCU conditions
  */
 static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
 	struct request_key_auth *rka = dereference_key_locked(key);
 
 	kenter("{%d}", key->serial);
+	if (!rka)
+		return;
 	rcu_assign_keypointer(key, NULL);
-	call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+	request_key_auth_put(rka);
 }
 
 /*
@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
 	kenter("{%d}", key->serial);
 	if (rka) {
 		rcu_assign_keypointer(key, NULL);
-		call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+		request_key_auth_put(rka);
 	}
 }
 
@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
 	rka = kzalloc(sizeof(*rka), GFP_KERNEL);
 	if (!rka)
 		goto error;
+	refcount_set(&rka->usage, 1);
 	rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
 	if (!rka->callout_info)
 		goto error_free_rka;



  parent reply	other threads:[~2026-07-02 16:55 UTC|newest]

Thread overview: 123+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 16:19 [PATCH 6.18 000/108] 6.18.38-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.18 001/108] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 6.18 002/108] lsm: add backing_file LSM hooks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 003/108] selinux: fix overlayfs mmap() and mprotect() access checks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 004/108] Revert "PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion support" Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 005/108] lockd: fix TEST handling when not all permissions are available Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 006/108] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 007/108] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 008/108] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 009/108] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 010/108] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 011/108] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 012/108] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 013/108] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 014/108] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 015/108] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 016/108] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 017/108] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 018/108] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 019/108] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 020/108] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 021/108] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 022/108] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 023/108] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 024/108] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 025/108] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 026/108] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 027/108] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 028/108] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 029/108] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 030/108] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 031/108] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 032/108] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 033/108] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 034/108] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 035/108] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 036/108] af_unix: Set gc_in_progress to true in unix_gc() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 037/108] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 038/108] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 039/108] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 040/108] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 041/108] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 042/108] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 043/108] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 044/108] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-03 12:32   ` Usama Arif
2026-07-04  2:05     ` Sasha Levin
2026-07-04  2:35       ` Jens Axboe
2026-07-04  6:45         ` Greg Kroah-Hartman
2026-07-04 12:41           ` Jens Axboe
2026-07-05  9:03             ` Greg Kroah-Hartman
2026-07-05 23:05               ` Jens Axboe
2026-07-02 16:20 ` [PATCH 6.18 045/108] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 046/108] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 047/108] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 048/108] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 6.18 050/108] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 051/108] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 052/108] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 053/108] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 054/108] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 055/108] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 056/108] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 057/108] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 058/108] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 059/108] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 060/108] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 061/108] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 6.18 062/108] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 063/108] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 064/108] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 065/108] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 066/108] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 067/108] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 068/108] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 069/108] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 070/108] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 071/108] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 072/108] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 073/108] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 074/108] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 075/108] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 076/108] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 077/108] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 078/108] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 079/108] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 080/108] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 081/108] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 082/108] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 083/108] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 084/108] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 085/108] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 086/108] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 087/108] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 088/108] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 089/108] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 090/108] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 091/108] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 092/108] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 093/108] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 094/108] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 095/108] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 096/108] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 097/108] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 098/108] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 099/108] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 100/108] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 101/108] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 102/108] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 103/108] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 104/108] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 105/108] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 106/108] serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 107/108] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 6.18 108/108] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 6.18 000/108] 6.18.38-rc1 review Brett A C Sheffield
2026-07-02 23:05 ` Peter Schneider
2026-07-03  0:08 ` Miguel Ojeda
2026-07-03  3:13 ` Wentao Guan
2026-07-03  7:27   ` Greg KH
2026-07-03  5:54 ` Ron Economos
2026-07-03  7:11 ` Shung-Hsi Yu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702155113.124995881@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=eeesssooo020@gmail.com \
    --cc=jarkko@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox