On 02/10/2024 17:26, Jens Axboe wrote:
On 10/2/24 9:05 AM, Vegard Nossum wrote:Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'I don't see how either of these are CVEs? Obviously not a problem to backport either of them to stable, but I wonder what the reasoning for that is. IOW, feels like those CVEs are bogus, which I guess is hardly surprising :-)
IIRC the ida API change is not a fix for a CVE, but it makes the other patch apply more easily. The other patch is a fix for CVE-2024-36478, here's the CVE assignment: https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@gregkh/ An issue being a CVE just means that it has been identified as a "weakness" and assigned a unique identifier, it does not mean it's necessarily a severe issue or that there is an exploit for it or anything like that. Unfortunately for distributions, there may be various customers or government agencies which expect or require all CVEs to be addressed (regardless of severity), which is why we're backporting these to stable and trying to close those gaps. Vegard
