FKIE_CVE-2022-50362

Vulnerability from fkie_nvd - Published: 2025-09-17 15:15 - Updated: 2025-09-18 13:43
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: dmaengine: hisilicon: Add multi-thread support for a DMA channel When we get a DMA channel and try to use it in multiple threads it will cause oops and hanging the system. % echo 100 > /sys/module/dmatest/parameters/threads_per_chan % echo 100 > /sys/module/dmatest/parameters/iterations % echo 1 > /sys/module/dmatest/parameters/run [383493.327077] Unable to handle kernel paging request at virtual address dead000000000108 [383493.335103] Mem abort info: [383493.335103] ESR = 0x96000044 [383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits [383493.335107] SET = 0, FnV = 0 [383493.335108] EA = 0, S1PTW = 0 [383493.335109] FSC = 0x04: level 0 translation fault [383493.335110] Data abort info: [383493.335111] ISV = 0, ISS = 0x00000044 [383493.364739] CM = 0, WnR = 1 [383493.367793] [dead000000000108] address between user and kernel address ranges [383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP [383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump: loaded Tainted: GO 5.17.0-rc4+ #2 [383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [383493.465331] pc : vchan_tx_submit+0x64/0xa0 [383493.469957] lr : vchan_tx_submit+0x34/0xa0 This occurs because the transmission timed out, and that's due to data race. Each thread rewrite channels's descriptor as soon as device_issue_pending is called. It leads to the situation that the driver thinks that it uses the right descriptor in interrupt handler while channels's descriptor has been changed by other thread. The descriptor which in fact reported interrupt will not be handled any more, as well as its tx->callback. That's why timeout reports. With current fixes channels' descriptor changes it's value only when it has been used. A new descriptor is acquired from vc->desc_issued queue that is already filled with descriptors that are ready to be sent. Threads have no direct access to DMA channel descriptor. In case of channel's descriptor is busy, try to submit to HW again when a descriptor is completed. In this case, vc->desc_issued may be empty when hisi_dma_start_transfer is called, so delete error reporting on this. Now it is just possible to queue a descriptor for further processing.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2cbb95883c990d0002a77e13d3278913ab26ad79
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7cb9b20941e1fb20d22d0a2f460a3d4fa417274c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/af12e209a9d559394d35875ba0e6c80407605888
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f4cee0b385cd0348e071d4d80c4c13cfe547c70d
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: hisilicon: Add multi-thread support for a DMA channel\n\nWhen we get a DMA channel and try to use it in multiple threads it\nwill cause oops and hanging the system.\n\n% echo 100 \u003e /sys/module/dmatest/parameters/threads_per_chan\n% echo 100 \u003e /sys/module/dmatest/parameters/iterations\n% echo 1 \u003e /sys/module/dmatest/parameters/run\n[383493.327077] Unable to handle kernel paging request at virtual\n\t\taddress dead000000000108\n[383493.335103] Mem abort info:\n[383493.335103]   ESR = 0x96000044\n[383493.335105]   EC = 0x25: DABT (current EL), IL = 32 bits\n[383493.335107]   SET = 0, FnV = 0\n[383493.335108]   EA = 0, S1PTW = 0\n[383493.335109]   FSC = 0x04: level 0 translation fault\n[383493.335110] Data abort info:\n[383493.335111]   ISV = 0, ISS = 0x00000044\n[383493.364739]   CM = 0, WnR = 1\n[383493.367793] [dead000000000108] address between user and kernel\n\t\taddress ranges\n[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:\n\t\tloaded Tainted: GO 5.17.0-rc4+ #2\n[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT\n\t\t-SSBS BTYPE=--)\n[383493.465331] pc : vchan_tx_submit+0x64/0xa0\n[383493.469957] lr : vchan_tx_submit+0x34/0xa0\n\nThis occurs because the transmission timed out, and that\u0027s due\nto data race. Each thread rewrite channels\u0027s descriptor as soon as\ndevice_issue_pending is called. It leads to the situation that\nthe driver thinks that it uses the right descriptor in interrupt\nhandler while channels\u0027s descriptor has been changed by other\nthread. The descriptor which in fact reported interrupt will not\nbe handled any more, as well as its tx-\u003ecallback.\nThat\u0027s why timeout reports.\n\nWith current fixes channels\u0027 descriptor changes it\u0027s value only\nwhen it has been used. A new descriptor is acquired from\nvc-\u003edesc_issued queue that is already filled with descriptors\nthat are ready to be sent. Threads have no direct access to DMA\nchannel descriptor. In case of channel\u0027s descriptor is busy, try\nto submit to HW again when a descriptor is completed. In this case,\nvc-\u003edesc_issued may be empty when hisi_dma_start_transfer is called,\nso delete error reporting on this. Now it is just possible to queue\na descriptor for further processing."
    }
  ],
  "id": "CVE-2022-50362",
  "lastModified": "2025-09-18T13:43:34.310",
  "metrics": {},
  "published": "2025-09-17T15:15:34.980",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2cbb95883c990d0002a77e13d3278913ab26ad79"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7cb9b20941e1fb20d22d0a2f460a3d4fa417274c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/af12e209a9d559394d35875ba0e6c80407605888"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f4cee0b385cd0348e071d4d80c4c13cfe547c70d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.