{"id":"CVE-2022-49992","summary":"mm/mprotect: only reference swap pfn page if type match","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mprotect: only reference swap pfn page if type match\n\nYu Zhao reported a bug after the commit \"mm/swap: Add swp_offset_pfn() to\nfetch PFN from swap entry\" added a check in swp_offset_pfn() for swap type [1]:\n\n  kernel BUG at include/linux/swapops.h:117!\n  CPU: 46 PID: 5245 Comm: EventManager_De Tainted: G S         O L 6.0.0-dbg-DEV #2\n  RIP: 0010:pfn_swap_entry_to_page+0x72/0xf0\n  Code: c6 48 8b 36 48 83 fe ff 74 53 48 01 d1 48 83 c1 08 48 8b 09 f6\n  c1 01 75 7b 66 90 48 89 c1 48 8b 09 f6 c1 01 74 74 5d c3 eb 9e \u003c0f\u003e 0b\n  48 ba ff ff ff ff 03 00 00 00 eb ae a9 ff 0f 00 00 75 13 48\n  RSP: 0018:ffffa59e73fabb80 EFLAGS: 00010282\n  RAX: 00000000ffffffe8 RBX: 0c00000000000000 RCX: ffffcd5440000000\n  RDX: 1ffffffffff7a80a RSI: 0000000000000000 RDI: 0c0000000000042b\n  RBP: ffffa59e73fabb80 R08: ffff9965ca6e8bb8 R09: 0000000000000000\n  R10: ffffffffa5a2f62d R11: 0000030b372e9fff R12: ffff997b79db5738\n  R13: 000000000000042b R14: 0c0000000000042b R15: 1ffffffffff7a80a\n  FS:  00007f549d1bb700(0000) GS:ffff99d3cf680000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000440d035b3180 CR3: 0000002243176004 CR4: 00000000003706e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   change_pte_range+0x36e/0x880\n   change_p4d_range+0x2e8/0x670\n   change_protection_range+0x14e/0x2c0\n   mprotect_fixup+0x1ee/0x330\n   do_mprotect_pkey+0x34c/0x440\n   __x64_sys_mprotect+0x1d/0x30\n\nIt triggers because pfn_swap_entry_to_page() could be called upon e.g. a\ngenuine swap entry.\n\nFix it by only calling it when it's a write migration entry where the page*\nis used.\n\n[1] https://lore.kernel.org/lkml/CAOUHufaVC2Za-p8m0aiHw6YkheDcrO-C3wRGixwDS32VTS+k1w@mail.gmail.com/","modified":"2026-04-11T12:44:46.137768Z","published":"2025-06-18T11:00:52.581Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49992.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3d2f78f08cd8388035ac375e731ec1ac1b79b09d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5fcf81e308d1f4ae95f31690d2a80b7061385ff9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49992.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49992"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6c287605fd56466e645693eff3ae7c08fba56e0a"},{"fixed":"5fcf81e308d1f4ae95f31690d2a80b7061385ff9"},{"fixed":"3d2f78f08cd8388035ac375e731ec1ac1b79b09d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49992.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"5.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49992.json"}}],"schema_version":"1.7.5"}