Posts by gregkh@social.kernel.org
(DIR) Post #AwS0izPp9uIgOwMsVs by gregkh@social.kernel.org
2025-07-24T07:00:06.386009Z
1 likes, 0 repeats
Saving this here to use later. As seen in the comments on yet-another-ai story on Lobsters: "How could you claim to have a neutral, informed opinion on LLMs without signing up for a bunch of subscriptions and constantly talking to the liar machine to see if it told a truth today?"
(DIR) Post #AwcLsh2WeGXwHKGKCe by gregkh@social.kernel.org
2025-07-29T06:07:38.469758Z
0 likes, 2 repeats
Looks like the risc-v community is learning from history! Hopefully this results in more upstream development efforts: https://riscv.org/blog/2025/07/risc-v-upstreaming/
(DIR) Post #Ay4DgzduGTGnjq91l2 by gregkh@social.kernel.org
2025-09-10T14:39:02.831460Z
0 likes, 1 repeats
Pro tip, when sending a bug to the kernel security team, and it's reviewed and shown to not actually be a bug at all due to the report being "written" by an LLM which can't actually parse C very well, don't proceed to "curse" the reviewer for pointing this out. {sigh}
(DIR) Post #Ay5P4J0hiPq77X5R7Q by gregkh@social.kernel.org
2025-09-11T05:01:47.291745Z
1 likes, 0 repeats
@msw @jacques @bagder I have no problem adding additional data like "This config option means you will not be vulnerable" to our records today, if people want to submit that information to us. We take patches and additions to the kernel cve.org records on a weekly basis from vendors that work to narrow down affected kernel ranges and add additional references. So we could do what you want today, no changes to anything that cve.org does right now would be needed, just send us a patch! But that was not what was being proposed at all, unfortunately.
(DIR) Post #Ay7pdGx2LiivzgcpXc by gregkh@social.kernel.org
2025-09-12T08:40:12.942252Z
1 likes, 0 repeats
Some days it's great to get a patch series like this in your inbox: https://lore.kernel.org/all/20250912081718.3827390-1-tzungbi@kernel.org/ implementing a feature to resolve so many reference count issues that a number of us kernel developers have been grumbling about for years. Bonus is that it "looks like" the pattern that the Rust implementation in the kernel uses, so switching between the two languages shouldn't be that difficult as the terminology and usage is not so different.
(DIR) Post #AymG5Z5TpfWL7xbVNA by gregkh@social.kernel.org
2025-10-01T20:38:57.339657Z
1 likes, 0 repeats
Benchmarking the different machines in my office with the wonderful kcbench: http://www.kroah.com/log/blog/2025/10/01/the-only-benchmark-that-matters-is.../
(DIR) Post #AynL4sVCrA41yt5Zcu by gregkh@social.kernel.org
2025-10-02T09:45:01.768596Z
1 likes, 0 repeats
@ncopa You do NOT want to see the kcbench results for the riscv system I have here, it's so sad it's not even funny. So sad I haven't even powered it on in a few months, it's pretty much useless :(
(DIR) Post #B0nqReE3Sfy2QdCa4e by gregkh@social.kernel.org
2025-12-01T11:15:36.366372Z
1 likes, 0 repeats
As pointed out on an irc channel, yet another example of kernel developers having to do crazy things to paper over hardware bugs: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f076ef44a44d02ed91543f820c14c2c7dff53716
(DIR) Post #B0s8PKh1gjYz4pdeNM by gregkh@social.kernel.org
2025-12-03T12:58:24.781358Z
1 likes, 0 repeats
The last 5.4.y kernel release has now happened: https://lore.kernel.org/all/2025120319-blip-grime-93e8@gregkh/

Please don't use this branch anymore, it's really old, and pretty obsolete, and has over 1500 unfixed CVEs in it: https://lore.kernel.org/all/2025120358-skating-outage-7c61@gregkh/

And if you are stuck with that kernel version for some reason, go ask your vendor to fix those 1500+ CVEs, otherwise you are paying for support that doesn't actually do anything for you...
(DIR) Post #B13rvmsH4xLIQHJCIy by gregkh@social.kernel.org
2025-12-09T04:43:28.440416Z
1 likes, 0 repeats
Starting to write up a series of articles about the Linux kernel CVE work that has happened in the past 2 years, starting with some "back to basics" information about how Linux kernels are numbered, as many people/companies really don't know how we do this, and it matters a lot in tracking bugfixes and how to determine "vulnerable" and "fixed" kernel releases:

http://www.kroah.com/log/blog/2025/12/08/linux-cves-more-than-you-ever-wanted-to-know/

and

http://www.kroah.com/log/blog/2025/12/09/linux-kernel-version-numbers/
(DIR) Post #B1HD0Dv15wyZY91jPs by gregkh@social.kernel.org
2025-12-15T15:19:44.474796Z
0 likes, 1 repeats
Two different ways to help track kernel commits across the different kernel branches, depending on your use case (bash + big git repo, or binary + sqlite db). I use them both on a daily basis: http://www.kroah.com/log/blog/2025/12/15/tracking-kernel-commits-across-branches/
(DIR) Post #B1JS3kjpPsMxppr2XI by gregkh@social.kernel.org
2025-12-16T16:09:42.836556Z
1 likes, 2 repeats
Rust is not a "silver bullet" that can solve all security problems, but it sure helps out a lot and will cut out huge swaths of Linux kernel vulnerabilities as it gets used more widely in our codebase.

