Re: Re: CVE-2021-20219 Linux kernel: improper synchronization in flush_to_ldisc() can lead to DoS

[Sasha Levin <sashal () kernel org>]

Hey Brad,

I'll let Greg respond on your concerns with him, I've removed those
references to him from my reply.

On Fri, Mar 19, 2021 at 03:58:25PM -0400, Brad Spengler wrote:
> Hi Sasha,
>
> > I'm really not sure how to respond to this. I don't own upstream, my
> > name isn't Linus, Greg, nor do I maintain a major subsystem. I don't
> > have any control over how upstream commits look like.
>
> Both you and Greg certainly have control over stable kernel commit
> messages (it's the same ability you use to add the upstream commit ID).

So we do, but traditionally I haven't changed the commit message. I also
don't have an additional source of information when I queue up the
commits, so I'm not sure how my ability to edit stable commit messages
helps here.

> > Great, let's work together on making it better, but it's been following
> > the same pattern for quite a while now.
>
> I think both you and Greg are exaggerating the level of "extra work" this
> temporary blip creates for you -- with the exception of the RH backport
> issue, it was not difficult at all for me to determine what issue was
> being discussed, without even having to plug the CVEs into bugzilla.redhat.com
> which produces:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35519
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3428

So this CVE link above is exactly what I referred to: how do you go from
CVE-2021-3428 to the commit in question?

--
Thanks,
Sasha