Five vulnerabilities found, fixed, and merged through the standard maintainer process. io_uring/zcrx (a user_ref race producing a double-free that escalated to an OOB write), net/tipc, Bluetooth, RDMA/ionic, and net/rtnetlink. No drama, no out-of-tree patches — just the slow path: report, debug, propose, iterate, merge.
Most of these started by reading what syzbot already found and looking at the surrounding subsystem with a bit more care. The kernel community has the world's best fuzzer pointing at it 24/7. The job is filling in the part the fuzzer can't reason about — the lifecycle and protocol logic between crashes.
QEMU + kernel-under-test + a minimal initramfs. Faster iteration, no kernel panics on the development laptop, easier to share a reproducer with the maintainer.
If you have a patch ready when you report, the maintainer's job is review instead of triage. The fix lands faster and you don't end up arguing about scope with someone who has 200 other things to do.
Commit messages describe what the patch does and why, not how cool the bug is. The maintainer cares about the diff, not the marketing.
Six writeups with dedicated quick-facts, FAQ, and references — for engineers landing here from a search for the CVE itself.