On Sun, 2023-05-28 at 08:02 +0100, Greg Kroah-Hartman wrote:
> On Sat, May 27, 2023 at 10:42:00PM +0200, Ben Hutchings wrote:
> > I'm proposing to address the most obvious issues with dpt_i2o on stable
> > branches. At this stage it may be better to remove it as has been done
> > upstream, but I'd rather limit the regression for anyone still using
> > the hardware.
> >
> > The changes are:
> >
> > - "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
> >   which closes security flaws including CVE-2023-2007.
> > - "scsi: dpt_i2o: Do not process completions with invalid addresses",
> >   which removes the remaining bus_to_virt() call and may slightly
> >   improve handling of misbehaving hardware.
> >
> > These changes have been compiled on all the relevant stable branches,
> > but I don't have hardware to test on.
>
> Why don't we just delete it in the stable trees as well? If no one has
> the hardware (otherwise the driver would not have been removed), who is
> going to hit these issues anyway?

We don't know that no-one is using the hardware, just because no-one
among a small group of kernel developers and early adopters has spoken
up yet.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams