When a Research Paper Turned Into a Linux Kernel Security Disaster

A controversial university paper on covertly injecting vulnerabilities into open‑source software sparked a chain of malicious Linux kernel patches, provoked a fierce response from maintainer Greg Kroah‑Hartman, and forced the University of Minnesota to suspend the research amid heated community debate.

Programmer DD

Universities require students to publish rigorous theses, but some topics are unusually quirky, such as a study on horse‑tail motion or a statistical survey of prayer efficacy.

One recent paper titled “The Feasibility of Introducing Vulnerabilities into Open‑Source Software by Submitting Fake Code” (available at GitHub) attracted attention for its dual nature: it could teach defensive techniques or, conversely, serve as a guide for malicious exploitation.

The authors, Kangjie Lu and Qiushi Wu, both graduate students at the University of Minnesota, submitted specially crafted code patches to the Linux kernel that silently introduced malicious behavior without drawing attention.

Another student, Aditya Pakki, later reused these methods to submit additional problematic patches. The following commit illustrates the changes:

Signed-off-by: Aditya Pakki <[email protected]>
---
 net/rds/message.c | 1 +
 net/rds/send.c    | 2 +- 
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 071a261fdaab..90ebcfe5fe3b 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
     rds_message_purge(rm);
 
     kfree(rm);
+    rm = NULL;
   }
 }
 EXPORT_SYMBOL_GPL(rds_message_put);
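
Review bot: The added `rm = NULL;` after `kfree(rm);` has no effect outside this function. Per the hunk header, `rds_message_put()` takes `struct rds_message *rm` by value, so the assignment only clears the local copy of the pointer just before the function returns, and every caller's pointer still holds the freed address. Please drop the line. If the goal is for callers to see that the message is gone, that needs an interface change (for example a return value, or passing the pointer by reference), and the commit message should name the double put it is meant to prevent.
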
diff --git a/net/rds/send.c b/net/rds/send.c
index 985d0b7713ac..fe5264b9d4b3 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
 unlock_and_drop:
     spin_unlock_irqrestore(&rm->m_rs_lock, flags);
     rds_message_put(rm);
-    if (was_on_sock)
+    if (was_on_sock && rm)
         rds_message_put(rm);
   }
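
Review bot: The new `&& rm` test in `if (was_on_sock && rm)` cannot detect that the preceding `rds_message_put(rm)` freed the message. The callee receives the pointer by value, so the local `rm` here is unchanged by the call, and it was already dereferenced in `spin_unlock_irqrestore(&rm->m_rs_lock, flags)` two lines earlier, so it is known to be non-NULL. The condition therefore evaluates exactly as `if (was_on_sock)` did, the second put still runs, and the check only gives the appearance of a guard. If there is a real reference imbalance on this path, the fix belongs in the reference accounting (which reference each of the two puts drops), and the commit message should explain that rather than adding a NULL test.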

Linux kernel maintainer Greg Kroah‑Hartman publicly rebuked Pakki, warning that such malicious experiments waste community time and could lead to formal complaints against the university.

Greg, I respectfully ask you to stop the near‑defamatory accusations. These patches were generated by a new static analyzer I built. I sent them hoping for feedback. Clearly it was a misstep, but your pre‑conceptions led to baseless claims. I will cease sending patches.

In response, Kroah‑Hartman announced a ban on all future submissions from the University of Minnesota and the removal of existing contributions.

The university issued a statement emphasizing the seriousness of the incident, suspending the research, and pledging a thorough investigation.

We take this matter very seriously and have immediately suspended the research. We will investigate the methodology and its approval process, determine appropriate remediation, and, if necessary, implement safeguards to prevent future issues. Results will be reported promptly.

The Linux community largely sided with Kroah‑Hartman, arguing that academic research should not waste developers’ time, while some startups argued that exploring such possibilities drives industry progress.

Readers are invited to share their opinions on the balance between academic curiosity and responsible open‑source stewardship.
