From: Michal Hocko <mhocko@suse.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52560: mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
Date: Wed, 6 Mar 2024 09:56:49 +0100 [thread overview]
Message-ID: <Zegv0XmFyNzNYORb@tiehlicka> (raw)
In-Reply-To: <2024030604-unstuffed-grant-758c@gregkh>
On Wed 06-03-24 08:42:07, Greg KH wrote:
> On Wed, Mar 06, 2024 at 08:49:42AM +0100, Michal Hocko wrote:
> > On Tue 05-03-24 22:25:11, Greg KH wrote:
> > > On Tue, Mar 05, 2024 at 05:51:11PM +0100, Michal Hocko wrote:
> > > > On Sat 02-03-24 22:59:54, Greg KH wrote:
> > > > > Description
> > > > > ===========
> > > > >
> > > > > In the Linux kernel, the following vulnerability has been resolved:
> > > > >
> > > > > mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
> > > > >
> > > > > When CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y
> > > > > and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.
> > > >
> > > > This is a kunit test case AFAICS. Is this really a CVE material?
> > >
> > > People run kunit tests on real systems (again, we do not dictate use
> > > cases.) So yes, fixing a memory leak that can be triggered is resolving
> > > a weakness and so should get a CVE I would think, right?
> >
> > This is stretching the meaning of CVE beyond my imagination. Up to you
> > to decide but I yet have to see a real production system that casually
> > runs unit test just for <looking for a reason .... but failed>.
>
> I know of at least one place that uses kunit tests in "production", and
> I know of more that will be enabling them in newer releases, so this is
> a real thing.
I would be really curious to hear more details.
> Again, we just mark "fixes for a weakness" as a CVE and
> let others decide what to do with it.
OK, this is something we have discussed and concluded to disagree. Not
my call though but I would really like to hear _who_ outside of the stable
tree userbase is really appreciating this approach.
--
Michal Hocko
SUSE Labs
prev parent reply other threads:[~2024-03-06 8:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-02 21:59 CVE-2023-52560: mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() Greg Kroah-Hartman
2024-03-05 16:51 ` Michal Hocko
2024-03-05 22:25 ` Greg Kroah-Hartman
2024-03-06 7:49 ` Michal Hocko
2024-03-06 8:42 ` Greg Kroah-Hartman
2024-03-06 8:56 ` Michal Hocko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zegv0XmFyNzNYORb@tiehlicka \
--to=mhocko@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.