CVE-2022-49810

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix missing xas_retry() calls in xarray iteration

netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It *should* call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and suchlike, but I'm told that's not a simple change to effect.

This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.

BUG: kernel NULL pointer dereference, address: 0000000000000402
...
RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
...
Call Trace:
netfs_rreq_assess+0xa6/0x240 [netfs]
netfs_readpage+0x173/0x3b0 [netfs]
? init_wait_var_entry+0x50/0x50
filemap_read_page+0x33/0xf0
filemap_get_pages+0x2f2/0x3f0
filemap_read+0xaa/0x320
? do_filp_open+0xb2/0x150
? rmqueue+0x3be/0xe10
ceph_read_iter+0x1fe/0x680 [ceph]
? new_sync_read+0x115/0x1a0
new_sync_read+0x115/0x1a0
vfs_read+0xf3/0x180
ksys_read+0x5f/0xe0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae

Changes:
========
ver #2)
- Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion.
- Added an additional patch to fix the maths.
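As an added illustration (not code from the kernel or from the patch), a small user-space model of the situation the description reports: the xarray constants mirror the kernel's xa_mk_internal() encoding, so the retry marker decodes to 0x402, the faulting address in the oops; xa_state, xas_next_entry() and the two slot tables are constructed stand-ins, and walk() shows the loop shape with and without the xas_retry() check the fix adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* User-space model of the kernel's xarray helpers (include/linux/xarray.h):
 * internal entries have low bits 0b10; the retry marker is value 256 -> 0x402. */
#define xa_mk_internal(v)  ((void *)(((uintptr_t)(v) << 2) | 2))
#define XA_RETRY_ENTRY     xa_mk_internal(256)
static bool xa_is_internal(const void *e) { return ((uintptr_t)e & 3) == 2; }

struct folio { unsigned long index; };
static struct folio folios[3] = { {0}, {1}, {2} };
/* Constructed slot tables: the first walk hands out a retry marker (a concurrent
 * change forced a restart from the root); the re-walk sees the settled tree. */
static void *racing[]  = { &folios[0], XA_RETRY_ENTRY, NULL };
static void *settled[] = { &folios[0], &folios[1], &folios[2], NULL };

struct xa_state { size_t pos; bool restarted; };
static void *xas_next_entry(struct xa_state *xas)
{
	void **slots = xas->restarted ? settled : racing;
	return slots[xas->pos++];                 /* NULL ends the walk */
}
/* Model of xas_retry(): true means "skip this entry and walk again". */
static bool xas_retry(struct xa_state *xas, const void *entry)
{
	if (entry != XA_RETRY_ENTRY)
		return false;
	xas->pos = 0; xas->restarted = true;      /* xas_reset(): back to the root */
	return true;
}

/* One netfs-style walk; 'fixed' runs xas_retry() first in the loop as the patch
 * does. Returns the sum of folio indexes; when the pre-fix shape reaches the
 * marker, *fault gets the address it would have dereferenced (kernel: oops). */
static unsigned long walk(bool fixed, uintptr_t *fault)
{
	struct xa_state xas = {0};
	unsigned long sum = 0;
	void *entry;
	*fault = 0;
	while ((entry = xas_next_entry(&xas)) != NULL) {
		if (fixed && xas_retry(&xas, entry))
			continue;
		if (xa_is_internal(entry)) {          /* model-only guard */
			*fault = (uintptr_t)entry;
			break;
		}
		sum += ((struct folio *)entry)->index;
	}
	return sum;
}
```

Without the check, the walk stops at the marker with fault == 0x402, matching the oops; with it, the marker is skipped, the walk restarts from the root and all three folios are visited.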

Impact