lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK8Kejo6p57u8tz1rnV5bhQVO_vz-p1nCsc_G=EvEr1u3FUP9g@mail.gmail.com>
Date:   Sat, 29 Jan 2022 09:19:18 -0600
From:   Kangjie Lu <kjlu@....edu>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Karol Herbst <kherbst@...hat.com>,
        Alex Deucher <alexdeucher@...il.com>,
        Lyude Paul <lyude@...hat.com>,
        Zhou Qingyang <zhou1615@....edu>,
        David Airlie <airlied@...ux.ie>,
        nouveau <nouveau@...ts.freedesktop.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Maling list - DRI developers 
        <dri-devel@...ts.freedesktop.org>, Ben Skeggs <bskeggs@...hat.com>
Subject: Re: [PATCH] drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()

Hi,Greg,

On Sat, Jan 29, 2022 at 8:47 AM Greg KH <gregkh@...uxfoundation.org> wrote:
>
> On Sat, Jan 29, 2022 at 08:18:55AM -0600, Kangjie Lu wrote:
> > On Fri, Jan 28, 2022 at 1:58 PM Karol Herbst <kherbst@...hat.com> wrote:
> > >
> > > On Fri, Jan 28, 2022 at 8:54 PM Alex Deucher <alexdeucher@...il.com> wrote:
> > > >
> > > > On Fri, Jan 28, 2022 at 2:20 PM Lyude Paul <lyude@...hat.com> wrote:
> > > > >
> > > > > Sigh-thank you for catching this - I had totally forgot about the umn.edu ban.
> > > > > I pushed this already but I will go ahead and send a revert for this patch.
> > > > > Will cc you on it as well.
> > > >
> > > > This seems short-sighted.  If the patch is valid I see no reason to
> > > > not accept it.  I'm not trying to downplay the mess umn got into, but
> > > > as long as the patch is well scrutinized and fixes a valid issue, it
> > > > should be applied rather than leaving potential bugs in place.
> > > >
> > > > Alex
> > > >
> > >
> > > Even though knowing that malicious code can be introduced via
> > > perfectly fine looking patches, and sometimes one will never spot the
> > > problem, this patch isn't all that bad tbh.
> > >
> > > So should we reject patches out of "policies" or should we just be
> > > extra careful? But not addressing the concerns as Greg pointed out is
> > > also kind of a bad move, but also not knowing what the state of
> > > resolving this mess is anyway.
> >
> >
> > Seeing some discussion here, I feel I owe you some quick updates on
> > the state. We sent three testing patches in August 2020, which is a
> > serious mistake. We never did that again and will never do that again.
> > All other patches including recent ones were sent to fix real bugs,
> > not to introduce problems. Clearly, although most of the patches are
> > valid, some patches are still not good enough, but it is not about
> > malice. Fixing bugs in Linux isn't an easy task and takes so much
> > effort.
> >
> > We did not ignore the concerns pointed out by Greg, and have seriously
> > taken some actions. For example, we explained how our static-analysis
> > tool found the bugs, and members in my research group have internally
> > cross-reviewed the found bugs. We sent these patches after contacting
> > Greg---I thought Greg allowed us to send patches, but also requested
> > us to work on the last process with our administration.
>
> I do not recall saying anything like this at all.

I was referring to an email back to 11/13/2021 where you said
"some memory allocation checks are not ever going to be "resolved" as they are
not "real world" issues. So be aware of that when proposing patches
for these issues."

I optimistically interpreted this as, "you can still submit patches,
but I will personally ignore them". This turns out to be a
misunderstanding. I am sorry for that.

>
> On January 4, I wrote to you and your coworkers on the mailing list
> message https://lore.kernel.org/r/YdQfCGf8qr5zZJef@kroah.com by saying:
>
>         Note that your university is still in many kernel maintainer's
>         ignore-list (myself included, I dug this up as I saw Fei's response.)
>         Please work with your administration and the process that is currently
>         happening in order to give you all the needed training so you will not
>         keep causing these types of basic errors that keep your patches from
>         being accepted.
>
>         *plonk*
>
> And then later in a private email to you on January 5 where you emailed
> Kees and me to try to see if you were allowed to start sending patches
> again, I said:
>
>         A kernel developer with lots of experience has already offered to work
>         with your university.  Hopefully that process has already started, if
>         not, I suggest contacting your administration as they should know who
>         this is.
>
> and then I closed with:
>
>         Right now you all are still on my "ignore email" lists for patches.
>
> The patches recently submitted have been shown to be incomplete and in
> some places, completely wrong.  I have contacted your administration
> about this issue because they asked to know if there were any problems
> in the future at our last discussion.  In that response today, I wrote:
>
>         I know that incompetence can often times be hard to distinguish from
>         malice, but given the track-record here, we are now going to have to
>         treat this as malice.  If it is just incompetence, well, that's
>         something that your organization needs to overcome.
>
>         Either way, this is not something that the Linux kernel community should
>         be forced to endure.
>
> So to be explicit, so you do not misunderstand me somehow:
>
>         No more patches from umn.edu should be accepted into the Linux
>         kernel until further public notice.

This is clear to me.

> They should be considered a
>         "bad actor" given their prior history of submissions and lack of
>         complying with the kernel community's prior requirements to
>         them.

I am sorry for the delay of the last process which is unfortunately
not under the control of the researchers. According to our
administration, the process has started and is moving forward. I hope
that can be done soon.

Thanks.

>
> Is this understood?
>
> greg k-h



-- 
Kangjie Lu
Assistant Professor
Department of Computer Science and Engineering
University of Minnesota
https://www-users.cs.umn.edu/~kjlu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