Notices by Greg K-H (gregkh@social.kernel.org)
-
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 29-Apr-2025 22:06:15 JST 
Greg K-H
"Findings by static analyzers in Fedora 43" == "nonsense findings that someone wants someone else to wade through to weed out the obvious false-positives in their broken 'security' tool"
Someone needs to seriously reconsider this.
And yes, the tool is obviously broken, I looked at the first 3 "issues" found and just laughed, thinking this was a joke, but it seemed to actually be real, which is sad on so many levels...
{sigh} -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 29-Apr-2025 22:06:13 JST
Greg K-H
@aho I wish, that might actually have spit out something useful... -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:31:07 JST
Greg K-H
And for those curious, here’s the current stats for kernel CVEs reserved/assigned/rejected since we started just over a year ago:
Year Reserved Assigned Rejected A+R Total 2019: 47 2 1 3 50 2020: 36 14 0 14 50 2021: 20 728 23 751 771 2022: 20 1098 16 1114 1134 2023: 20 493 28 521 541 2024: 20 3067 84 3151 3171 2025: 1837 384 12 396 2233 Total: 2000 5786 164 5950 7950 -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:31:06 JST
Greg K-H
More fun with CVE numbers:
=== CVEs Published Per Year === 2024: 4451 CVEs 2025: 1502 CVEs === CVEs Published in Last 6 Months === November 2024: 280 CVEs December 2024: 358 CVEs January 2025: 234 CVEs February 2025: 929 CVEs March 2025: 214 CVEs April 2025: 125 CVEs === Overall Averages === Average CVEs per month: 401.95 Average CVEs per week: 92.40 Average CVEs per day: 13.19 Statistics calculated from 2024-01-21 to 2025-04-16 -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 16-Apr-2025 16:19:21 JST
Greg K-H
Given the news of the potential disruption of the CVE main server, I've reserved 1000 or so ids for the kernel now, which should last us a few weeks. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:09:33 JST
Greg K-H
@sjvn @bagder @joshbressers @TheNewStack It's not a formal group within cve.org, just a semi-regular meeting of open source projects who are CNAs to discuss things about being a CNA. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 03-Apr-2025 04:08:58 JST
Greg K-H
@joshbressers @sjvn @TheNewStack I'm with @badger Linux is a CNA to help fix the CVE process, and so far we have already achieved some change, more to hopefully come.
And the CRA is going to cause other software projects to come to terms with their reporting process, so becoming a CNA is a good step forward in the whole thing.
And besides, what open source project doesn't want to actually control what other people are saying about your project? Just this week we "took back" a CVE issued by a rogue CNA against Linux when they shouldn't have done so. If we weren't a CNA we would never have been able to do so at all. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Thursday, 27-Feb-2025 02:36:26 JST
Greg K-H
Perl is now a CNA, able to assign their own CVE ids, this is great news!
https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html
Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this:
https://lfms25.sched.com/event/1urXE/take-control-over-your-projects-cve-entries-before-someone-else-does-greg-kroah-hartman-linux-foundation -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Saturday, 15-Feb-2025 06:48:31 JST
Greg K-H
While I don't know if is the first time this has happened, it's good to acknowledge this given all the crazy, odd, and incorrect press about Rust in Linux these days.
A new in-kernel api just landed in linux-next from my tree and should hopefully show up in 6.14 to make some kinds of drivers easier to write, that has a rust binding added at the exact same time:
https://lore.kernel.org/all/2025021023-sandstorm-precise-9f5d@gregkh/
Many thanks to Lyude and Danilo and many other Rust kernel developers for the help in creating the binding and make the C side work well for both Rust and C code at the same time. The end result here for any C developer alone, is much better off for all of their help. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 28-Jan-2025 15:09:36 JST
Greg K-H
@bagder Oh crap, yes, that does work on this model! It's even buried on the spec sheet if you read it close enough. It didn't on a previous model I had, so I'll blame that reason why I never tried this out. Ok, one less cable to carry around with me when traveling now, thanks! -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 27-Jan-2025 22:11:04 JST
Greg K-H
Scariest cable I have that I actually use. It's a USB-C to Thinkpad "adapter" that I bought to power a thinkpad that shipped with a giant 135W brick-of-a-power-supply. This cable does work, but has the tendency to "overload" many USB chargers, causing them to reset. Fun times, but good for traveling so I don't have to lug the brick around with me as well. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 21-Jan-2025 00:28:22 JST
Greg K-H
@alwayscurious @sima @sourcejedi That's one reason, the other one was "power just glitched, my printer better be on the same device node it was before it was turned off". Same for keyboards, mice, disks, etc. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Tuesday, 21-Jan-2025 00:27:37 JST
Greg K-H
@alwayscurious @sima "Normal" PCI hotplug systems should export this information, as the BIOS expects a user to add/remove PCI devices on a slot basis. Otherwise why would a BIOS care about exporting the slot number at all. So it's not required, and you are lucky if it shows up. good luck! -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Friday, 17-Jan-2025 00:46:34 JST
Greg K-H
@joshbressers Linux is only #6? We better get on that to reclaim our 2nd ranked spot of last year despite only participating for 10 1/2 months, not the full 12 everyone else was able to have! :) -
Embed this notice
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 20:00:20 JST 
daniel:// stenberg://
#curl has been a CNA for a year now https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/
-
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Wednesday, 15-Jan-2025 22:54:24 JST
Greg K-H
@monsieuricon I wish someone would tell me the steps for CVE repair for the kernel so we don't have to keep making them up as we go along :) -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 13-Jan-2025 15:42:13 JST
Greg K-H
@alwayscurious @sima @sourcejedi Again, reuse of major/minor numbers was a design requirement at the time. And, you know the path / label / metadata / whatever for the block device before you mount it, so go off of that information if you don't trust the device major/minor number information. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Monday, 13-Jan-2025 15:40:38 JST
Greg K-H
@alwayscurious @sima PCI devices, at the bus/slot/function level do not have device nodes, so I don't understand the issue here.
They might have a specific PCI driver bound to them, at the function level, and if so, the parent of the device node for that class device (i.e. input, tty, drm, etc.) will then point to that PCI function. But PCI slots don't always match up to PCI bus and device numbers either, as that's a physical thing and many PCI systems don't expose or even know that information (i.e. the BIOS doesn't know.)
Also, PCI bus numbers can change at boot, so you can't know what is happening.
Driver probing can be deferred at any time by userspace for USB devices, and I think that was recently added for PCI devices too, look for the "trusted" device information in the documentation somewhere.
Good luck! -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Sunday, 12-Jan-2025 18:46:58 JST
Greg K-H
@aho Thanks for the info, I'll look into it when I get a chance! I've fixed my original problem for now, so odds are I'll live with it until something breaks again. -
Embed this notice
Greg K-H (gregkh@social.kernel.org)'s status on Sunday, 12-Jan-2025 18:45:56 JST
Greg K-H
@alwayscurious @sima @sourcejedi That ship sailed decades ago as we had to support device node reuse a long time ago, it was a requirement! But obviously not your requirement :)
You have full control over device node creation in userspace, that's what udev gives you if you want (or any udev-like program). set up a whole different /dev/ with just your naming/numbering scheme. The kernel gives you the interface and the information to do this, why not take advantage of it if you need it?
All GNU social JP content and data are available under the