That being said, we just assigned our first CVE for some Rust code in the kernel: https://lore.kernel.org/all/2025121614-CVE-2025-68260-558d@gregkh/ where the offending issue just causes a crash, not the ability to take advantage of the memory corruption, a much better thing overall.

Note the other 159 kernel CVEs issued today for fixes in the C portion of the codebase, so as always, everyone should be upgrading to newer kernels to remain secure overall.
(DIR) Post #B1iTOCbyiaTjRsFbk0 by gregkh@social.kernel.org
2025-12-28T12:29:17.160303Z
0 likes, 0 repeats
The kernel CNA assigned their 10000th CVE last week, CVE-2025-68750

So far the “stats” look like:

Year    Reserved  Assigned  Rejected    A+R  Returned  Total
2019:          0         2         1      3        47     50
2020:          0        17         0     17        33     50
2021:          0       732        24    756        16    772
2022:          3      2041        47   2088         0   2091
2023:          1      1464        47   1511         0   1512
2024:          6      3069        96   3165         0   3171
2025:         73      2421        39   2460         0   2533
Total:        83      9746       254  10000        96  10179

Note, the “year” is the year the bug was fixed in the kernel tree, NOT the year the CVE was applied for/assigned.
(DIR) Post #B24O6veixWt0hLuhNI by gregkh@social.kernel.org
2026-01-08T07:20:26.400095Z
0 likes, 0 repeats
@manx @bagder It does not take longer than that, it's a "simple" api call (i.e. a scripted curl command) that any CNA can do to get a CVE number, and you can allocate any amount at once (within reason, CNAs have a max they are allowed to request and "hold" without assigning at any point in time, usually around 500 or so.)
(DIR) Post #B2oPL9v9CCvLGzCIlc by gregkh@social.kernel.org
2026-01-30T08:48:33.969477Z
1 likes, 0 repeats
Prediction for the potential future:

When the AI coding agent companies are just about to run out of money, down to their last few % raised as none of their customers are actually paying the real cost required to run these services, they pivot and take all of the uploaded code that was willingly sent to them, turn it into thousands of products / services to sell / rent, disconnect the public api endpoints leaving their old customers helpless as they no longer remember how to program "in the raw" and can not understand their own codebases, and compete directly against them, putting their own customers all out of business, which finally results in a positive income stream and "validation" of the coding agent companies' previously over-hyped business valuations.

"But copyright law will prevent this!" you say...
(DIR) Post #B2qKijqnfGbjugVZ0C by gregkh@social.kernel.org
2026-01-31T11:51:06.106083Z
3 likes, 0 repeats
Traditional #FOSDEM lunch break, club-mate and kernel CVE assignments.
(DIR) Post #B2updKNApzKWetOFns by gregkh@social.kernel.org
2026-02-02T15:33:30.092941Z
1 likes, 0 repeats
As it came up in a few conversations during "FOSDEM week", here's a link to the OpenSSF blog post about why the idea of "attestation for open source projects" is, in my opinion, and others', a bad idea: https://openssf.org/blog/2026/01/21/preserving-open-source-sustainability-while-advancing-cybersecurity-compliance/

Yes, FOSS foundations and projects need ways of getting funding, that is very important, but thinking that "attestation is how we will get that money!" might not be such a good idea given the risks involved, and the past experience for those that have attempted it.
(DIR) Post #B34d7sxZS6bmnCFqpk by gregkh@social.kernel.org
2026-02-07T07:35:41.851721Z
1 likes, 0 repeats
Looks like the AI companies have finally run out of money as they are asking various open source projects to test their closed source products for them for free. What could go wrong with giving access to an unknown tool to private code repos?

If I didn't know better, I would think this is an elaborate phishing scam, or they have run out of data to scrape and need more training material.

Gotta admire their brazenness...
(DIR) Post #B34gYJTrlppERAebcu by gregkh@social.kernel.org
2026-02-07T10:00:17.570700Z
1 likes, 0 repeats
@lain I wish I was hallucinating this timeline, that would make me much happier as I would know I could just sober up and it would all be over.
(DIR) Post #B354C5FYOiUgpWtOLY by gregkh@social.kernel.org
2026-02-07T09:19:25.983860Z
1 likes, 0 repeats
Curiosity got the best of me, and I clicked on the links and this just looks like an OpenAI "sales funnel", which is pretty hilarious when you consider the target was open source security teams, none of which could ever fill out these types of forms without flat out lying.