Update information on CVE-2022-20158

1 files changed, 12 insertions, 6 deletions

diff --git a/active/CVE-2022-20158 b/active/CVE-2022-20158
index 8ff7a7d7..98f2cd51 100644
--- a/active/CVE-2022-20158
+++ b/active/CVE-2022-20158
@@ -3,16 +3,22 @@ References:
  https://source.android.com/security/bulletin/pixel/2022-08-01
  https://android.googlesource.com/kernel/common/+/69e8f03c5ced3e4e6fb4181f4dac185104e3420b
  https://android.googlesource.com/kernel/common/+/80d91b86a199798ee2321a0ab0f09e6e12764678
+ https://lore.kernel.org/all/420a6c4a-e526-4e8b-d5bd-563c40aa94e1@huaweicloud.com/
+ https://lore.kernel.org/all/YvYAmmaJgvydex4p@google.com/
 Notes:
  carnil> The second commit is 0b3ea0926afb ("fs: explicitly unregister
  carnil> per-superblock BDIs") in 5.16-rc1.
  carnil> Is this an Android specific issue? 5.16-rc1 contains as well
  carnil> 702f2d1e3b33 ("mm: don't automatically unregister bdis") as
  carnil> "All BDI users now unregister explicitly" at that point.
+ carnil> Lee Jones clarified that the issue is specific to Android
+ carnil> released kernel versions which had an internal, device specific
+ carnil> commit, causing the issue. This does not affect upstream or
+ carnil> stable kernels accordingly.
 Bugs:
-upstream:
-5.10-upstream-stable:
-4.19-upstream-stable:
-sid:
-5.10-bullseye-security:
-4.19-buster-security:
+upstream: N/A "Vulnerable code not present; issue specific to Android kernel"
+5.10-upstream-stable: N/A "Vulnerable code not present; issue specific to Android kernel"
+4.19-upstream-stable: N/A "Vulnerable code not present; issue specific to Android kernel"
+sid: N/A "Vulnerable code not present; issue specific to Android kernel"
+5.10-bullseye-security: N/A "Vulnerable code not present; issue specific to Android kernel"
+4.19-buster-security: N/A "Vulnerable code not present; issue specific to Android kernel"