Notices by Greg K-H (gregkh@social.kernel.org)

Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 04-Jun-2025 17:51:31 JST Greg K-H

My seat name tag for the EU CRA meeting today...
In conversation about 17 days ago from social.kernel.org permalink
Attachments
1. Untitled attachment
  https://media.social.kernel.org/media/1cf2ce6ef522658d5cb63bc5f08aea5490eaf1e358ee6e7b42cb290c17dbf3db.jpg
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 29-Apr-2025 22:06:15 JST Greg K-H

"Findings by static analyzers in Fedora 43" == "nonsense findings that someone wants someone else to wade through to weed out the obvious false-positives in their broken 'security' tool"

Someone needs to seriously reconsider this.

And yes, the tool is obviously broken, I looked at the first 3 "issues" found and just laughed, thinking this was a joke, but it seemed to actually be real, which is sad on so many levels...

{sigh}

In conversation about 2 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 29-Apr-2025 22:06:13 JST Greg K-H
in reply to
- Aho
@aho I wish, that might actually have spit out something useful...

In conversation about 2 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:31:07 JST Greg K-H

And for those curious, here’s the current stats for kernel CVEs reserved/assigned/rejected since we started just over a year ago:
Year Reserved Assigned Rejected A+R Total 2019: 47 2 1 3 50 2020: 36 14 0 14 50 2021: 20 728 23 751 771 2022: 20 1098 16 1114 1134 2023: 20 493 28 521 541 2024: 20 3067 84 3151 3171 2025: 1837 384 12 396 2233 Total: 2000 5786 164 5950 7950

In conversation about 2 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:31:06 JST Greg K-H
in reply to
- Greg K-H
More fun with CVE numbers:
=== CVEs Published Per Year === 2024: 4451 CVEs 2025: 1502 CVEs === CVEs Published in Last 6 Months === November 2024: 280 CVEs December 2024: 358 CVEs January 2025: 234 CVEs February 2025: 929 CVEs March 2025: 214 CVEs April 2025: 125 CVEs === Overall Averages === Average CVEs per month: 401.95 Average CVEs per week: 92.40 Average CVEs per day: 13.19 Statistics calculated from 2024-01-21 to 2025-04-16

In conversation about 2 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:19:21 JST Greg K-H

Given the news of the potential disruption of the CVE main server, I've reserved 1000 or so ids for the kernel now, which should last us a few weeks.

In conversation about 2 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:09:33 JST Greg K-H
in reply to
@sjvn @bagder @joshbressers @TheNewStack It's not a formal group within cve.org, just a semi-regular meeting of open source projects who are CNAs to discuss things about being a CNA.
In conversation about 3 months ago from social.kernel.org permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  cve-website
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:08:58 JST Greg K-H
in reply to
@joshbressers @sjvn @TheNewStack I'm with @badger Linux is a CNA to help fix the CVE process, and so far we have already achieved some change, more to hopefully come.

And the CRA is going to cause other software projects to come to terms with their reporting process, so becoming a CNA is a good step forward in the whole thing.

And besides, what open source project doesn't want to actually control what other people are saying about your project? Just this week we "took back" a CVE issued by a rogue CNA against Linux when they shouldn't have done so. If we weren't a CNA we would never have been able to do so at all.

In conversation about 3 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 27-Feb-2025 02:36:26 JST Greg K-H

Perl is now a CNA, able to assign their own CVE ids, this is great news!
https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html

Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this:
https://lfms25.sched.com/event/1urXE/take-control-over-your-projects-cve-entries-before-someone-else-does-greg-kroah-hartman-linux-foundation
In conversation about 4 months ago from social.kernel.org permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  CPANSec is CNA for Perl and the CPAN ecosystem
  
  from Stig Palmquist, Timothy Legge and Breno G. de Oliveira
  
  The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for projects in their scope.
2. Domain not in remote thumbnail source whitelist: lfms25.sched.com
  
  The Linux Foundation Member Summit 2025: Take Control Over Your Project's CVE Ent...
  
  View more about this event at The Linux Foundation Member Summit 2025
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Saturday, 15-Feb-2025 06:48:31 JST Greg K-H

While I don't know if is the first time this has happened, it's good to acknowledge this given all the crazy, odd, and incorrect press about Rust in Linux these days.

A new in-kernel api just landed in linux-next from my tree and should hopefully show up in 6.14 to make some kinds of drivers easier to write, that has a rust binding added at the exact same time:
https://lore.kernel.org/all/2025021023-sandstorm-precise-9f5d@gregkh/

Many thanks to Lyude and Danilo and many other Rust kernel developers for the help in creating the binding and make the C side work well for both Rust and C code at the same time. The end result here for any C developer alone, is much better off for all of their help.
In conversation about 4 months ago from social.kernel.org permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  [PATCH v4 0/9] Driver core: Add faux bus devices - Greg Kroah-Hartman
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 28-Jan-2025 15:09:36 JST Greg K-H
in reply to
- daniel:// stenberg://
@bagder Oh crap, yes, that does work on this model! It's even buried on the spec sheet if you read it close enough. It didn't on a previous model I had, so I'll blame that reason why I never tried this out. Ok, one less cable to carry around with me when traveling now, thanks!

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 27-Jan-2025 22:11:04 JST Greg K-H

Scariest cable I have that I actually use. It's a USB-C to Thinkpad "adapter" that I bought to power a thinkpad that shipped with a giant 135W brick-of-a-power-supply. This cable does work, but has the tendency to "overload" many USB chargers, causing them to reset. Fun times, but good for traveling so I don't have to lug the brick around with me as well.
In conversation about 5 months ago from social.kernel.org permalink
Attachments
1. Untitled attachment
  https://media.social.kernel.org/media/6f7f936f6cc23c13cf4f5862d2c7555dce2627cf7d5df9682c063d9af11d4ba8.png
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 21-Jan-2025 00:28:22 JST Greg K-H
in reply to
@alwayscurious @sima @sourcejedi That's one reason, the other one was "power just glitched, my printer better be on the same device node it was before it was turned off". Same for keyboards, mice, disks, etc.

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 21-Jan-2025 00:27:37 JST Greg K-H
in reply to
- 🐧sima🐧
- Demi Marie Obenour
@alwayscurious @sima "Normal" PCI hotplug systems should export this information, as the BIOS expects a user to add/remove PCI devices on a slot basis. Otherwise why would a BIOS care about exporting the slot number at all. So it's not required, and you are lucky if it shows up. good luck!

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Friday, 17-Jan-2025 00:46:34 JST Greg K-H
in reply to
- Josh Bressers
@joshbressers Linux is only #6? We better get on that to reclaim our 2nd ranked spot of last year despite only participating for 10 1/2 months, not the full 12 everyone else was able to have! :)

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 20:00:20 JST daniel:// stenberg://

#curl has been a CNA for a year now https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/
In conversation about 5 months ago from mastodon.social permalink Repeated by gregkh
Attachments
1. Domain not in remote thumbnail source whitelist: daniel.haxx.se
  
  curl is a CNA
  
  from Daniel Stenberg
  
  The curl project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities in all products directly made or managed by the project. If I'm counting correctly, we are the 351st CNA. The official announcement from Mitre states: curl is now a CVE Numbering Authority (CNA) for all products made and managed by the … Continue reading curl is a CNA →
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 15-Jan-2025 22:54:24 JST Greg K-H
in reply to
- K. Ryabitsev ????
@monsieuricon I wish someone would tell me the steps for CVE repair for the kernel so we don't have to keep making them up as we go along :)

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 13-Jan-2025 15:42:13 JST Greg K-H
in reply to
@alwayscurious @sima @sourcejedi Again, reuse of major/minor numbers was a design requirement at the time. And, you know the path / label / metadata / whatever for the block device before you mount it, so go off of that information if you don't trust the device major/minor number information.

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 13-Jan-2025 15:40:38 JST Greg K-H
in reply to
- 🐧sima🐧
- Demi Marie Obenour
@alwayscurious @sima PCI devices, at the bus/slot/function level do not have device nodes, so I don't understand the issue here.

They might have a specific PCI driver bound to them, at the function level, and if so, the parent of the device node for that class device (i.e. input, tty, drm, etc.) will then point to that PCI function. But PCI slots don't always match up to PCI bus and device numbers either, as that's a physical thing and many PCI systems don't expose or even know that information (i.e. the BIOS doesn't know.)

Also, PCI bus numbers can change at boot, so you can't know what is happening.

Driver probing can be deferred at any time by userspace for USB devices, and I think that was recently added for PCI devices too, look for the "trusted" device information in the documentation somewhere.

Good luck!

In conversation about 5 months ago from social.kernel.org permalink
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Sunday, 12-Jan-2025 18:46:58 JST Greg K-H
in reply to
- Aho
@aho Thanks for the info, I'll look into it when I get a chance! I've fixed my original problem for now, so odds are I'll live with it until something breaks again.

In conversation about 5 months ago from social.kernel.org permalink

Before

Public

Notices by Greg K-H (gregkh@social.kernel.org)

User actions

Following 0

Followers 0

Groups 0

Statistics

Feeds