Re: dpt_i2o fixes for stable


 



On Sun, 2023-05-28 at 08:02 +0100, Greg Kroah-Hartman wrote:
> On Sat, May 27, 2023 at 10:42:00PM +0200, Ben Hutchings wrote:
> > I'm proposing to address the most obvious issues with dpt_i2o on stable
> > branches.  At this stage it may be better to remove it as has been done
> > upstream, but I'd rather limit the regression for anyone still using
> > the hardware.
> > 
> > The changes are:
> > 
> > - "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
> >   which closes security flaws including CVE-2023-2007.
> > - "scsi: dpt_i2o: Do not process completions with invalid addresses",
> >   which removes the remaining bus_to_virt() call and may slightly
> >   improve handling of misbehaving hardware.
> > 
> > These changes have been compiled on all the relevant stable branches,
> > but I don't have hardware to test on.
> 
> Why don't we just delete it in the stable trees as well?  If no one has
> the hardware (otherwise the driver would not have been removed), who is
> going to hit these issues anyway?

We don't know that no-one is using the hardware, just because no-one
among a small group of kernel developers and early adopters has spoken
up yet.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams



