On 10/2/24 9:46 AM, Vegard Nossum wrote:
>
> On 02/10/2024 17:26, Jens Axboe wrote:
>> On 10/2/24 9:05 AM, Vegard Nossum wrote:
>>> Christophe JAILLET (1):
>>>   null_blk: Remove usage of the deprecated ida_simple_xx() API
>>>
>>> Yu Kuai (1):
>>>   null_blk: fix null-ptr-dereference while configuring 'power' and
>>>     'submit_queues'
>>
>> I don't see how either of these are CVEs? Obviously not a problem to
>> backport either of them to stable, but I wonder what the reasoning for
>> that is. IOW, feels like those CVEs are bogus, which I guess is hardly
>> surprising :-)
>
> IIRC the ida API change is not a fix for a CVE, but it makes the other
> patch apply more easily.

Ah ok

> The other patch is a fix for CVE-2024-36478, here's the CVE assignment:
>
> https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@gregkh/
>
> An issue being a CVE just means that it has been identified as a
> "weakness" and assigned a unique identifier, it does not mean it's
> necessarily a severe issue or that there is an exploit for it or
> anything like that.
>
> Unfortunately for distributions, there may be various customers or
> government agencies which expect or require all CVEs to be addressed
> (regardless of severity), which is why we're backporting these to stable
> and trying to close those gaps.

It's a root only thing, have a hard time a world in which that's a
CVE. Not that I really care, what constitutes a CVE has a wide spread.

--
Jens Axboe