>Based on publicly-available information, we know the author of the patch is a Huawei employee, and despite attempts now to distance itself from the code after publication of this post, it still retains the Huawei naming. Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
Grsecurity people have been involved in a lot of fights and accusations over the years. Also this was a first posting of the patch set. I think it's pretty hard to show malice here. Of course your Bayesian prior will be influenced by how paranoid you are about Huawei in general.
edit: apologies to Grsecurity, as pointed out downthread they make no accusations of backdoors. Although apparently the Grsecurity blog post was also altered after comments from the Huawei PSIRT, don't know what was in the original version.
Actually if you read the grsecurity blog it is much more nuanced than the linked story (and would have been a much better source to link to IMO).
In particular they do not insinuate a backdoor. In fact their post is pretty consistent in that they criticize the quality (or lack thereof) and limited understanding of security, which they have done for many others as well.
This seems to really be a story blown out of proportion based on the current political climate. I don't believe a similar vulnerability in a patch from Cisco, Intel, Google or any of the others (and they had patches which were similarly criticized by grsecurity) would have received a backdoor label in the headlines.
That is not to say that we should not strongly scrutinise patches from Huawei.
But reading the Grsecurity blog, it becomes even clearer that this is far from production code and would be very far from passing any kind of QC for production code.
If you are going to try to insert backdoors, you will come up with a way of doing it with plausible deniability. Letting an employee post the patch on their own credentials is one way of setting up plausible deniability.
Yes, of course. But the flip side is that any given bug is unlikely to be a covert backdoor.
Considering the scrutiny Huawei is under, and how this patch was not proposed for or destined to any existing used Linux component, this would be an odd risk-reward equation.
I fear this will be a nail in the coffin for any freedoms Huawei employees had to participate in the open source infosec dev community on their own volition. We should be encouraging this kind of participation, not publicly crucifying beginning participants and their employers for mistakes.