From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hyunwoo Kim <imv4bel@gmail.com>,
Namjae Jeon <linkinjeon@kernel.org>,
Steve French <stfrench@microsoft.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.18 205/212] ksmbd: fix use-after-free of share_conf in compound request
Date: Mon, 23 Mar 2026 14:47:06 +0100 [thread overview]
Message-ID: <20260323134510.268059351@linuxfoundation.org> (raw)
In-Reply-To: <20260323134503.770111826@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
[ Upstream commit c33615f995aee80657b9fdfbc4ee7f49c2bd733d ]
smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without
validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state ==
TREE_CONNECTED on the initial lookup path, but the compound reuse path
bypasses this check entirely.
If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state
to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(),
subsequent commands dereference the freed share_conf through
work->tcon->share_conf.
KASAN report:
[ 4.144653] ==================================================================
[ 4.145059] BUG: KASAN: slab-use-after-free in smb2_write+0xc74/0xe70
[ 4.145415] Read of size 4 at addr ffff88810430c194 by task kworker/1:1/44
[ 4.145772]
[ 4.145867] CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted 7.0.0-rc3+ #60 PREEMPTLAZY
[ 4.145871] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.145875] Workqueue: ksmbd-io handle_ksmbd_work
[ 4.145888] Call Trace:
[ 4.145892] <TASK>
[ 4.145894] dump_stack_lvl+0x64/0x80
[ 4.145910] print_report+0xce/0x660
[ 4.145919] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 4.145928] ? smb2_write+0xc74/0xe70
[ 4.145931] kasan_report+0xce/0x100
[ 4.145934] ? smb2_write+0xc74/0xe70
[ 4.145937] smb2_write+0xc74/0xe70
[ 4.145939] ? __pfx_smb2_write+0x10/0x10
[ 4.145942] ? _raw_spin_unlock+0xe/0x30
[ 4.145945] ? ksmbd_smb2_check_message+0xeb2/0x24c0
[ 4.145948] ? smb2_tree_disconnect+0x31c/0x480
[ 4.145951] handle_ksmbd_work+0x40f/0x1080
[ 4.145953] process_one_work+0x5fa/0xef0
[ 4.145962] ? assign_work+0x122/0x3e0
[ 4.145964] worker_thread+0x54b/0xf70
[ 4.145967] ? __pfx_worker_thread+0x10/0x10
[ 4.145970] kthread+0x346/0x470
[ 4.145976] ? recalc_sigpending+0x19b/0x230
[ 4.145980] ? __pfx_kthread+0x10/0x10
[ 4.145984] ret_from_fork+0x4fb/0x6c0
[ 4.145992] ? __pfx_ret_from_fork+0x10/0x10
[ 4.145995] ? __switch_to+0x36c/0xbe0
[ 4.145999] ? __pfx_kthread+0x10/0x10
[ 4.146003] ret_from_fork_asm+0x1a/0x30
[ 4.146013] </TASK>
[ 4.146014]
[ 4.149858] Allocated by task 44:
[ 4.149953] kasan_save_stack+0x33/0x60
[ 4.150061] kasan_save_track+0x14/0x30
[ 4.150169] __kasan_kmalloc+0x8f/0xa0
[ 4.150274] ksmbd_share_config_get+0x1dd/0xdd0
[ 4.150401] ksmbd_tree_conn_connect+0x7e/0x600
[ 4.150529] smb2_tree_connect+0x2e6/0x1000
[ 4.150645] handle_ksmbd_work+0x40f/0x1080
[ 4.150761] process_one_work+0x5fa/0xef0
[ 4.150873] worker_thread+0x54b/0xf70
[ 4.150978] kthread+0x346/0x470
[ 4.151071] ret_from_fork+0x4fb/0x6c0
[ 4.151176] ret_from_fork_asm+0x1a/0x30
[ 4.151286]
[ 4.151332] Freed by task 44:
[ 4.151418] kasan_save_stack+0x33/0x60
[ 4.151526] kasan_save_track+0x14/0x30
[ 4.151634] kasan_save_free_info+0x3b/0x60
[ 4.151751] __kasan_slab_free+0x43/0x70
[ 4.151861] kfree+0x1ca/0x430
[ 4.151952] __ksmbd_tree_conn_disconnect+0xc8/0x190
[ 4.152088] smb2_tree_disconnect+0x1cd/0x480
[ 4.152211] handle_ksmbd_work+0x40f/0x1080
[ 4.152326] process_one_work+0x5fa/0xef0
[ 4.152438] worker_thread+0x54b/0xf70
[ 4.152545] kthread+0x346/0x470
[ 4.152638] ret_from_fork+0x4fb/0x6c0
[ 4.152743] ret_from_fork_asm+0x1a/0x30
[ 4.152853]
[ 4.152900] The buggy address belongs to the object at ffff88810430c180
[ 4.152900] which belongs to the cache kmalloc-96 of size 96
[ 4.153226] The buggy address is located 20 bytes inside of
[ 4.153226] freed 96-byte region [ffff88810430c180, ffff88810430c1e0)
[ 4.153549]
[ 4.153596] The buggy address belongs to the physical page:
[ 4.153750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810430ce80 pfn:0x10430c
[ 4.154000] flags: 0x100000000000200(workingset|node=0|zone=2)
[ 4.154160] page_type: f5(slab)
[ 4.154251] raw: 0100000000000200 ffff888100041280 ffff888100040110 ffff888100040110
[ 4.154461] raw: ffff88810430ce80 0000000800200009 00000000f5000000 0000000000000000
[ 4.154668] page dumped because: kasan: bad access detected
[ 4.154820]
[ 4.154866] Memory state around the buggy address:
[ 4.155002] ffff88810430c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.155196] ffff88810430c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.155391] >ffff88810430c180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 4.155587] ^
[ 4.155693] ffff88810430c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.155891] ffff88810430c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.156087] ==================================================================
Add the same t_state validation to the compound reuse path, consistent
with ksmbd_tree_conn_lookup().
Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 1f04b761a8cf8..6796bc919d580 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -125,6 +125,8 @@ int smb2_get_ksmbd_tcon(struct ksmbd_work *work)
pr_err("The first operation in the compound does not have tcon\n");
return -EINVAL;
}
+ if (work->tcon->t_state != TREE_CONNECTED)
+ return -ENOENT;
if (tree_id != UINT_MAX && work->tcon->id != tree_id) {
pr_err("tree id(%u) is different with id(%u) in first operation\n",
tree_id, work->tcon->id);
--
2.51.0
next prev parent reply other threads:[~2026-03-23 14:10 UTC|newest]
Thread overview: 226+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 13:43 [PATCH 6.18 000/212] 6.18.20-rc1 review Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 001/212] NFSD: Defer sub-object cleanup in export put callbacks Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 002/212] NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 003/212] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 004/212] selftests/hid: fix compilation when bpf_wq and hid_device are not exported Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 005/212] HID: bpf: prevent buffer overflow in hid_hw_request Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 006/212] sunrpc: fix cache_request leak in cache_release Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 007/212] nvdimm/bus: Fix potential use after free in asynchronous initialization Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 008/212] crash_dump: dont log dm-crypt key bytes in read_key_from_user_keying Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 009/212] mm/rmap: fix incorrect pte restoration for lazyfree folios Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 010/212] mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd() Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 011/212] mm/huge_memory: fix early failure try_to_migrate() when split huge pmd for shared THP Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 012/212] LoongArch: Give more information if kmem access failed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 013/212] LoongArch: No need to flush icache if text copy failed Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 014/212] NFC: nxp-nci: allow GPIOs to sleep Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 015/212] net: macb: fix use-after-free access to PTP clock Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 016/212] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 017/212] parisc: Flush correct cache in cacheflush() syscall Greg Kroah-Hartman
2026-03-23 13:43 ` [PATCH 6.18 018/212] batman-adv: avoid OGM aggregation when skb tailroom is insufficient Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 019/212] mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 020/212] crypto: padlock-sha - Disable for Zhaoxin processor Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 021/212] Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 022/212] Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 023/212] smb: client: fix krb5 mount with username option Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 024/212] ksmbd: unset conn->binding on failed binding request Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 025/212] ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 026/212] drm/i915/dsc: Add Selective Update register definitions Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 027/212] drm/i915/dsc: Add helper for writing DSC Selective Update ET parameters Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 028/212] drm/i915/psr: Write DSC parameters on Selective Update in ET mode Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 029/212] net: macb: Introduce gem_init_rx_ring() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 030/212] net: macb: Reinitialize tx/rx queue pointer registers and rx ring during resume Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 031/212] LoongArch: Check return values for set_memory_{rw,rox} Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 032/212] ublk: fix NULL pointer dereference in ublk_ctrl_set_size() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 033/212] netconsole: fix sysdata_release_enabled_show checking wrong flag Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 034/212] crypto: atmel-sha204a - Fix OOM ->tfm_count leak Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 035/212] cifs: open files should not hold ref on superblock Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 036/212] drm/xe: Fix memory leak in xe_vm_madvise_ioctl Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 037/212] drm/i915/vrr: Move HAS_VRR() check into intel_vrr_set_transcoder_timings() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 038/212] drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 039/212] net: macb: sort #includes Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 040/212] net: macb: Shuffle the tx ring before enabling tx Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 041/212] ksmbd: Dont log keys in SMB3 signing and encryption key generation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 042/212] fgraph: Fix thresh_return nosleeptime double-adjust Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 043/212] drm/xe/sync: Fix user fence leak on alloc failure Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 044/212] nsfs: tighten permission checks for ns iteration ioctls Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 045/212] sched_ext: Fix starvation of scx_enable() under fair-class saturation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 046/212] sched_ext: Simplify breather mechanism with scx_aborting flag Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 047/212] sched_ext: Disable preemption between scx_claim_exit() and kicking helper work Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 048/212] ipmi: Consolidate the run to completion checking for xmit msgs lock Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 049/212] ipmi:msghandler: Handle error returns from the SMI sender Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 050/212] mm/huge_memory: fix a folio_split() race condition with folio_try_get() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 051/212] ata: libata-core: disable LPM on ADATA SU680 SSD Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 052/212] ata: libata-scsi: report correct sense field pointer in ata_scsiop_maint_in() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 053/212] mmc: sdhci-pci-gli: fix GL9750 DMA write corruption Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 054/212] mmc: sdhci: fix timing selection for 1-bit bus width Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 055/212] pmdomain: bcm: bcm2835-power: Increase ASB control timeout Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 056/212] spi: fix use-after-free on controller registration failure Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 057/212] spi: fix statistics allocation Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 058/212] mtd: rawnand: pl353: make sure optimal timings are applied Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 059/212] mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 060/212] mtd: Avoid boot crash in RedBoot partition table parser Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 061/212] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 062/212] iommu/vt-d: Only handle IOPF for SVA when PRI is supported Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 063/212] io_uring/poll: fix multishot recv missing EOF on wakeup race Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 064/212] io_uring/kbuf: fix missing BUF_MORE for incremental buffers at EOF Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 065/212] io_uring/kbuf: propagate BUF_MORE through early buffer commit path Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 066/212] vt: save/restore unicode screen buffer for alternate screen Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 067/212] serial: 8250_pci: add support for the AX99100 Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 068/212] serial: 8250: Fix TX deadlock when using DMA Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 069/212] serial: 8250: always disable IRQ during THRE test Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 070/212] serial: 8250: Protect LCR write in shutdown Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 071/212] serial: 8250_dw: Avoid unnecessary LCR writes Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 072/212] serial: 8250: Add serial8250_handle_irq_locked() Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 073/212] serial: 8250_dw: Rework dw8250_handle_irq() locking and IIR handling Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 074/212] serial: 8250_dw: Rework IIR_NO_INT handling to stop interrupt storm Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 075/212] serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 076/212] serial: 8250_dw: Ensure BUSY is deasserted Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 077/212] serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN Greg Kroah-Hartman
2026-03-23 13:44 ` [PATCH 6.18 078/212] serial: uartlite: fix PM runtime usage count underflow on probe Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 079/212] drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 080/212] drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END} Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 081/212] drm/amdgpu/gmc9.0: add bounds checking for cid Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 082/212] drm/amdgpu/mmhub2.0: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 083/212] drm/amdgpu/mmhub2.3: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 084/212] drm/amdgpu/mmhub3.0.1: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 085/212] drm/amdgpu/mmhub3.0.2: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 086/212] drm/amdgpu/mmhub3.0: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 087/212] drm/amdgpu/mmhub4.1.0: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 088/212] drm/imagination: Fix deadlock in soft reset sequence Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 089/212] drm/imagination: Synchronize interrupts before suspending the GPU Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 090/212] drm/radeon: apply state adjust rules to some additional HAINAN vairants Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 091/212] drm/amdgpu: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 092/212] drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 093/212] drm/i915/dmc: Fix an unlikely NULL pointer deference at probe Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 094/212] drm/xe/guc: Ensure CT state transitions via STOP before DISABLED Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 095/212] drm/xe/oa: Allow reading after disabling OA stream Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 096/212] drm/xe: Open-code GGTT MMIO access protection Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 097/212] Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 098/212] drm/i915/psr: Compute PSR entry_setup_frames into intel_crtc_state Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 099/212] btrfs: log new dentries when logging parent dir of a conflicting inode Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 100/212] btrfs: tree-checker: fix misleading root drop_level error message Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 101/212] soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 102/212] cache: starfive: fix device node leak in starlink_cache_init() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 103/212] cache: ax45mp: Fix device node reference leak in ax45mp_cache_init() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 104/212] soc: rockchip: grf: Add missing of_node_put() when returning Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 105/212] soc: fsl: qbman: fix race condition in qman_destroy_fq Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 106/212] soc: fsl: cpm1: qmc: Fix error check for devm_ioremap_resource() in qmc_qe_init_resources() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 107/212] tee: shm: Remove refcounting of kernel pages Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 108/212] wifi: mac80211: remove keys after disabling beaconing Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 109/212] wifi: mac80211: use jiffies_delta_to_msecs() for sta_info inactive times Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 110/212] wifi: mac80211: Fix static_branch_dec() underflow for aql_disable Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 111/212] wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 112/212] arm64: dts: renesas: rzt2h-n2h-evk: Add ramp delay for SD0 card regulator Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 113/212] arm64: dts: renesas: rzv2-evk-cn15-sd: Add ramp delay for SD0 regulator Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 114/212] arm64: dts: renesas: r9a09g057: Add RTC node Greg Kroah-Hartman
