CVE-2022-49983 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: Set the DMA mask for the udmabuf device (v2)
If the DMA mask is not set explicitly, the following warning occurs when the userspace tries to access the dma-buf via the CPU as reported by syzbot here:
WARNING: CPU: 1 PID: 3595 at kernel/dma/mapping.c:188 __dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Modules linked in:
CPU: 0 PID: 3595 Comm: syz-executor249 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 71 4c 8b 3d c0 83 b5 0d e9 db fe ff ff e8 b6 0f 13 00 0f 0b e8 af 0f 13 00 <0f> 0b 45 31 e4 e9 54 ff ff ff e8 a0 0f 13 00 49 8d 7f 50 48 b8 00
RSP: 0018:ffffc90002a07d68 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88807e25e2c0 RSI: ffffffff81649e91 RDI: ffff88801b848408
RBP: ffff88801b848000 R08: 0000000000000002 R09: ffff88801d86c74f
R10: ffffffff81649d72 R11: 0000000000000001 R12: 0000000000000002
R13: ffff88801d86c680 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555556e30300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200000cc CR3: 000000001d74a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 dma_map_sgtable+0x70/0xf0 kernel/dma/mapping.c:264
 get_sg_table.isra.0+0xe0/0x160 drivers/dma-buf/udmabuf.c:72
 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1164
 dma_buf_ioctl+0x259/0x2b0 drivers/dma-buf/dma-buf.c:363
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f62fcf530f9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3edab9b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f62fcf530f9
RDX: 0000000020000200 RSI: 0000000040086200 RDI: 0000000000000006
RBP: 00007f62fcf170e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f62fcf17170
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
v2: Don't forget to deregister if DMA mask setup fails.
Analysis
by VulDB Data Team • 11/30/2025
The vulnerability described in CVE-2022-49983 affects the Linux kernel's udmabuf subsystem, which provides a mechanism for userspace applications to access DMA buffers through the dma-buf framework. This issue arises when the DMA mask for a udmabuf device is not explicitly set, leading to a warning condition during CPU access attempts to the dma-buf. The problem manifests in kernel version 5.17.0-rc2 and is triggered when userspace tries to access DMA-capable memory regions through the CPU interface. The warning originates from kernel/dma/mapping.c at line 188 in the __dma_map_sg_attrs function, indicating an improper DMA mapping setup that could lead to system instability or data corruption.
The technical flaw occurs within the udmabuf driver's device initialization process where the DMA mask is not properly configured for the device. This omission causes the kernel's DMA mapping subsystem to detect an invalid or missing DMA mask configuration when userspace attempts to map DMA buffers for CPU access. The call trace shows the execution path from userspace ioctl calls through the dma-buf framework down to the core DMA mapping functions, where the failure occurs during the mapping process. The missing DMA mask prevents proper DMA address translation and memory mapping, causing the kernel to emit warnings that may indicate more serious underlying issues with DMA operations.
The operational impact of this vulnerability is significant for systems relying on udmabuf functionality, particularly in embedded systems, virtualization environments, or any setup where DMA buffers are accessed via userspace applications. When the DMA mask is not properly set, the system may experience degraded performance, memory access failures, or potential system crashes during DMA operations. The vulnerability affects the reliability of DMA buffer management, which is critical for high-performance computing, graphics processing, and network I/O operations. Systems using virtualization technologies or devices requiring direct memory access may be particularly susceptible to instability or data integrity issues.
The fix addresses this issue by explicitly setting the DMA mask for the udmabuf device during initialization. Version 2 of the fix also ensures proper cleanup by deregistering the device if the DMA mask setup fails, preventing resource leaks or an inconsistent device state. This remediation aligns with common security practices for kernel subsystems and follows the principle of least privilege by ensuring proper resource initialization. The solution follows established patterns in kernel development for DMA device management and removes the warning condition that could lead to more serious operational failures. This vulnerability demonstrates the importance of proper resource initialization in kernel drivers and aligns with CWE-754 (Improper Check for Unusual or Exceptional Conditions) and ATT&CK technique T1068 (Exploitation for Privilege Escalation) through improper system configuration. The fix ensures that the udmabuf device is properly configured for DMA operations before being made available to userspace, thereby maintaining system stability and preventing potential denial-of-service conditions.
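The v2 fix described above, modelled in userspace C as an added example (not the kernel's own code): `struct device`, `struct miscdevice`, `dma_supported` and `dma_map_sgtable` are constructed stand-ins, and `dma_supported` rejects a zero mask purely to exercise the failure path; the `dma_coerce_mask_and_coherent` pointer step and the register / set-mask / deregister-on-failure ordering in `udmabuf_dev_init` follow the kernel's.

```c
/* Added userspace model of the CVE-2022-49983 fix; not the kernel's own code.
 * Mirrored kernel facts: struct device holds dma_mask as a POINTER, the misc
 * core leaves it NULL, and __dma_map_sg_attrs() then warns and maps nothing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL << (n)) - 1))
struct device { uint64_t *dma_mask; uint64_t coherent_dma_mask; };
struct miscdevice { const char *name; struct device dev; int registered; };
static struct miscdevice udmabuf_misc = { .name = "udmabuf" };
static int misc_register(struct miscdevice *m)
{
    m->dev.dma_mask = NULL;             /* misc core sets no DMA mask */
    m->dev.coherent_dma_mask = 0;
    m->registered = 1;
    return 0;
}
static void misc_deregister(struct miscdevice *m) { m->registered = 0; }
/* Constructed stand-in for the platform's dma_supported(): any non-zero mask
 * is accepted; a zero mask is the failure case that exercises the cleanup. */
static int dma_supported(struct device *dev, uint64_t mask) { (void)dev; return mask != 0; }
static int dma_set_mask_and_coherent(struct device *dev, uint64_t mask)
{
    if (!dev->dma_mask || !dma_supported(dev, mask))
        return -EIO;                    /* same error code the kernel returns */
    *dev->dma_mask = mask;
    dev->coherent_dma_mask = mask;
    return 0;
}
/* The "coerce" step: point dma_mask at coherent_dma_mask, then set both. */
static int dma_coerce_mask_and_coherent(struct device *dev, uint64_t mask)
{
    dev->dma_mask = &dev->coherent_dma_mask;
    return dma_set_mask_and_coherent(dev, mask);
}
/* Model of dma_map_sgtable(): with no mask, warn and map zero entries. */
static int dma_map_sgtable(struct device *dev, int nents)
{
    if (!dev->dma_mask) { fprintf(stderr, "WARNING: no dma_mask\n"); return 0; }
    return nents;
}
/* Fixed init in the v2 order: register, set the mask, deregister on failure. */
static int udmabuf_dev_init(uint64_t mask)
{
    int ret = misc_register(&udmabuf_misc);
    if (ret < 0) return ret;
    ret = dma_coerce_mask_and_coherent(&udmabuf_misc.dev, mask);
    if (ret < 0) { misc_deregister(&udmabuf_misc); return ret; }
    return 0;
}
```

Registering without the mask step reproduces the zero-entry mapping from the syzbot trace, while the fixed init leaves a 64-bit mask in place and unregisters the device if mask setup fails.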