CVE-2022-50362
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/09/2025
Last modified:
18/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: hisilicon: Add multi-thread support for a DMA channel

When we get a DMA channel and try to use it in multiple threads it
will cause an oops and hang the system.

% echo 100 > /sys/module/dmatest/parameters/threads_per_chan
% echo 100 > /sys/module/dmatest/parameters/iterations
% echo 1 > /sys/module/dmatest/parameters/run
[383493.327077] Unable to handle kernel paging request at virtual
address dead000000000108
[383493.335103] Mem abort info:
[383493.335103] ESR = 0x96000044
[383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits
[383493.335107] SET = 0, FnV = 0
[383493.335108] EA = 0, S1PTW = 0
[383493.335109] FSC = 0x04: level 0 translation fault
[383493.335110] Data abort info:
[383493.335111] ISV = 0, ISS = 0x00000044
[383493.364739] CM = 0, WnR = 1
[383493.367793] [dead000000000108] address between user and kernel
address ranges
[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:
loaded Tainted: GO 5.17.0-rc4+ #2
[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT
-SSBS BTYPE=--)
[383493.465331] pc : vchan_tx_submit+0x64/0xa0
[383493.469957] lr : vchan_tx_submit+0x34/0xa0

This occurs because the transmission timed out, and that's due
to a data race. Each thread rewrites the channel's descriptor as soon as
device_issue_pending is called. It leads to the situation that
the driver thinks that it uses the right descriptor in the interrupt
handler while the channel's descriptor has been changed by another
thread. The descriptor which in fact reported the interrupt will not
be handled any more, nor will its tx->callback.
That's why the timeout is reported.

With the current fixes, the channel's descriptor changes its value only
when it has been used. A new descriptor is acquired from the
vc->desc_issued queue that is already filled with descriptors
that are ready to be sent. Threads have no direct access to the DMA
channel descriptor. In case the channel's descriptor is busy, try
to submit to HW again when a descriptor is completed. In this case,
vc->desc_issued may be empty when hisi_dma_start_transfer is called,
so delete error reporting on this. Now it is just possible to queue
a descriptor for further processing.
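
The interleaving described above, replayed in a deterministic single-threaded C model (an added example, not the driver's code or the upstream patch). `struct chan`, `run_model` and the three-descriptor workload are assumptions made for illustration; the queue stands in for `vc->desc_issued`.

```c
#include <stdio.h>
#define NDESC 3
struct desc { int done; };          /* done = tx->callback ran */
struct chan {
    struct desc *queue[NDESC];      /* stands in for vc->desc_issued */
    struct desc *cur;               /* descriptor the channel treats as in flight */
    int head, tail, fixed;          /* fixed: 0 = racy, 1 = behaviour after the fix */
};

/* Take the next ready descriptor, or go idle if none is queued. */
static void start_transfer(struct chan *c)
{
    c->cur = (c->head < c->tail) ? c->queue[c->head++] : NULL;
}

/* Called by each submitting thread. */
static void issue_pending(struct chan *c, struct desc *d)
{
    c->queue[c->tail++] = d;
    if (!c->fixed || !c->cur)       /* fix: leave a busy descriptor alone */
        start_transfer(c);
}

/* Completion interrupt: run the callback for c->cur, then feed the HW again. */
static void irq(struct chan *c)
{
    if (c->cur)
        c->cur->done = 1;
    start_transfer(c);
}

/* NDESC submissions land before the first interrupt; returns callbacks run. */
int run_model(int fixed)
{
    struct desc d[NDESC] = { {0} };
    struct chan c = { .fixed = fixed };
    int i, completed = 0;
    for (i = 0; i < NDESC; i++)
        issue_pending(&c, &d[i]);
    while (c.cur)
        irq(&c);
    for (i = 0; i < NDESC; i++)
        completed += d[i].done;
    return completed;
}

int main(void)
{
    return printf("racy %d/%d, fixed %d/%d\n", run_model(0), NDESC, run_model(1), NDESC) < 0;
}
```

In the racy mode only the last descriptor's callback runs, which is the lost completion that surfaces as a timeout; in the fixed mode every queued descriptor completes in order.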
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2cbb95883c990d0002a77e13d3278913ab26ad79
- https://git.kernel.org/stable/c/7cb9b20941e1fb20d22d0a2f460a3d4fa417274c
- https://git.kernel.org/stable/c/af12e209a9d559394d35875ba0e6c80407605888
- https://git.kernel.org/stable/c/d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8
- https://git.kernel.org/stable/c/f4cee0b385cd0348e071d4d80c4c13cfe547c70d