public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Michal Hocko <mhocko@suse.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
	linux-cve-announce@vger.kernel.org, Lee Jones <lee@kernel.org>
Subject: Re: CVE-2024-26650: platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe
Date: Wed, 22 May 2024 06:10:09 +0200
Message-ID: <2024052216-detest-whiff-15e3@gregkh>
In-Reply-To: <Zkz2qpUP-HVROO1I@tiehlicka>

On Tue, May 21, 2024 at 09:31:54PM +0200, Michal Hocko wrote:
> This patch has been reverted in upstream by 03c6284df179 ("Revert
> "drm/amd/amdgpu: Fix potential ioremap() memory leaks in
> amdgpu_device_init()"") and based on the changelog the CVE should be
> rejected.

Ok, the original commit here happened in these releases:
	6.1.76 6.6.15 6.7.3 6.8
while the revert is only in these releases:
	6.1.86 6.6.27 6.8.6 6.9
but there are also commits in these releases that reference the original
commit and also say they fix it:
	6.1.84 6.6.23 6.7.11
i.e. commit aec7d25b497c ("platform/x86: p2sb: On Goldmont only cache
P2SB and SPI devfn BAR") so that commit is also needed in order to make
this commit work properly, in other words, the original isn't totally
invalid on its own.

So the revert is a fix for the original patch, and needs to keep being a
CVE, but you think that the original should not be because it was
reverted, right?

That kind of makes sense, but at the time, the original was a valid CVE,
so we were correct to assign that, what do we do about the "middle" one
here, ignore it?  Without both of them, you might have a problem still
but I guess that's up to the systems that cherry-pick to work out,
right?

Should we be searching the database for assigned CVEs to the commits
that new ones are marked as "Fixes:" for and think about how to revoke
those original ones at the same time?

thanks,

greg k-h
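
The search the message asks about (finding already-assigned CVEs whose commit a newer commit reverts or marks with "Fixes:") can be sketched as below. This is an added example, not part of the message or of the kernel CVE tooling; the commit ids, CVE ids, and function names are constructed placeholders.

```python
import re

FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{8,40})\b", re.M | re.I)
REVERT_RE = re.compile(r"^This reverts commit ([0-9a-f]{8,40})\b", re.M)

# Constructed sample data: every commit id and CVE id here is a placeholder.
CVE_DB = {
    "a1" * 20: "CVE-0000-0001",
    "b2" * 20: "CVE-0000-0002",
}
NEW_COMMITS = [
    ("c3" * 20, 'subsys: narrow earlier change\n\n'
                'Fixes: a1a1a1a1a1a1 ("subsys: earlier change")\n'),
    ("d4" * 20, 'Revert "driver: plug leak"\n\n'
                "This reverts commit " + "b2" * 20 + ".\n"),
    ("e5" * 20, "docs: unrelated cleanup\n"),
]

def resolve(abbrev, db):
    """Map an abbreviated commit id to the one full id in db it prefixes, else None."""
    hits = [full for full in db if full.startswith(abbrev.lower())]
    return hits[0] if len(hits) == 1 else None  # unknown or ambiguous prefix: no match

def references(message):
    """Yield (kind, abbrev) for each revert line and Fixes: trailer in a commit message."""
    for sha in REVERT_RE.findall(message):
        yield "revert", sha
    for sha in FIXES_RE.findall(message):
        yield "fixes", sha

def cves_to_review(new_commits, db):
    """List (cve, original, new_commit, kind) for new commits that target a CVE'd commit."""
    out = []
    for new_sha, message in new_commits:
        for kind, abbrev in references(message):
            original = resolve(abbrev, db)
            if original:
                out.append((db[original], original, new_sha, kind))
    return out

if __name__ == "__main__":
    for cve, original, new_sha, kind in cves_to_review(NEW_COMMITS, CVE_DB):
        print(f"{cve}: {original[:12]} is the target of a {kind} in {new_sha[:12]}")
```

Keeping "revert" and "fixes" as separate kinds preserves the distinction drawn in the message: a revert raises the question of revoking the original CVE, while a follow-up fix means both commits are needed.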

Thread overview: 6+ messages
     [not found] <20240326175007.1388794-18-lee@kernel.org>
2024-05-21 19:31 ` CVE-2024-26650: platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe Michal Hocko
2024-05-22  4:10   ` Greg KH [this message]
2024-05-23  8:50   ` zhengzucheng
2024-05-23 13:51     ` Greg KH
2024-05-24 10:33       ` Michal Hocko
2024-05-24 10:33   ` Michal Hocko
