On 10/2/24 9:50 AM, Dan Carpenter wrote:
> On Wed, Oct 02, 2024 at 09:26:46AM -0600, Jens Axboe wrote:
>> On 10/2/24 9:05 AM, Vegard Nossum wrote:
>>> Christophe JAILLET (1):
>>> null_blk: Remove usage of the deprecated ida_simple_xx() API
>
> It makes cherry-picking the next commit slightly easier. There is still some
> conflict resolution necessary so it doesn't help very much. Could we annotate
> these with a Stable-dep-of: tag otherwise we get a lot of questions like this.
>
> Also when we backport patches from 6.6.y to 6.1.y then we can drop any
> unnecessary Stable-dep-of patches.
>
>>>
>>> Yu Kuai (1):
>>> null_blk: fix null-ptr-dereference while configuring 'power' and
>>> 'submit_queues'
>>
>> I don't see how either of these are CVEs? Obviously not a problem to
>> backport either of them to stable, but I wonder what the reasoning for
>> that is. IOW, feels like those CVEs are bogus, which I guess is hardly
>> surprising :-)
>
> The definition of CVE includes NULL dereferences so that's automatic.

Sure, I'm not a total idiot, even if it may seem like it. But this one
requires root - both to load the driver, and to trigger it after it
being loaded. It's not a non-root user triggerable oops.

And maybe that's fine and that's still a CVE, at least we're not doing
scores here...

-- 
Jens Axboe