{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49977","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.385Z","datePublished":"2025-06-18T11:00:39.871Z","dateUpdated":"2026-05-11T19:10:21.520Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:10:21.520Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead\n\nftrace_startup does not remove ops from ftrace_ops_list when\nftrace_startup_enable fails:\n\nregister_ftrace_function\n  ftrace_startup\n    __register_ftrace_function\n      ...\n      add_ftrace_ops(&ftrace_ops_list, ops)\n      ...\n    ...\n    ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1\n    ...\n  return 0 // ops is in the ftrace_ops_list.\n\nWhen ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:\nunregister_ftrace_function\n  ftrace_shutdown\n    if (unlikely(ftrace_disabled))\n            return -ENODEV;  // return here, __unregister_ftrace_function is not executed,\n                             // as a result, ops is still in the ftrace_ops_list\n    __unregister_ftrace_function\n    ...\n\nIf ops is dynamically allocated, it will be free later, in this case,\nis_ftrace_trampoline accesses NULL pointer:\n\nis_ftrace_trampoline\n  ftrace_ops_trampoline\n    do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!\n\nSyzkaller reports as follows:\n[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b\n[ 1203.508039] #PF: supervisor read access in kernel mode\n[ 1203.508798] #PF: error_code(0x0000) - not-present page\n[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0\n[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI\n[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G    B   W         5.10.0 #8\n[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0\n[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00\n[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246\n[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866\n[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b\n[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07\n[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399\n[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008\n[ 1203.525634] FS:  00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000\n[ 1203.526801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0\n[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nTherefore, when ftrace_startup_enable fails, we need to rollback registration\nprocess and remove ops from ftrace_ops_list."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/ftrace.c"],"versions":[{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"8569b4ada1e0b9bfaa125bd0c0967918b6560fa2","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"4c34a2a6c9927c239dd2e295a03d49b37b618d2c","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"ddffe882d74ef43a3494f0ab0c24baf076c45f96","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"934e49f7d696afdae9f979abe3f308408184e17b","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"e4ae97295984ff1b9b340ed18ae1b066f36b7835","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e","status":"affected","versionType":"git"},{"version":"8a56d7761d2d041ae5e8215d20b4167d8aa93f51","lessThan":"c3b0f72e805f0801f05fa2aa52011c4bfc694c44","status":"affected","versionType":"git"},{"version":"969a08e9048ddd0d655a19e692673cdb95116ce6","status":"affected","versionType":"git"},{"version":"51d351d5b949ae7204696ada7ef502ed34d34fb0","status":"affected","versionType":"git"},{"version":"2940c25bec92f40a3f7f32504b8ea115d1701892","status":"affected","versionType":"git"},{"version":"189f4e672fc1c086f78818affc810ef29dda42a3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/ftrace.c"],"versions":[{"version":"3.13","status":"affected"},{"version":"0","lessThan":"3.13","status":"unaffected","versionType":"semver"},{"version":"4.9.327","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.292","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.257","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.212","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.141","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.65","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.7","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"4.9.327"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"4.14.292"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"4.19.257"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.4.212"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.10.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.15.65"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.72"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8569b4ada1e0b9bfaa125bd0c0967918b6560fa2"},{"url":"https://git.kernel.org/stable/c/4c34a2a6c9927c239dd2e295a03d49b37b618d2c"},{"url":"https://git.kernel.org/stable/c/ddffe882d74ef43a3494f0ab0c24baf076c45f96"},{"url":"https://git.kernel.org/stable/c/934e49f7d696afdae9f979abe3f308408184e17b"},{"url":"https://git.kernel.org/stable/c/dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77"},{"url":"https://git.kernel.org/stable/c/e4ae97295984ff1b9b340ed18ae1b066f36b7835"},{"url":"https://git.kernel.org/stable/c/d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e"},{"url":"https://git.kernel.org/stable/c/c3b0f72e805f0801f05fa2aa52011c4bfc694c44"}],"title":"ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead","x_generator":{"engine":"bippy-1.2.0"}}}}