CVE-2022-49810

Source
https://cve.org/CVERecord?id=CVE-2022-49810
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49810.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49810
Published
2025-05-01T14:09:35.470Z
Modified
2026-03-12T03:25:49.221597Z
Summary
netfs: Fix missing xas_retry() calls in xarray iteration
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix missing xas_retry() calls in xarray iteration

netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It should call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and suchlike, but I'm told that's not a simple change to effect.

This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.

    BUG: kernel NULL pointer dereference, address: 0000000000000402
    ...
    RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
    ...
    Call Trace:
     netfs_rreq_assess+0xa6/0x240 [netfs]
     netfs_readpage+0x173/0x3b0 [netfs]
     ? init_wait_var_entry+0x50/0x50
     filemap_read_page+0x33/0xf0
     filemap_get_pages+0x2f2/0x3f0
     filemap_read+0xaa/0x320
     ? do_filp_open+0xb2/0x150
     ? rmqueue+0x3be/0xe10
     ceph_read_iter+0x1fe/0x680 [ceph]
     ? new_sync_read+0x115/0x1a0
     new_sync_read+0x115/0x1a0
     vfs_read+0xf3/0x180
     ksys_read+0x5f/0xe0
     do_syscall_64+0x38/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Changes:

ver #2)
 - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion.
 - Added an additional patch to fix the maths.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49810.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3d3c95046742e4eebaa4b891b0b01cbbed94ebbd
Fixed
b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d
Fixed
7e043a80b5dae5c2d2cf84031501de7827fd6c00

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49810.json"