On Sun, 28 May 2023, Greg Kroah-Hartman wrote:

> On Sun, May 28, 2023 at 07:58:11PM +1000, Finn Thain wrote:
> > On Sun, 28 May 2023, Greg Kroah-Hartman wrote:
> >
> > > On Sat, May 27, 2023 at 10:42:00PM +0200, Ben Hutchings wrote:
> > > > I'm proposing to address the most obvious issues with dpt_i2o on stable
> > > > branches. At this stage it may be better to remove it as has been done
> > > > upstream, but I'd rather limit the regression for anyone still using
> > > > the hardware.
> > > >
> > > > The changes are:
> > > >
> > > > - "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
> > > >   which closes security flaws including CVE-2023-2007.
> > > > - "scsi: dpt_i2o: Do not process completions with invalid addresses",
> > > >   which removes the remaining bus_to_virt() call and may slightly
> > > >   improve handling of misbehaving hardware.
> > > >
> > > > These changes have been compiled on all the relevant stable branches,
> > > > but I don't have hardware to test on.
> > >
> > > Why don't we just delete it in the stable trees as well? If no one has
> > > the hardware (otherwise the driver would not have been removed), who is
> > > going to hit these issues anyway?
> > >
> >
> > It's already gone from two stable trees. Would you also have it deleted
> > from users' machines, or would you have each distro separately maintain
> > out-of-tree that code which it is presently shipping, or something else?
>
> Delete it as obviously no one actually has this hardware. Or just leave
> it alone, as obviously no one has this hardware so any changes made to
> the code would not actually affect anyone.
>
> Or am I missing something here?
>

Under the assumption that the hardware does not exist, surely there's no
value in a distro shipping the driver. No argument from me on that point.
But the assumption is questionable and impossible to validate.

As b04e75a4a8a8 was never reverted, I infer that users of v6.0 (and later) do not need the driver.
How do you infer that users of distro kernels are not using a given driver?