Linux Kernel 7.1.2, 6.18.37, and the final 7.0.14 release are now available, with 7.0.14 marking the end-of-life for the 7.0 branch. The update includes a significant revert of an NFS server patch that broke unmount operations by incorrectly deferring cleanup callbacks, restoring synchronous behavior to fix the regression. Security and stability improvements cover ksmbd session validation, virtiofs use-after-free crashes, and bounds checks added to IIO drivers to prevent out-of-bounds access. 

Linux Kernel 7.1.2, 7.0.14, and 6.18.37 Release Brings Critical Fixes and a Major NFSD Revert

Greg Kroah-Hartman has pushed out the latest stable updates: Linux Kernel 7.1.2, version 6.18.37, and the final 7.0.14 release before the 7.0 tree hits end-of-life. If you're still on the 7.0 branch, you'll want to plan an upgrade immediately. The 7.0.14 point release is the last gasp for that development line.

On top of the standard stream of bug fixes, this update carries a significant functional revert for NFS server users, closes several high-impact use-after-free paths, and hardens drivers against fault injection. You can grab the tarballs and patches from the standard Linux kernel FTP site starting today.

NFSD Revert and Security Hardening

The headline change for filesystem stability is a revert in the NFS server. Yang Erkun has restored synchronous cleanup in svc_export_put(), undoing a previous patch that tried to defer path_put() and auth_domain_put() calls. That deferral was intended to close a use-after-free in e_show() and c_show(), but discussion shows neither the diagnosis nor the remedy survives review.

The teardown was already RCU-deferred, so the synchronous form was never unsafe. Worse, the deferral introduced a regression where mount references lingered after exportfs -r dropped the last cache reference. That left umount failing with EBUSY. The revert brings back the synchronous cleanup and the call_rcu()/kfree_rcu() free of containing structures, while preserving the unrelated fix for ex_uuid and ex_stats access.

Security-wise, the ksmbd driver gets a critical hardening patch. Gil Portnoy closes a path where a crafted NTLM Type-1 blob in a compound request could bypass session validation. The driver was reusing a session bound by the first operation without re-checking the state, allowing a SESSION_SETUP with an IN_PROGRESS session to slip through to a TREE_CONNECT. That path would dereference a NULL user_name, wedging the ksmbd worker for all clients. The patch now rejects any non-first compound operation on a session that isn't SMB2_SESSION_VALID.

Virtio and fuse users also see stability wins. Miklos Szeredi patches a use-after-free in virtiofs submount umount. The crash occurred when num_waiting went down to zero prematurely, allowing iput() to Oops if the super block had already been destroyed. By reverting to synchronous release requests for auto_submounts, the driver avoids the crash. Fuse isn't far behind; Joanne Koong re-locks the request before replacing the page cache folio. Without this, fuse_chan_abort() could free the fuse_io_args while copy logic was still running.

Driver Hardening and Cleanup

Sam Daly has added bounds checks to two IIO drivers that were vulnerable to out-of-bounds array accesses. The TI ADS1298 ADC and VEML6075 light sensor can yield reserved values that exceed array limits. These patches guard against fault devices, missprogramming, or bus corruption. Not bad for a day's work.

Serial drivers get some love too. Stepan Ionichev fixes a use-after-free hazard in 8250_dw where the port stays registered if clock notifier registration fails. The port slot remained occupied until a reboot, referencing freed driver data. Viken Dadhaniya patches a RX DMA stall in qcom_geni when the length register hits zero, which previously caused the handler to drop out of the rearm path and lose input.

Giovanni Cabiddu removes the unused character device and IOCTLs from the Intel QAT crypto driver. The interface isn't in any public uAPI header and has no known in-tree or out-of-tree users. Device lifecycle is already managed via sysfs. Dropping the character device, the IOCTL definitions, and related data structures shrinks the attack surface. Gabriel Krisman Bertazi also trims io_uring's connect and bind ops. The code was wasting memory by allocating a full msghdr object when a sockaddr would do. The fix avoids the leak and skips the unnecessary allocation.

The 7.0 series hits EOL with 7.0.14. If you're running that branch, the clock is ticking. You can check your version with uname -r and head here for upgrade instructions.

Linux kernel 7.1.2 released

Linux kernel version 7.1.2 is now available:

Full source: https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.2.tar.xz
Patch: https://cdn.kernel.org/pub/linux/kernel/v7.x/patch-7.1.2.xz
PGP Signature: https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.2.tar.sign

You can view the summary of the changes at the following URL:
https://git.kernel.org/stable/ds/v7.1.2/v7.1.1

Linux kernel 7.0.14 released

Linux kernel version 7.0.14 (EOL) is now available:

Full source: https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.0.14.tar.xz
Patch: https://cdn.kernel.org/pub/linux/kernel/v7.x/patch-7.0.14.xz
PGP Signature: https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.0.14.tar.sign

You can view the summary of the changes at the following URL:
https://git.kernel.org/stable/ds/v7.0.14/v7.0.13

Linux kernel 6.18.37 released

Linux kernel version 6.18.37 is now available:

Full source: https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.37.tar.xz
Patch: https://cdn.kernel.org/pub/linux/kernel/v6.x/patch-6.18.37.xz
PGP Signature: https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.37.tar.sign

You can view the summary of the changes at the following URL:
https://git.kernel.org/stable/ds/v6.18.37/v6.18.36