2026-03-23 14:13 ` Ovidiu Panait
2026-03-23 13:45 ` [PATCH 6.18 115/212] arm64: dts: renesas: r9a09g057: Remove wdt{0,2,3} nodes Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 116/212] arm64: dts: renesas: r9a09g077: Fix CPG register region sizes Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 117/212] arm64: dts: renesas: r9a09g087: " Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 118/212] arm64: dts: renesas: rzg3s-smarc-som: Set bypass for Versa3 PLL2 Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 119/212] firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 120/212] firmware: arm_scpi: Fix device_node reference leak in probe path Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 121/212] firmware: arm_scmi: Fix NULL dereference on notify error path Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 122/212] Bluetooth: LE L2CAP: Disconnect if received packets SDU exceeds IMTU Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 123/212] Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 124/212] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 125/212] Bluetooth: ISO: Fix defer tests being unstable Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 126/212] Bluetooth: hci_sync: Fix hci_le_create_conn_sync Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 127/212] Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 128/212] Bluetooth: HIDP: Fix possible UAF Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 129/212] Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 130/212] Bluetooth: qca: fix ROM version reading on WCN3998 chips Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 131/212] bridge: cfm: Fix race condition in peer_mep deletion Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 132/212] net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 133/212] mpls: add missing unregister_netdevice_notifier to mpls_init Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 134/212] netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 135/212] netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 136/212] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 137/212] nf_tables: nft_dynset: fix possible stateful expression memleak in error path Greg Kroah-Hartman
2026-03-23 13:45 ` [PATCH 6.18 138/212] netfilter: nft_ct: drop pending enqueued packets on removal Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 139/212] netfilter: xt_CT: drop pending enqueued packets on template removal Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 140/212] netfilter: xt_time: use unsigned int for monthday bit shift Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 141/212] netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 142/212] crypto: ccp - Fix leaking the same page twice Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 143/212] net: bcmgenet: increase WoL poll timeout Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 144/212] net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 145/212] sched: idle: Consolidate the handling of two special cases Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 146/212] PM: runtime: Fix a race condition related to device removal Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 147/212] bonding: prevent potential infinite loop in bond_header_parse() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 148/212] net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 149/212] net/sched: teql: Fix double-free in teql_master_xmit Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 150/212] net: airoha: Remove airoha_dev_stop() in airoha_remove() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 151/212] net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 152/212] net: usb: cdc_ncm: add ndpoffset to NDP32 " Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 153/212] clsact: Fix use-after-free in init/destroy rollback asymmetry Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 154/212] net: usb: aqc111: Do not perform PM inside suspend callback Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 155/212] ACPICA: Update the format of Arg3 of _DSM Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 156/212] igc: fix missing update of skb->tail in igc_xmit_frame() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 157/212] igc: fix page fault in XDP TX timestamps handling Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 158/212] iavf: fix VLAN filter lost on add/delete race Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 159/212] libie: prevent memleak in fwlog code Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 160/212] wifi: mac80211: fix NULL deref in mesh_matches_local() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 161/212] wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 162/212] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 163/212] ACPI: processor: Fix previous acpi_processor_errata_piix4() fix Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 164/212] netdevsim: drop PSP ext ref on forward failure Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 165/212] net: macb: fix uninitialized rx_fs_lock Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 166/212] net/mlx5: qos: Restrict RTNL area to avoid a lock