CVE-2022-49753
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/03/2025
Last modified:
01/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
dmaengine: Fix double increment of client_count in dma_chan_get()<br />
<br />
The first time dma_chan_get() is called for a channel the channel<br />
client_count is incorrectly incremented twice for public channels,<br />
first in balance_ref_count(), and again prior to returning. This<br />
results in an incorrect client count which will lead to the<br />
channel resources not being freed when they should be. A simple<br />
test of repeated module load and unload of async_tx on a Dell<br />
Power Edge R7425 also shows this resulting in a kref underflow<br />
warning.<br />
<br />
[ 124.329662] async_tx: api initialized (async)<br />
[ 129.000627] async_tx: api initialized (async)<br />
[ 130.047839] ------------[ cut here ]------------<br />
[ 130.052472] refcount_t: underflow; use-after-free.<br />
[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28<br />
refcount_warn_saturate+0xba/0x110<br />
[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr<br />
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm<br />
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si<br />
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops<br />
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat<br />
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul<br />
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas<br />
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash<br />
dm_log dm_mod [last unloaded: async_tx]<br />
[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not<br />
tainted 5.14.0-185.el9.x86_64 #1<br />
[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS<br />
1.18.0 01/17/2022<br />
[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110<br />
[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d<br />
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a<br />
bd 55 00 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff<br />
48 c7<br />
[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286<br />
[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000<br />
[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0<br />
[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff<br />
[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970<br />
[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br />
[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)<br />
knlGS:0000000000000000<br />
[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0<br />
[ 130.219729] Call Trace:<br />
[ 130.222192] <br />
[ 130.224305] dma_chan_put+0x10d/0x110<br />
[ 130.227988] dmaengine_put+0x7a/0xa0<br />
[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280<br />
[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0<br />
[ 130.242652] do_syscall_64+0x5c/0x90<br />
[ 130.246240] ? exc_page_fault+0x62/0x150<br />
[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
[ 130.255243] RIP: 0033:0x7f6463a3f5ab<br />
[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48<br />
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00<br />
00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89<br />
01 48<br />
[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:<br />
00000000000000b0<br />
[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab<br />
[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8<br />
[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000<br />
[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8<br />
[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8<br />
[ 130.320875] <br />
[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---<br />
<br />
cat /sys/class/dma/dma0chan*/in_use would get the wrong result.<br />
2<br />
2<br />
2<br />
<br />
Test-by: Jie Hai
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.0 (including) | 4.14.305 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.272 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/142d644fd2cc059ffa042fbfb68e766433ef3afd
- https://git.kernel.org/stable/c/18dd3b30d4c7e8440c63118c7a7b687372b9567f
- https://git.kernel.org/stable/c/1b409e14b4b7af034e0450f95c165b6c5c87dbc1
- https://git.kernel.org/stable/c/42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1
- https://git.kernel.org/stable/c/71c601965532c38030133535f7cd93c1efa75af1
- https://git.kernel.org/stable/c/c6221afe573413fd2981e291f7df4a58283e0654
- https://git.kernel.org/stable/c/f3dc1b3b4750851a94212dba249703dd0e50bb20