<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/Documentation/process/security-bugs.rst, branch v7.1-rc5</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc5</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc5'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-14T12:23:06+00:00</updated>
<entry>
<title>docs: security-bugs: add a link to the threat-model documentation</title>
<updated>2026-05-14T12:23:06+00:00</updated>
<author>
<name>Jonathan Corbet</name>
<email>corbet@lwn.net</email>
</author>
<published>2026-05-13T20:51:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=561458db0d6b08b4e4956c6e4456d7781b18676f'/>
<id>urn:sha1:561458db0d6b08b4e4956c6e4456d7781b18676f</id>
<content type='text'>
Rather than make readers search for this document, just add a link to it where
it is referenced.

(While I was at it, I removed the unused and unneeded _threatmodel label
from the top of threat-model.rst).

Acked-by: Willy Tarreau &lt;w@1wt.eu&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
</content>
</entry>
<entry>
<title>Documentation: security-bugs: clarify requirements for AI-assisted reports</title>
<updated>2026-05-12T17:09:14+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-05-09T09:47:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4bf85afb9f3ecd7c3b5d15a85b0902f8e725cd06'/>
<id>urn:sha1:4bf85afb9f3ecd7c3b5d15a85b0902f8e725cd06</id>
<content type='text'>
AI tools are increasingly used to assist in bug discovery. While these
tools can identify valid issues, reports that are submitted without
manual verification often lack context, contain speculative impact
assessments, or include unnecessary formatting. Such reports increase
triage effort, waste maintainers' time and may be ignored.

Reports where the reporter has verified the issue and the proposed fix
typically meet quality standards. This documentation outlines specific
requirements for length, formatting, and impact evaluation to reduce
the effort needed to deal with these reports.

Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Reviewed-by: Leon Romanovsky &lt;leon@kernel.org&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
Message-ID: &lt;20260509094755.2838-4-w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>Documentation: security-bugs: explain what is and is not a security bug</title>
<updated>2026-05-12T17:09:14+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-05-09T09:47:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a03ef333fbd6cd861c8457c3d055ee3643a9baad'/>
<id>urn:sha1:a03ef333fbd6cd861c8457c3d055ee3643a9baad</id>
<content type='text'>
The use of automated tools to find bugs in random locations of the kernel
induces a rise of security reports even if most of them should just be
reported as regular bugs. This patch is an attempt at drawing a line
between what qualifies as a security bug and what does not, hoping to
improve the situation and ease decision on the reporter's side.

It defers the enumeration to a new file, threat-model.rst, that tries
to enumerate various classes of issues that are and are not security
bugs. This should make it easier to update this file for various
subsystem-specific rules without having to revisit the security bug
reporting guide.

Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Leon Romanovsky &lt;leon@kernel.org&gt;
Suggested-by: Leon Romanovsky &lt;leon@kernel.org&gt;
Suggested-by: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Reviewed-by: Leon Romanovsky &lt;leon@kernel.org&gt;
Reviewed-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
Message-ID: &lt;20260509094755.2838-3-w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>Documentation: security-bugs: do not systematically Cc the security team</title>
<updated>2026-05-12T17:09:14+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-05-09T09:47:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=aed3c3346765e4317bb2ec6ff872e1c952e128ab'/>
<id>urn:sha1:aed3c3346765e4317bb2ec6ff872e1c952e128ab</id>
<content type='text'>
With the increase of automated reports, the security team is dealing
with way more messages than really needed. The reporting process works
well with most teams so there is no need to systematically involve the
security team in reports.

Let's suggest keeping it for small lists of recipients and new reporters
only. This should continue to cover the risk of lost messages while
reducing the volume from prolific reporters.

Cc: Greg KH &lt;gregkh@linuxfoundation.org&gt;
Cc: Leon Romanovsky &lt;leon@kernel.org&gt;
Reviewed-by: Leon Romanovsky &lt;leon@kernel.org&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
Message-ID: &lt;20260509094755.2838-2-w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>Documentation: fix two typos in latest update to the security report howto</title>
<updated>2026-04-04T08:38:43+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-04-04T08:20:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f387e2e2b9d302688dbdceebe9aade221c90f09e'/>
<id>urn:sha1:f387e2e2b9d302688dbdceebe9aade221c90f09e</id>
<content type='text'>
In previous patch "Documentation: clarify the mandatory and desirable
info for security reports" I left two typos that I didn't detect in local
checks. One is "get_maintainers.pl" (no 's' in the script name), and the
other one is a missing closing quote after "Reported-by", which didn't
have effect here but I don't know if it can break rendering elsewhere
(e.g. on the public HTML page). Better fix it before it gets merged.

Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Link: https://patch.msgid.link/20260404082033.5160-1-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Documentation: clarify the mandatory and desirable info for security reports</title>
<updated>2026-04-03T11:11:23+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-04-03T06:20:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=496fa1befba1e8ff149af5120cd9c9616bb05120'/>
<id>urn:sha1:496fa1befba1e8ff149af5120cd9c9616bb05120</id>
<content type='text'>
A significant part of the effort of the security team consists in begging
reporters for patch proposals, or asking them to provide them in regular
format, and most of the time they're willing to provide this; they just
didn't know that it would help. So let's add a section detailing the
required and desirable contents in a security report to help reporters
write more actionable reports which do not require round trips.

Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Greg KH &lt;greg@kroah.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Link: https://patch.msgid.link/20260403062018.31080-4-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Documentation: explain how to find maintainers addresses for security reports</title>
<updated>2026-04-03T11:11:23+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-04-03T06:20:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a72b832a482372001a158c8014d116b053089b5d'/>
<id>urn:sha1:a72b832a482372001a158c8014d116b053089b5d</id>
<content type='text'>
These days, 80% of the work done by the security team consists in
locating the affected subsystem in a report, running get_maintainers on
it, forwarding the report to these persons and responding to the reporter
with them in Cc. This is a huge and unneeded overhead that we must try to
lower for a better overall efficiency. This patch adds a complete section
explaining how to figure out the list of recipients to send the report to.

Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Greg KH &lt;greg@kroah.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Link: https://patch.msgid.link/20260403062018.31080-3-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Documentation: minor updates to the security contacts</title>
<updated>2026-04-03T11:11:23+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2026-04-03T06:20:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f2b1cbef153636fa498324b47e822e8b4d1774aa'/>
<id>urn:sha1:f2b1cbef153636fa498324b47e822e8b4d1774aa</id>
<content type='text'>
This clarifies the fact that the bug reporters must use a valid
e-mail address to send their report, and that the security team
assists developers working on a fix but doesn't always produce
fixes on its own.

Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Greg KH &lt;greg@kroah.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Link: https://patch.msgid.link/20260403062018.31080-2-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Documentation: insist on the plain-text requirement for security reports</title>
<updated>2025-12-22T22:32:03+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2025-11-29T14:17:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ceddb2c001d9f22fd3712dc0425c3a15bc504461'/>
<id>urn:sha1:ceddb2c001d9f22fd3712dc0425c3a15bc504461</id>
<content type='text'>
As the trend of AI-generated reports is growing, the trend of unreadable
reports in gimmicky formats is following, and we cannot request that
developers rely on online viewers to be able to read a security report
full of formatting tags. Let's just insist on the plain text requirement
a bit more.

Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
Reviewed-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
Message-ID: &lt;20251129141741.19046-1-w@1wt.eu&gt;
</content>
</entry>
<entry>
<title>Documentation: smooth the text flow in the security bug reporting process</title>
<updated>2025-08-17T10:23:30+00:00</updated>
<author>
<name>Willy Tarreau</name>
<email>w@1wt.eu</email>
</author>
<published>2025-08-14T19:27:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3a68841d1d9b6eb32b2652bbb83acd17d5eb9135'/>
<id>urn:sha1:3a68841d1d9b6eb32b2652bbb83acd17d5eb9135</id>
<content type='text'>
The text was presenting the team, the e-mail address, then some of
the expectations, then what form of e-mail is expected. By switching
the e-mail paragraph two paragraphs later and dropping the "Contact"
sub-section, we can have a more natural flow that presents the team,
then its expectation, then how to best contribute, then where to send.

And more importantly, it increases the chances that reporters have read
the prerequisites before finding the e-mail address.

Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
Reviewed-by: Kees Cook &lt;kees@kernel.org&gt;
Link: https://lore.kernel.org/r/20250814192730.19252-2-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
