Archive-only list for patches
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Shaomin Chen <eeesssooo020@gmail.com>,
	Jarkko Sakkinen <jarkko@kernel.org>
Subject: [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths
Date: Thu,  2 Jul 2026 18:20:42 +0200	[thread overview]
Message-ID: <20260702155113.915523744@linuxfoundation.org> (raw)
In-Reply-To: <20260702155112.964534952@linuxfoundation.org>

7.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaomin Chen <eeesssooo020@gmail.com>

commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.

A: request_key()       B: KEYCTL_INSTANTIATE_IOV
================       =========================

create auth key
store rka in auth key
wait for helper
                       get auth key
                       load rka from auth key
                       copy user payload
                       sleep on #PF

helper completed
detach and free rka
destroy auth key
                       wake up
                       use rka->target_key
                       **USE-AFTER-FREE**

Give request_key_auth payloads a refcount.  Take a payload reference while
authkey->sem stabilizes the payload and revocation state.  Hold that
reference across the instantiate and reject paths.  Drop the auth key
owning reference from revoke and destroy.

[jarkko: Replaced the first two paragraphs of text with an actual
 concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/keys/request_key_auth-type.h |    2 ++
 security/keys/internal.h             |    2 ++
 security/keys/keyctl.c               |   24 ++++++++++++++++++------
 security/keys/request_key_auth.c     |   33 +++++++++++++++++++++++++++++++--
 4 files changed, 53 insertions(+), 8 deletions(-)

--- a/include/keys/request_key_auth-type.h
+++ b/include/keys/request_key_auth-type.h
@@ -9,12 +9,14 @@
 #define _KEYS_REQUEST_KEY_AUTH_TYPE_H
 
 #include <linux/key.h>
+#include <linux/refcount.h>
 
 /*
  * Authorisation record for request_key().
  */
 struct request_key_auth {
 	struct rcu_head		rcu;
+	refcount_t		usage;
 	struct key		*target_key;
 	struct key		*dest_keyring;
 	const struct cred	*cred;
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -208,6 +208,8 @@ extern struct key *request_key_auth_new(
 					const void *callout_info,
 					size_t callout_len,
 					struct key *dest_keyring);
+struct request_key_auth *request_key_auth_get(struct key *authkey);
+void request_key_auth_put(struct request_key_auth *rka);
 
 extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
 
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1197,9 +1197,13 @@ static long keyctl_instantiate_key_commo
 	if (!instkey)
 		goto error;
 
-	rka = instkey->payload.data[0];
-	if (rka->target_key->serial != id)
+	rka = request_key_auth_get(instkey);
+	if (!rka) {
+		ret = -EKEYREVOKED;
 		goto error;
+	}
+	if (rka->target_key->serial != id)
+		goto error_put_rka;
 
 	/* pull the payload in if one was supplied */
 	payload = NULL;
@@ -1208,7 +1212,7 @@ static long keyctl_instantiate_key_commo
 		ret = -ENOMEM;
 		payload = kvmalloc(plen, GFP_KERNEL);
 		if (!payload)
-			goto error;
+			goto error_put_rka;
 
 		ret = -EFAULT;
 		if (!copy_from_iter_full(payload, plen, from))
@@ -1234,6 +1238,8 @@ static long keyctl_instantiate_key_commo
 
 error2:
 	kvfree_sensitive(payload, plen);
+error_put_rka:
+	request_key_auth_put(rka);
 error:
 	return ret;
 }
@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
 	if (!instkey)
 		goto error;
 
-	rka = instkey->payload.data[0];
-	if (rka->target_key->serial != id)
+	rka = request_key_auth_get(instkey);
+	if (!rka) {
+		ret = -EKEYREVOKED;
 		goto error;
+	}
+	if (rka->target_key->serial != id)
+		goto error_put_rka;
 
 	/* find the destination keyring if present (which must also be
 	 * writable) */
 	ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
 	if (ret < 0)
-		goto error;
+		goto error_put_rka;
 
 	/* instantiate the key and link it into a keyring */
 	ret = key_reject_and_link(rka->target_key, timeout, error,
@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
 	if (ret == 0)
 		keyctl_change_reqkey_auth(NULL);
 
+error_put_rka:
+	request_key_auth_put(rka);
 error:
 	return ret;
 }
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
 static void request_key_auth_revoke(struct key *);
 static void request_key_auth_destroy(struct key *);
 static long request_key_auth_read(const struct key *, char *, size_t);
+static void request_key_auth_rcu_disposal(struct rcu_head *);
 
 /*
  * The request-key authorisation key type definition.
@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
 }
 
 /*
+ * Take a reference to the request-key authorisation payload so callers can
+ * drop authkey->sem before doing operations that may sleep.
+ */
+struct request_key_auth *request_key_auth_get(struct key *authkey)
+{
+	struct request_key_auth *rka;
+
+	down_read(&authkey->sem);
+	rka = dereference_key_locked(authkey);
+	if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+		refcount_inc(&rka->usage);
+	else
+		rka = NULL;
+	up_read(&authkey->sem);
+
+	return rka;
+}
+
+void request_key_auth_put(struct request_key_auth *rka)
+{
+	if (rka && refcount_dec_and_test(&rka->usage))
+		call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+}
+
+/*
  * Dispose of the request_key_auth record under RCU conditions
  */
 static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
 	struct request_key_auth *rka = dereference_key_locked(key);
 
 	kenter("{%d}", key->serial);
+	if (!rka)
+		return;
 	rcu_assign_keypointer(key, NULL);
-	call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+	request_key_auth_put(rka);
 }
 
 /*
@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
 	kenter("{%d}", key->serial);
 	if (rka) {
 		rcu_assign_keypointer(key, NULL);
-		call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+		request_key_auth_put(rka);
 	}
 }
 
@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
 	rka = kzalloc_obj(*rka);
 	if (!rka)
 		goto error;
+	refcount_set(&rka->usage, 1);
 	rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
 	if (!rka->callout_info)
 		goto error_free_rka;



  parent reply	other threads:[~2026-07-02 16:59 UTC|newest]

Thread overview: 134+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 029/120] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 057/120] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 063/120] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-03  5:05   ` Vivian Wang
2026-07-03  7:26     ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 098/120] ntfs: serialize volume label accesses Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 104/120] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
2026-07-02 23:12   ` Peter Schneider
2026-07-02 17:46 ` Ronald Warsow
2026-07-02 19:46 ` Brett A C Sheffield
2026-07-03  0:09 ` Peter Schneider
2026-07-03  0:15 ` Miguel Ojeda
2026-07-03  5:38   ` Greg KH
2026-07-04  2:05   ` Sasha Levin
2026-07-04 12:24     ` Miguel Ojeda
2026-07-03  5:41 ` Ron Economos
2026-07-03  7:26   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702155113.915523744@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=eeesssooo020@gmail.com \
    --cc=jarkko@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox