CVE-2022-48704 in Linux
Summary
by MITRE • 05/03/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: add a force flush to delay work when radeon
Although radeon card fence and wait for gpu to finish processing current batch rings, there is still a corner case that radeon lockup work queue may not be fully flushed, and meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to put device in D3hot state.

Per PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.

> Configuration and Message requests are the only TLPs accepted by a Function in
> the D3hot state. All other received Requests must be handled as Unsupported Requests,
> and all received Completions may optionally be handled as Unexpected Completions.

This issue will happen in following logs:

Unable to handle kernel paging request at virtual address 00008800e0008010
CPU 0 kworker/0:3(131): Oops 0
pc = [] ra = [] ps = 0000 Tainted: G W
pc is at si_gpu_check_soft_reset+0x3c/0x240
ra is at si_dma_is_lockup+0x34/0xd0
v0 = 0000000000000000  t0 = fff08800e0008010  t1 = 0000000000010000
t2 = 0000000000008010  t3 = fff00007e3c00000  t4 = fff00007e3c00258
t5 = 000000000000ffff  t6 = 0000000000000001  t7 = fff00007ef078000
s0 = fff00007e3c016e8  s1 = fff00007e3c00000  s2 = fff00007e3c00018
s3 = fff00007e3c00000  s4 = fff00007fff59d80  s5 = 0000000000000000
s6 = fff00007ef07bd98
a0 = fff00007e3c00000  a1 = fff00007e3c016e8  a2 = 0000000000000008
a3 = 0000000000000001  a4 = 8f5c28f5c28f5c29  a5 = ffffffff810f4338
t8 = 0000000000000275  t9 = ffffffff809b66f8  t10 = ff6769c5d964b800
t11 = 000000000000b886  pv = ffffffff811bea20  at = 0000000000000000
gp = ffffffff81d89690  sp = 00000000aa814126
Disabling lock debugging due to kernel taint
Trace:
[] si_dma_is_lockup+0x34/0xd0
[] radeon_fence_check_lockup+0xd0/0x290
[] process_one_work+0x280/0x550
[] worker_thread+0x70/0x7c0
[] worker_thread+0x130/0x7c0
[] kthread+0x200/0x210
[] worker_thread+0x0/0x7c0
[] kthread+0x14c/0x210
[] ret_from_kernel_thread+0x18/0x20
[] kthread+0x0/0x210
Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101 4821ed21

So force lockup work queue flush to fix this problem.
Analysis
by VulDB Data Team • 09/29/2025
CVE-2022-48704 affects the radeon graphics driver in the Linux kernel's direct rendering manager (drm) subsystem. It is an ordering bug in the suspend path rather than a memory-safety flaw in the usual sense: radeon_suspend_kms() waits for the GPU rings to drain and then puts the adapter into PCI D3hot, but it does not guarantee that the driver's delayed lockup-check work has run to completion first. A work item that is still queued can therefore execute against a device that can no longer answer memory-mapped register reads, which on the reporting system produced a kernel oops during suspend.
The failing sequence is this: radeon_suspend_kms() calls pci_set_power_state() to move the adapter into D3hot while radeon_fence_check_lockup() is still armed on the workqueue. Per PCI Express Base Specification revision 4.0, section 5.3.1.4.1, a function in D3hot accepts only Configuration and Message requests; a memory read of the device's registers must be handled as an Unsupported Request. When the delayed work fires, si_dma_is_lockup() calls si_gpu_check_soft_reset(), which reads GPU registers through the MMIO mapping. The oops in the commit message shows exactly that: a kworker thread faulting on virtual address 00008800e0008010 with the program counter in si_gpu_check_soft_reset(), called from si_dma_is_lockup() and radeon_fence_check_lockup(). Note that draining the fences is not enough on its own: the lockup check is scheduled as delayed work and stays queued after the last fence completes, so it can fire after the power-state change unless it is explicitly flushed.
The practical impact is a denial of service: a kernel oops from a kworker during suspend, leaving the machine hung or crashed rather than suspended. Nothing on this page indicates a path to code execution or privilege escalation, and triggering the bug requires the ability to put the system to sleep, so this is a local availability issue on hosts with radeon hardware (the older AMD/ATI cards handled by radeon rather than amdgpu), not a remotely reachable one. The weakness is catalogued as CWE-691 (Insufficient Control Flow Management): the driver does not enforce the required ordering between completing the lockup-check work and changing the device's power state. One caveat when hunting for it: the register names in the oops (v0, t0..t11, pv, gp, at) are not x86 ones, and on platforms whose root complex returns all-ones for an unsupported read instead of raising a fault, the same bug may surface as a spurious lockup detection or a hang rather than this exact backtrace.
The fix is in the kernel: radeon_suspend_kms() flushes each ring's delayed lockup work after the fence wait and before pci_set_power_state() moves the device to D3hot, so nothing remains queued that could touch registers after the transition. No user-space setting removes the race; the only workaround short of patching is not to suspend affected machines (for example by masking the systemd sleep targets), which trades a crash for lost functionality. Operationally, inventory hosts that bind the radeon driver (lsmod, or the driver symlink under /sys/class/drm/card*/device/driver), update them to a kernel carrying this fix, and exercise a suspend/resume cycle afterwards while watching dmesg for si_dma_is_lockup or radeon_fence_check_lockup in a kworker backtrace. There is no meaningful MITRE ATT&CK mapping for a driver ordering bug of this kind; the concern is system stability on machines where automated suspend is routine, not an adversary technique.
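The ordering described above, as an added example that is not code from the kernel or from this page: a small single-threaded C model of radeon_suspend_kms(), the delayed lockup check, and the device's power state. Every name in it (dev_model, lockup_work_fn, mmio_read, suspend_kms, simulate, the suspend_mode values) is an assumption chosen for the model and only loosely mirrors the kernel identifiers. It goes one step beyond the commit by also showing that flushing the work before the fence wait is not enough, because the check re-arms itself while fences are still outstanding.

```c
/*
 * Added model (not kernel code, not from the page): a single-threaded
 * simulation of the ordering bug in radeon_suspend_kms() and of the fix.
 * All identifiers are assumptions made for this model; lockup_work_fn stands
 * in for radeon_fence_check_lockup() and mmio_read for the register reads
 * made by si_gpu_check_soft_reset().
 */
#include <stdbool.h>
#include <stdio.h>

enum pci_power { PCI_D0 = 0, PCI_D3HOT = 3 };

enum suspend_mode {
    NO_FLUSH,            /* the original radeon_suspend_kms() ordering */
    FLUSH_BEFORE_WAIT,   /* flush, then wait for fences: still wrong */
    FLUSH_AFTER_WAIT,    /* wait for fences, then flush: the fix */
};

struct dev_model {
    enum pci_power state;
    int pending_fences;       /* GPU work the fence driver is still tracking */
    bool lockup_work_armed;   /* delayed lockup check queued but not yet run */
    int reads_in_d3hot;       /* MMIO reads issued while the device is in D3hot */
};

/* Register read as the lockup checker does it. A memory read to a function in
 * D3hot is an Unsupported Request (PCIe 4.0 sec. 5.3.1.4.1); the model counts it. */
static unsigned int mmio_read(struct dev_model *dev)
{
    if (dev->state == PCI_D3HOT) {
        dev->reads_in_d3hot++;
        return 0xffffffffu;   /* typical host-side value for a UR completion */
    }
    return 0;
}

/* Body of the delayed work. Like radeon_fence_check_lockup(), it re-arms itself
 * while fences are outstanding, so flushing it too early does not help. */
static void lockup_work_fn(struct dev_model *dev)
{
    dev->lockup_work_armed = false;
    (void)mmio_read(dev);
    if (dev->pending_fences > 0)
        dev->lockup_work_armed = true;
}

/* The workqueue timer firing at some later time. */
static void timer_fires(struct dev_model *dev)
{
    if (dev->lockup_work_armed)
        lockup_work_fn(dev);
}

/* flush_delayed_work() analogue: run the armed work now and return when done. */
static void flush_lockup_work(struct dev_model *dev)
{
    timer_fires(dev);
}

/* radeon_fence_wait_empty() analogue: block until the GPU has drained the ring. */
static void fence_wait_empty(struct dev_model *dev)
{
    dev->pending_fences = 0;
}

/* Suspend path. Returns how many register reads hit the device after D3hot. */
static int suspend_kms(struct dev_model *dev, enum suspend_mode mode)
{
    if (mode == FLUSH_BEFORE_WAIT)
        flush_lockup_work(dev);          /* work re-arms: fence still pending */
    fence_wait_empty(dev);
    if (mode == FLUSH_AFTER_WAIT)
        flush_lockup_work(dev);          /* the fix: nothing stays queued */
    dev->state = PCI_D3HOT;              /* pci_set_power_state(pdev, PCI_D3hot) */
    timer_fires(dev);                    /* whatever is still armed runs now */
    return dev->reads_in_d3hot;
}

/* Start from the corner case the commit describes: a fence in flight and the
 * lockup check already scheduled when suspend begins. */
int simulate(enum suspend_mode mode)
{
    struct dev_model dev = { PCI_D0, 1, true, 0 };
    return suspend_kms(&dev, mode);
}

int main(void)
{
    printf("no flush:          %d read(s) against a D3hot device\n", simulate(NO_FLUSH));
    printf("flush before wait: %d read(s) against a D3hot device\n", simulate(FLUSH_BEFORE_WAIT));
    printf("flush after wait:  %d read(s) against a D3hot device\n", simulate(FLUSH_AFTER_WAIT));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c -o model` and run it. The two wrong orderings each report one register read against a D3hot device (the model's stand-in for the oops); only the flush placed after the fence wait reports zero, which is why the kernel fix flushes in the branch that runs once radeon_fence_wait_empty() has succeeded.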