CVE-2022-49810

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49810
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49810.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49810
Published
2025-05-01T14:09:35Z
Modified
2025-10-21T11:04:06.630800Z
Summary
netfs: Fix missing xas_retry() calls in xarray iteration
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix missing xas_retry() calls in xarray iteration

netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It should call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and suchlike, but I'm told that's not a simple change to effect.

This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.

    BUG: kernel NULL pointer dereference, address: 0000000000000402
    ...
    RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
    ...
    Call Trace:
     netfs_rreq_assess+0xa6/0x240 [netfs]
     netfs_readpage+0x173/0x3b0 [netfs]
     ? init_wait_var_entry+0x50/0x50
     filemap_read_page+0x33/0xf0
     filemap_get_pages+0x2f2/0x3f0
     filemap_read+0xaa/0x320
     ? do_filp_open+0xb2/0x150
     ? rmqueue+0x3be/0xe10
     ceph_read_iter+0x1fe/0x680 [ceph]
     ? new_sync_read+0x115/0x1a0
     new_sync_read+0x115/0x1a0
     vfs_read+0xf3/0x180
     ksys_read+0x5f/0xe0
     do_syscall_64+0x38/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Changes:

ver #2)
 - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion.
 - Added an additional patch to fix the maths.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3d3c95046742e4eebaa4b891b0b01cbbed94ebbd
Fixed
b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3d3c95046742e4eebaa4b891b0b01cbbed94ebbd
Fixed
7e043a80b5dae5c2d2cf84031501de7827fd6c00

Affected versions

v5.*

v5.12
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.13.0
Fixed
6.0.10