Re: dpt_i2o fixes for stable

On Sun, 28 May 2023, Greg Kroah-Hartman wrote:

> On Sun, May 28, 2023 at 07:58:11PM +1000, Finn Thain wrote:
> > On Sun, 28 May 2023, Greg Kroah-Hartman wrote:
> > 
> > > On Sat, May 27, 2023 at 10:42:00PM +0200, Ben Hutchings wrote:
> > > > I'm proposing to address the most obvious issues with dpt_i2o on stable
> > > > branches.  At this stage it may be better to remove it as has been done
> > > > upstream, but I'd rather limit the regression for anyone still using
> > > > the hardware.
> > > > 
> > > > The changes are:
> > > > 
> > > > - "scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)",
> > > >   which closes security flaws including CVE-2023-2007.
> > > > - "scsi: dpt_i2o: Do not process completions with invalid addresses",
> > > >   which removes the remaining bus_to_virt() call and may slightly
> > > >   improve handling of misbehaving hardware.
> > > > 
> > > > These changes have been compiled on all the relevant stable branches,
> > > > but I don't have hardware to test on.
> > > 
> > > Why don't we just delete it in the stable trees as well?  If no one has
> > > the hardware (otherwise the driver would not have been removed), who is
> > > going to hit these issues anyway?
> > > 
> > 
> > It's already gone from two stable trees. Would you also have it deleted 
> > from users' machines, or would you have each distro separately maintain 
> > out-of-tree that code which it is presently shipping, or something else?
> 
> Delete it as obviously no one actually has this hardware.  Or just leave
> it alone, as obviously no one has this hardware so any changes made to
> the code would not actually affect anyone.
> 
> Or am I missing something here?
> 

Under the assumption that the hardware does not exist, surely there's no 
value in a distro shipping the driver. No argument from me on that point. 
But the assumption is questionable and impossible to validate.

As b04e75a4a8a8 was never reverted, I infer that users of v6.0 (and later) 
do not need the driver. How do you infer that users of distro kernels are 
not using a given driver?


