lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 15 Sep 2022 16:05:17 +0200
From:   Harald Welte <laforge@...monks.org>
To:     Arnd Bergmann <arnd@...db.de>
Cc:     Hyunwoo Kim <imv4bel@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
        linux-kernel@...r.kernel.org,
        Dominik Brodowski <linux@...inikbrodowski.net>,
        Paul Fulghum <paulkf@...rogate.com>, akpm@...l.org,
        Lubomir Rintel <lkundrak@...sk>
Subject: Re: [PATCH] pcmcia: synclink_cs: Fix use-after-free in mgslpc_ioctl()

Hi Arnd,

On Thu, Sep 15, 2022 at 09:35:51AM +0200, Arnd Bergmann wrote:
> There is a good chance that we can remove both now, along with the
> synclink_cs. The scr24x driver is from 2016, but of course the
> hardware is much older. The cm4040/cm4000 drivers are from 2005.
> My guess is that the hardware still exists in actively used systems,
> but none of them get upgraded to modern kernels any more.

It is probably true.  But the same argument can be made about all of the
PCMCIA drivers.  It's been a long time since any new mass-market hardware
with PCMCIA slots has been produced.  Even if you count in the (non-express)
cardbus, the same argument holds true.

I personally haven't used any of those cm4000/cm4040 in ages.  But what
particularly the last decade of my professional career has taught me:
There are typically always more users of legacy tech out there than you
would imagine.  The question is whether those users are relevant enough
for today's kernel maintainers to care.  This isn't meant to sound
bitter - I'm just stating facts.  It can be a valid "developer resource
economic" decision to not care.

Regards,
	Harald

-- 
- Harald Welte <laforge@...monks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