On 02/10/2024 17:26, Jens Axboe wrote:
On 10/2/24 9:05 AM, Vegard Nossum wrote:
Christophe JAILLET (1):
null_blk: Remove usage of the deprecated ida_simple_xx() API
Yu Kuai (1):
null_blk: fix null-ptr-dereference while configuring 'power' and
'submit_queues'
I don't see how either of these are CVEs? Obviously not a problem to
backport either of them to stable, but I wonder what the reasoning for
that is. IOW, feels like those CVEs are bogus, which I guess is hardly
surprising :-)
IIRC the ida API change is not a fix for a CVE, but it makes the other
patch apply more easily.
The other patch is a fix for CVE-2024-36478, here's the CVE assignment:
https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@gregkh/
An issue being a CVE just means that it has been identified as a
"weakness" and assigned a unique identifier, it does not mean it's
necessarily a severe issue or that there is an exploit for it or
anything like that.
Unfortunately for distributions, there may be various customers or
government agencies which expect or require all CVEs to be addressed
(regardless of severity), which is why we're backporting these to stable
and trying to close those gaps.
Vegard