lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YfT7JaD7N0AZRS59@kroah.com>
Date:   Sat, 29 Jan 2022 09:30:29 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Karol Herbst <kherbst@...hat.com>
Cc:     Alex Deucher <alexdeucher@...il.com>,
        Lyude Paul <lyude@...hat.com>,
        Zhou Qingyang <zhou1615@....edu>,
        David Airlie <airlied@...ux.ie>,
        nouveau <nouveau@...ts.freedesktop.org>,
        Kangjie Lu <kjlu@....edu>, LKML <linux-kernel@...r.kernel.org>,
        Maling list - DRI developers 
        <dri-devel@...ts.freedesktop.org>, Ben Skeggs <bskeggs@...hat.com>
Subject: Re: [PATCH] drm/nouveau/acr: Fix undefined behavior in
 nvkm_acr_hsfw_load_bl()

On Fri, Jan 28, 2022 at 08:57:56PM +0100, Karol Herbst wrote:
> On Fri, Jan 28, 2022 at 8:54 PM Alex Deucher <alexdeucher@...il.com> wrote:
> >
> > On Fri, Jan 28, 2022 at 2:20 PM Lyude Paul <lyude@...hat.com> wrote:
> > >
> > > Sigh-thank you for catching this - I had totally forgot about the umn.edu ban.
> > > I pushed this already but I will go ahead and send a revert for this patch.
> > > Will cc you on it as well.
> >
> > This seems short-sighted.  If the patch is valid I see no reason to
> > not accept it.  I'm not trying to downplay the mess umn got into, but
> > as long as the patch is well scrutinized and fixes a valid issue, it
> > should be applied rather than leaving potential bugs in place.
> >
> > Alex
> >
> 
> Even though knowing that malicious code can be introduced via
> perfectly fine looking patches, and sometimes one will never spot the
> problem, this patch isn't all that bad tbh.
> 
> So should we reject patches out of "policies" or should we just be
> extra careful? But not addressing the concerns as Greg pointed out is
> also kind of a bad move, but also not knowing what the state of
> resolving this mess is anyway.

If you think the change is correct, and are willing to sign off on it,
that's fine for now.

The big issue here is that the umn.edu "researchers" are not folling the
very basic and simple proceedures that we worked to set up with them,
and have resumed sending buggy patches to the kernel community.  If you
think this one is not a problem, then feel free to keep it.

As I just now told their administration, it is very difficult to tell
malice from incompetence.  If this is malice, then we need to defend our
community.  If this is just incompetence, then the university has to
handle that as the contributions are coming in their name, _and_ we also
need to defend from that.  What we have tried in the past for this group
is obviously not working, so we now will need to do something else.

{sigh}

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