CVE-2022-49778

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49778
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49778.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49778
Downstream
Published
2025-05-01T14:09:13Z
Modified
2025-10-08T11:07:32.533185Z
Summary
arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud

The page table check triggers BUG_ON() unexpectedly when collapsing a hugepage:

 ------------[ cut here ]------------
 kernel BUG at mm/page_table_check.c:82!
 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
 Dumping ftrace buffer:
    (ftrace buffer empty)
 Modules linked in:
 CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750
 Hardware name: linux,dummy-virt (DT)
 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : page_table_check_clear.isra.0+0x258/0x3f0
 lr : page_table_check_clear.isra.0+0x240/0x3f0
 [...]
 Call trace:
  page_table_check_clear.isra.0+0x258/0x3f0
  __page_table_check_pmd_clear+0xbc/0x108
  pmdp_collapse_flush+0xb0/0x160
  collapse_huge_page+0xa08/0x1080
  hpage_collapse_scan_pmd+0xf30/0x1590
  khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8
  khugepaged+0x338/0x518
  kthread+0x278/0x2f8
  ret_from_fork+0x10/0x20
 [...]

Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it decreases file_map_count for a non-leaf pmd that comes from collapse_huge_page(), and so triggers BUG_ON() unexpectedly.

Fix this problem by using pmd_leaf() instead of pmd_present() in pmd_user_accessible_page(). Moreover, use pud_leaf() for pud_user_accessible_page() too.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
42b2547137f5c974bb1bfd657c869fe96b96d86f
Fixed
2d458046df634088611d44fd77f45465e833ef78
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
42b2547137f5c974bb1bfd657c869fe96b96d86f
Fixed
5b47348fc0b18a78c96f8474cc90b7525ad1bbfe

Affected versions

v5.*

v5.18
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b47348fc0b18a78c96f8474cc90b7525ad1bbfe",
            "deprecated": false,
            "target": {
                "file": "arch/arm64/include/asm/pgtable.h"
            },
            "signature_type": "Line",
            "id": "CVE-2022-49778-2ceec40c"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d458046df634088611d44fd77f45465e833ef78",
            "deprecated": false,
            "target": {
                "file": "arch/arm64/include/asm/pgtable.h"
            },
            "signature_type": "Line",
            "id": "CVE-2022-49778-6509daa4"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.0.10