Archive-only list for patches
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes
Date: Thu,  2 Jul 2026 18:20:36 +0200	[thread overview]
Message-ID: <20260702155113.790525929@linuxfoundation.org> (raw)
In-Reply-To: <20260702155112.964534952@linuxfoundation.org>

7.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@kernel.org>

commit dd015b566d505d698386103e9c80b739c7336eb8 upstream.

The addition of support for customizable data unit sizes introduced an
edge case where a file's contents can be en/decrypted with the wrong
data unit size.  It occurs when there are multiple v2 policies that:

- Have *different* data unit sizes, via the log2_data_unit_size field

- Share the same master_key_identifier, contents_encryption_mode, and
  either FSCRYPT_POLICY_FLAG_DIRECT_KEY,
  FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, or
  FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64

- Are being used on the same filesystem, which also must be mounted with
  the "inlinecrypt" mount option.

Fortunately this edge case doesn't actually occur in practice.  I just
found it via code review.  But it needs to be fixed regardless.

The bug is caused by the data unit size not being fully considered when
blk_crypto_keys are cached in mk_direct_keys, mk_iv_ino_lblk_32_keys,
and mk_iv_ino_lblk_64_keys.  They're differentiated only by master key,
encryption mode, and flag.  However, each one actually has a data unit
size too.  Only the first data unit size that is cached is used.

To fix this, start using the data unit size to differentiate the cached
keys.  For several reasons, including avoiding increasing the size of
struct fscrypt_master_key, just replace all three arrays with a single
linked list instead of changing them into two-dimensional arrays.  This
works well when considering that in practice at most 2 entries are used
across all three arrays, so it was already mostly wasted space.

For simplicity, make the list also take over the publish/subscribe of
the prepared key itself.  That is, create separate list nodes for
blk_crypto_keys vs crypto_skciphers, and add nodes to the list only when
their key is actually prepared.  (Note that the legacy
fscrypt_direct_keys table in fs/crypto/keysetup_v1.c already works this
way.)  This eliminates the need for the additional memory barriers when
reading and writing the fields of struct fscrypt_prepared_key.

Note that I technically should have included the data unit size in the
HKDF info string as well.  But it's too late to change that.

Fixes: 5b1188847180 ("fscrypt: support crypto data unit size less than filesystem block size")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618180652.52742-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/crypto/fscrypt_private.h |   52 +++++++++++-------
 fs/crypto/inline_crypt.c    |    8 --
 fs/crypto/keyring.c         |   23 +++++---
 fs/crypto/keysetup.c        |  122 +++++++++++++++++++++++++++-----------------
 4 files changed, 122 insertions(+), 83 deletions(-)

--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -236,7 +236,7 @@ struct fscrypt_symlink_data {
  * @tfm: crypto API transform object
  * @blk_key: key for blk-crypto
  *
- * Normally only one of the fields will be non-NULL.
+ * Only one of the fields is non-NULL.
  */
 struct fscrypt_prepared_key {
 	struct crypto_sync_skcipher *tfm;
@@ -245,6 +245,15 @@ struct fscrypt_prepared_key {
 #endif
 };
 
+/* An entry in the linked list ->mk_mode_keys */
+struct fscrypt_mode_key {
+	struct fscrypt_prepared_key key;
+	struct list_head link;
+	u8 hkdf_context;
+	u8 mode_num;
+	u8 data_unit_bits;
+};
+
 /*
  * fscrypt_inode_info - the "encryption key" for an inode
  *
@@ -430,20 +439,12 @@ int fscrypt_derive_sw_secret(struct supe
  * @prep_key, depending on which encryption implementation the file will use.
  */
 static inline bool
-fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
+fscrypt_is_key_prepared(const struct fscrypt_prepared_key *prep_key,
 			const struct fscrypt_inode_info *ci)
 {
-	/*
-	 * The two smp_load_acquire()'s here pair with the smp_store_release()'s
-	 * in fscrypt_prepare_inline_crypt_key() and fscrypt_prepare_key().
-	 * I.e., in some cases (namely, if this prep_key is a per-mode
-	 * encryption key) another task can publish blk_key or tfm concurrently,
-	 * executing a RELEASE barrier.  We need to use smp_load_acquire() here
-	 * to safely ACQUIRE the memory the other task published.
-	 */
 	if (fscrypt_using_inline_encryption(ci))
-		return smp_load_acquire(&prep_key->blk_key) != NULL;
-	return smp_load_acquire(&prep_key->tfm) != NULL;
+		return prep_key->blk_key != NULL;
+	return prep_key->tfm != NULL;
 }
 
 #else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
@@ -486,10 +487,10 @@ fscrypt_derive_sw_secret(struct super_bl
 }
 
 static inline bool
-fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
+fscrypt_is_key_prepared(const struct fscrypt_prepared_key *prep_key,
 			const struct fscrypt_inode_info *ci)
 {
-	return smp_load_acquire(&prep_key->tfm) != NULL;
+	return prep_key->tfm != NULL;
 }
 #endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
 
@@ -577,8 +578,8 @@ struct fscrypt_master_key {
 	/*
 	 * Active and structural reference counts.  An active ref guarantees
 	 * that the struct continues to exist, continues to be in the keyring
-	 * ->s_master_keys, and that any embedded subkeys (e.g.
-	 * ->mk_direct_keys) that have been prepared continue to exist.
+	 * ->s_master_keys, and that any non-file-scoped subkeys (e.g.
+	 * ->mk_mode_keys) that have been prepared continue to exist.
 	 * A structural ref only guarantees that the struct continues to exist.
 	 *
 	 * There is one active ref associated with ->mk_present being true, and
@@ -632,12 +633,21 @@ struct fscrypt_master_key {
 	spinlock_t		mk_decrypted_inodes_lock;
 
 	/*
-	 * Per-mode encryption keys for the various types of encryption policies
-	 * that use them.  Allocated and derived on-demand.
+	 * A list of 'struct fscrypt_mode_key' for the (hkdf_context, mode_num,
+	 * data_unit_bits, inlinecrypt) combinations that are in use for this
+	 * master key, for hkdf_context in [HKDF_CONTEXT_DIRECT_KEY,
+	 * HKDF_CONTEXT_IV_INO_LBLK_32_KEY, HKDF_CONTEXT_IV_INO_LBLK_64_KEY].
+	 *
+	 * This is a linked list and not a hash table because in practice
+	 * there's just a single encryption policy per master key, using
+	 * _at most_ 2 nodes in this list.  Per-file keys don't use this at all.
+	 *
+	 * This list is append-only until the master key is fully removed, at
+	 * which time the list is cleared.  Before then,
+	 * fscrypt_mode_key_setup_mutex synchronizes appends, and searches use
+	 * the RCU read lock together with ->mk_sem held for read.
 	 */
-	struct fscrypt_prepared_key mk_direct_keys[FSCRYPT_MODE_MAX + 1];
-	struct fscrypt_prepared_key mk_iv_ino_lblk_64_keys[FSCRYPT_MODE_MAX + 1];
-	struct fscrypt_prepared_key mk_iv_ino_lblk_32_keys[FSCRYPT_MODE_MAX + 1];
+	struct list_head	mk_mode_keys;
 
 	/* Hash key for inode numbers.  Initialized only when needed. */
 	siphash_key_t		mk_ino_hash_key;
--- a/fs/crypto/inline_crypt.c
+++ b/fs/crypto/inline_crypt.c
@@ -198,13 +198,7 @@ int fscrypt_prepare_inline_crypt_key(str
 		goto fail;
 	}
 
-	/*
-	 * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
-	 * I.e., here we publish ->blk_key with a RELEASE barrier so that
-	 * concurrent tasks can ACQUIRE it.  Note that this concurrency is only
-	 * possible for per-mode keys, not for per-file keys.
-	 */
-	smp_store_release(&prep_key->blk_key, blk_key);
+	prep_key->blk_key = blk_key;
 	return 0;
 
 fail:
--- a/fs/crypto/keyring.c
+++ b/fs/crypto/keyring.c
@@ -87,14 +87,14 @@ void fscrypt_put_master_key(struct fscry
 void fscrypt_put_master_key_activeref(struct super_block *sb,
 				      struct fscrypt_master_key *mk)
 {
-	size_t i;
+	struct fscrypt_mode_key *node, *tmp;
 
 	if (!refcount_dec_and_test(&mk->mk_active_refs))
 		return;
 	/*
 	 * No active references left, so complete the full removal of this
 	 * fscrypt_master_key struct by removing it from the keyring and
-	 * destroying any subkeys embedded in it.
+	 * destroying any non-file-scoped subkeys.
 	 */
 
 	if (WARN_ON_ONCE(!sb->s_master_keys))
@@ -110,13 +110,16 @@ void fscrypt_put_master_key_activeref(st
 	WARN_ON_ONCE(mk->mk_present);
 	WARN_ON_ONCE(!list_empty(&mk->mk_decrypted_inodes));
 
-	for (i = 0; i <= FSCRYPT_MODE_MAX; i++) {
-		fscrypt_destroy_prepared_key(
-				sb, &mk->mk_direct_keys[i]);
-		fscrypt_destroy_prepared_key(
-				sb, &mk->mk_iv_ino_lblk_64_keys[i]);
-		fscrypt_destroy_prepared_key(
-				sb, &mk->mk_iv_ino_lblk_32_keys[i]);
+	/*
+	 * Destroy any non-file-scoped subkeys.  Since ->mk_active_refs == 0,
+	 * they're no longer referenced by any inodes.  Nor can key setup run
+	 * and use them again.  So they're no longer needed.  (This implies no
+	 * concurrent readers, so we don't need list_del_rcu() for example.)
+	 */
+	list_for_each_entry_safe(node, tmp, &mk->mk_mode_keys, link) {
+		fscrypt_destroy_prepared_key(sb, &node->key);
+		list_del(&node->link);
+		kfree(node);
 	}
 	memzero_explicit(&mk->mk_ino_hash_key,
 			 sizeof(mk->mk_ino_hash_key));
@@ -445,6 +448,8 @@ static int add_new_master_key(struct sup
 	INIT_LIST_HEAD(&mk->mk_decrypted_inodes);
 	spin_lock_init(&mk->mk_decrypted_inodes_lock);
 
+	INIT_LIST_HEAD(&mk->mk_mode_keys);
+
 	if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
 		err = allocate_master_key_users_keyring(mk);
 		if (err)
--- a/fs/crypto/keysetup.c
+++ b/fs/crypto/keysetup.c
@@ -163,13 +163,7 @@ int fscrypt_prepare_key(struct fscrypt_p
 	tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode);
 	if (IS_ERR(tfm))
 		return PTR_ERR(tfm);
-	/*
-	 * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
-	 * I.e., here we publish ->tfm with a RELEASE barrier so that
-	 * concurrent tasks can ACQUIRE it.  Note that this concurrency is only
-	 * possible for per-mode keys, not for per-file keys.
-	 */
-	smp_store_release(&prep_key->tfm, tfm);
+	prep_key->tfm = tfm;
 	return 0;
 }
 
@@ -190,9 +184,37 @@ int fscrypt_set_per_file_enc_key(struct
 	return fscrypt_prepare_key(&ci->ci_enc_key, raw_key, ci);
 }
 
+/*
+ * Find the fscrypt_prepared_key (if any) for a particular (mk, hkdf_context,
+ * mode_num, data_unit_bits, inlinecrypt) combination.
+ *
+ * The caller must hold ->mk_sem for reading and ->mk_present must be true,
+ * ensuring that ->mk_mode_keys is still append-only.
+ */
+static struct fscrypt_prepared_key *
+fscrypt_find_mode_key(struct fscrypt_master_key *mk, u8 hkdf_context,
+		      u8 mode_num, const struct fscrypt_inode_info *ci)
+{
+	struct fscrypt_mode_key *node;
+
+	/*
+	 * The RCU read lock here is used only to synchronize with concurrent
+	 * list_add_tail_rcu().  Concurrent deletions are impossible here, so
+	 * returning a pointer to a node without taking any refcount is safe.
+	 */
+	guard(rcu)();
+	list_for_each_entry_rcu(node, &mk->mk_mode_keys, link) {
+		if (node->hkdf_context == hkdf_context &&
+		    node->mode_num == mode_num &&
+		    node->data_unit_bits == ci->ci_data_unit_bits &&
+		    fscrypt_is_key_prepared(&node->key, ci))
+			return &node->key;
+	}
+	return NULL;
+}
+
 static int setup_per_mode_enc_key(struct fscrypt_inode_info *ci,
 				  struct fscrypt_master_key *mk,
-				  struct fscrypt_prepared_key *keys,
 				  u8 hkdf_context, bool include_fs_uuid)
 {
 	const struct inode *inode = ci->ci_inode;
@@ -200,7 +222,8 @@ static int setup_per_mode_enc_key(struct
 	struct fscrypt_mode *mode = ci->ci_mode;
 	const u8 mode_num = mode - fscrypt_modes;
 	struct fscrypt_prepared_key *prep_key;
-	u8 mode_key[FSCRYPT_MAX_RAW_KEY_SIZE];
+	struct fscrypt_mode_key *new_node;
+	u8 raw_mode_key[FSCRYPT_MAX_RAW_KEY_SIZE];
 	u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)];
 	unsigned int hkdf_infolen = 0;
 	bool use_hw_wrapped_key = false;
@@ -223,48 +246,56 @@ static int setup_per_mode_enc_key(struct
 		use_hw_wrapped_key = true;
 	}
 
-	prep_key = &keys[mode_num];
-	if (fscrypt_is_key_prepared(prep_key, ci)) {
+	prep_key = fscrypt_find_mode_key(mk, hkdf_context, mode_num, ci);
+	if (prep_key) {
 		ci->ci_enc_key = *prep_key;
 		return 0;
 	}
 
-	mutex_lock(&fscrypt_mode_key_setup_mutex);
+	guard(mutex)(&fscrypt_mode_key_setup_mutex);
+
+	prep_key = fscrypt_find_mode_key(mk, hkdf_context, mode_num, ci);
+	if (prep_key) {
+		ci->ci_enc_key = *prep_key;
+		return 0;
+	}
 
-	if (fscrypt_is_key_prepared(prep_key, ci))
-		goto done_unlock;
+	new_node = kzalloc_obj(*new_node);
+	if (!new_node)
+		return -ENOMEM;
+	new_node->hkdf_context = hkdf_context;
+	new_node->mode_num = mode_num;
+	new_node->data_unit_bits = ci->ci_data_unit_bits;
+	prep_key = &new_node->key;
 
 	if (use_hw_wrapped_key) {
 		err = fscrypt_prepare_inline_crypt_key(prep_key,
 						       mk->mk_secret.bytes,
 						       mk->mk_secret.size, true,
 						       ci);
-		if (err)
-			goto out_unlock;
-		goto done_unlock;
-	}
-
-	BUILD_BUG_ON(sizeof(mode_num) != 1);
-	BUILD_BUG_ON(sizeof(sb->s_uuid) != 16);
-	BUILD_BUG_ON(sizeof(hkdf_info) != 17);
-	hkdf_info[hkdf_infolen++] = mode_num;
-	if (include_fs_uuid) {
-		memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
-		       sizeof(sb->s_uuid));
-		hkdf_infolen += sizeof(sb->s_uuid);
-	}
-	fscrypt_hkdf_expand(&mk->mk_secret.hkdf, hkdf_context, hkdf_info,
-			    hkdf_infolen, mode_key, mode->keysize);
-	err = fscrypt_prepare_key(prep_key, mode_key, ci);
-	memzero_explicit(mode_key, mode->keysize);
-	if (err)
-		goto out_unlock;
-done_unlock:
+	} else {
+		static_assert(sizeof(mode_num) == 1);
+		static_assert(sizeof(sb->s_uuid) == 16);
+		static_assert(sizeof(hkdf_info) == 17);
+		hkdf_info[hkdf_infolen++] = mode_num;
+		if (include_fs_uuid) {
+			memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
+			       sizeof(sb->s_uuid));
+			hkdf_infolen += sizeof(sb->s_uuid);
+		}
+		fscrypt_hkdf_expand(&mk->mk_secret.hkdf, hkdf_context,
+				    hkdf_info, hkdf_infolen, raw_mode_key,
+				    mode->keysize);
+		err = fscrypt_prepare_key(prep_key, raw_mode_key, ci);
+		memzero_explicit(raw_mode_key, mode->keysize);
+	}
+	if (err) {
+		kfree(new_node);
+		return err;
+	}
+	list_add_tail_rcu(&new_node->link, &mk->mk_mode_keys);
 	ci->ci_enc_key = *prep_key;
-	err = 0;
-out_unlock:
-	mutex_unlock(&fscrypt_mode_key_setup_mutex);
-	return err;
+	return 0;
 }
 
 /*
@@ -311,8 +342,8 @@ static int fscrypt_setup_iv_ino_lblk_32_
 {
 	int err;
 
-	err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_32_keys,
-				     HKDF_CONTEXT_IV_INO_LBLK_32_KEY, true);
+	err = setup_per_mode_enc_key(ci, mk, HKDF_CONTEXT_IV_INO_LBLK_32_KEY,
+				     true);
 	if (err)
 		return err;
 
@@ -364,8 +395,8 @@ static int fscrypt_setup_v2_file_key(str
 		 * encryption key.  This ensures that the master key is
 		 * consistently used only for HKDF, avoiding key reuse issues.
 		 */
-		err = setup_per_mode_enc_key(ci, mk, mk->mk_direct_keys,
-					     HKDF_CONTEXT_DIRECT_KEY, false);
+		err = setup_per_mode_enc_key(ci, mk, HKDF_CONTEXT_DIRECT_KEY,
+					     false);
 	} else if (ci->ci_policy.v2.flags &
 		   FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
 		/*
@@ -374,9 +405,8 @@ static int fscrypt_setup_v2_file_key(str
 		 * the IVs.  This format is optimized for use with inline
 		 * encryption hardware compliant with the UFS standard.
 		 */
-		err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_64_keys,
-					     HKDF_CONTEXT_IV_INO_LBLK_64_KEY,
-					     true);
+		err = setup_per_mode_enc_key(
+			ci, mk, HKDF_CONTEXT_IV_INO_LBLK_64_KEY, true);
 	} else if (ci->ci_policy.v2.flags &
 		   FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
 		err = fscrypt_setup_iv_ino_lblk_32_key(ci, mk);



  parent reply	other threads:[~2026-07-02 16:59 UTC|newest]

Thread overview: 134+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 029/120] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 057/120] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 063/120] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-03  5:05   ` Vivian Wang
2026-07-03  7:26     ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 098/120] ntfs: serialize volume label accesses Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 104/120] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
2026-07-02 23:12   ` Peter Schneider
2026-07-02 17:46 ` Ronald Warsow
2026-07-02 19:46 ` Brett A C Sheffield
2026-07-03  0:09 ` Peter Schneider
2026-07-03  0:15 ` Miguel Ojeda
2026-07-03  5:38   ` Greg KH
2026-07-04  2:05   ` Sasha Levin
2026-07-04 12:24     ` Miguel Ojeda
2026-07-03  5:41 ` Ron Economos
2026-07-03  7:26   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702155113.790525929@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ebiggers@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox