Re: [PATCH v2] scsi: 3w-sas: validate request_id reported by controller

From: James Bottomley
Date: Tue Dec 16 2025 - 01:19:22 EST

Next message: Namhyung Kim: "Re: [PATCH 1/2] tools/build: Add a feature test for libopenssl"
Previous message: Dmitry Torokhov: "Re: [PATCH 2/4] Input: stmfts - Make comments correct"
In reply to: Shipei Qu: "[PATCH v2] scsi: 3w-sas: validate request_id reported by controller"
Next in thread: Shipei Qu: "Re: [PATCH v2] scsi: 3w-sas: validate request_id reported by controller"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2025-12-16 at 14:01 +0800, Shipei Qu wrote:
> This issue was first reported via security@xxxxxxxxxx. The kernel
> security team replied that, under the usual upstream threat model
> (only trusted PCIe/Thunderbolt devices are allowed to bind to such
> drivers), it should be treated as a normal robustness bug rather than
> a security issue, and asked us to send fixes to the relevant
> development lists. This email follows that guidance.

Realistically the same rationale goes for us as well. Absent the
observation in the field of a problem device, we usually trust the
hardware, so unless you can find an actual device that exhibits the
problem this isn't really a fix for anything.

If the security@ list is happy that the existing trust model for
Thunderbolt/PCIe would prevent the attachment of malicious devices,
then I think we're also happy to take their word for it. Even if
thunderbolt were a security problem, the fix would likely be in the
trust model not in all possible drivers.

Regards,

James Bottomley

Next message: Namhyung Kim: "Re: [PATCH 1/2] tools/build: Add a feature test for libopenssl"
Previous message: Dmitry Torokhov: "Re: [PATCH 2/4] Input: stmfts - Make comments correct"
In reply to: Shipei Qu: "[PATCH v2] scsi: 3w-sas: validate request_id reported by controller"
Next in thread: Shipei Qu: "Re: [PATCH v2] scsi: 3w-sas: validate request_id reported by controller"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]