On Sun, 28 May 2023, Greg Kroah-Hartman wrote:

> On Sat, May 27, 2023 at 10:42:00PM +0200, Ben Hutchings wrote:
> > I'm proposing to address the most obvious issues with dpt_i2o on stable
> > branches. At this stage it may be better to remove it as has been done
> > upstream, but I'd rather limit the regression for anyone still using
> > the hardware.
> >
> > The changes are:
> >
> > - "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
> >   which closes security flaws including CVE-2023-2007.
> > - "scsi: dpt_i2o: Do not process completions with invalid addresses",
> >   which removes the remaining bus_to_virt() call and may slightly
> >   improve handling of misbehaving hardware.
> >
> > These changes have been compiled on all the relevant stable branches,
> > but I don't have hardware to test on.
>
> Why don't we just delete it in the stable trees as well? If no one has
> the hardware (otherwise the driver would not have been removed), who is
> going to hit these issues anyway?
>

It's already gone from two stable trees. Would you also have it deleted
from users' machines, or would you have each distro separately maintain
out-of-tree that code which it is presently shipping, or something else?