cycle Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 167/212] net/mlx5e: Prevent concurrent access to IPSec ASO context Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 168/212] net/mlx5e: Fix race condition during IPSec ESN update Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 169/212] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 170/212] net: bonding: fix NULL deref in bond_debug_rlb_hash_show Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 171/212] netfilter: bpf: defer hook memory release until rcu readers are done Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 172/212] netfilter: nf_tables: release flowtable after rcu grace period on error Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 173/212] nfnetlink_osf: validate individual option lengths in fingerprints Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 174/212] net: mvpp2: guard flow control update with global_tx_fc in buffer switching Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 175/212] net: shaper: protect late read accesses to the hierarchy Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 176/212] net: shaper: protect from late creation of hierarchy Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 177/212] net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 178/212] icmp: fix NULL pointer dereference in icmp_tag_validation() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 179/212] MPTCP: fix lock class name family in pm_nl_create_listen_socket Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 180/212] hwmon: (pmbus/ina233) Add error check for pmbus_read_word_data() return value Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 181/212] hwmon: (pmbus/mp2975) " Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 182/212] hwmon: (pmbus/mp2869) Check pmbus_read_byte_data() before using its " Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 183/212] hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 184/212] USB: serial: f81232: fix incomplete serial port generation Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 185/212] i2c: cp2615: fix serial string NULL-deref at probe Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 186/212] i2c: fsi: Fix a potential leak in fsi_i2c_probe() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 187/212] i2c: pxa: defer reset on Armada 3700 when recovery is used Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 188/212] irqchip/riscv-rpmi-sysmsi: Fix mailbox channel leak in rpmi_sysmsi_probe() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 189/212] perf/x86/intel: Add missing branch counters constraint apply Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 190/212] perf/x86: Move event pointer setup earlier in x86_pmu_enable() Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 191/212] ring-buffer: Fix to update per-subbuf entries of persistent ring buffer Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 192/212] tracing: Fix failure to read user space from system call trace events Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 193/212] x86/platform/uv: Handle deconfigured sockets Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 194/212] tracing: Fix trace_marker copy link list updates Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 195/212] binfmt_elf_fdpic: fix AUXV size calculation for ELF_HWCAP3 and ELF_HWCAP4 Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 196/212] mtd: rawnand: serialize lock/unlock against other NAND operations Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 197/212] mtd: rawnand: brcmnand: skip DMA during panic write Greg Kroah-Hartman
2026-03-23 13:46 ` [PATCH 6.18 198/212] spi: amlogic: spifc-a4: Remove redundant clock cleanup Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 199/212] spi: amlogic-spisg: Fix memory leak in aml_spisg_probe() Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 200/212] drm/vmwgfx: Dont overwrite KMS surface dirty tracker Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 201/212] iommu/sva: Fix crash in iommu_sva_unbind_device() Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 202/212] drm/amd/display: Fix DisplayID not-found handling in parse_edid_displayid_vrr() Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 203/212] drm/amd: fix dcn 2.01 check Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 204/212] drm/bridge: dw-hdmi-qp: fix multi-channel audio output Greg Kroah-Hartman
2026-03-23 13:47 ` Greg Kroah-Hartman [this message]
2026-03-23 13:47 ` [PATCH 6.18 206/212] ksmbd: fix use-after-free in durable v2 replay of active file handles Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 207/212] drm/i915/gt: Check set_default_submission() before deferencing Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 208/212] fs/tests: exec: Remove bad test vector Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 209/212] lib/bootconfig: check xbc_init_node() return in override path Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 210/212] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 211/212] arm64: realm: Fix PTE_NS_SHARED for 52bit PA support Greg Kroah-Hartman
2026-03-23 13:47 ` [PATCH 6.18 212/212] hwmon: (max6639) Fix pulses-per-revolution implementation Greg Kroah-Hartman
2026-03-23 15:20 ` [PATCH 6.18 000/212] 6.18.20-rc1 review Brett A C Sheffield
2026-03-23 18:45 ` Peter Schneider
2026-03-23 20:49 ` Florian Fainelli
2026-03-23 22:06 ` Shuah Khan
2026-03-24 5:09 ` Jeffrin Thalakkottoor
2026-03-24 8:17 ` Ron Economos
2026-03-24 9:04 ` Jon Hunter
2026-03-24 9:53 ` Wentao Guan
2026-03-24 14:58 ` Mark Brown
2026-03-24 18:58 ` Dileep malepu
2026-03-25 1:04 ` Miguel Ojeda
2026-03-25 10:56 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260323134510.268059351@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=imv4bel@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox