CVE-2022-50362 in Linux
Summary
by MITRE • 09/17/2025
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: hisilicon: Add multi-thread support for a DMA channel
When we get a DMA channel and try to use it in multiple threads it will cause an oops and hang the system.
% echo 100 > /sys/module/dmatest/parameters/threads_per_chan
% echo 100 > /sys/module/dmatest/parameters/iterations
% echo 1 > /sys/module/dmatest/parameters/run
[383493.327077] Unable to handle kernel paging request at virtual address dead000000000108
[383493.335103] Mem abort info:
[383493.335103] ESR = 0x96000044
[383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits
[383493.335107] SET = 0, FnV = 0
[383493.335108] EA = 0, S1PTW = 0
[383493.335109] FSC = 0x04: level 0 translation fault
[383493.335110] Data abort info:
[383493.335111] ISV = 0, ISS = 0x00000044
[383493.364739] CM = 0, WnR = 1
[383493.367793] [dead000000000108] address between user and kernel address ranges
[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump: loaded Tainted: GO 5.17.0-rc4+ #2
[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[383493.465331] pc : vchan_tx_submit+0x64/0xa0
[383493.469957] lr : vchan_tx_submit+0x34/0xa0
This occurs because the transmission timed out, and that's due to a data race. Each thread rewrites the channel's descriptor as soon as device_issue_pending is called. It leads to the situation that the driver thinks that it uses the right descriptor in the interrupt handler while the channel's descriptor has been changed by another thread. The descriptor which in fact reported the interrupt will not be handled any more, nor will its tx->callback. That's why timeouts are reported.
With the current fix the channel's descriptor changes its value only when it has been used. A new descriptor is acquired from the vc->desc_issued queue, which is already filled with descriptors that are ready to be sent. Threads have no direct access to the DMA channel descriptor. If the channel's descriptor is busy, try to submit to HW again when a descriptor is completed. In this case, vc->desc_issued may be empty when hisi_dma_start_transfer is called, so delete the error reporting on this. Now it is just possible to queue a descriptor for further processing.
Analysis
by VulDB Data Team • 12/27/2025
CVE-2022-50362 affects the Linux kernel's DMA engine implementation, specifically the Hisilicon DMA driver. It is a race condition that occurs when multiple threads use the same DMA channel simultaneously. The flaw stems from insufficient synchronization in the driver's descriptor management, leading to system instability and crashes. When concurrent access is exercised through the dmatest module parameters with high thread counts, the kernel hits an invalid memory access that results in an oops and a system hang.
The root cause is a data race in the DMA channel descriptor handling. When multiple threads invoke device_issue_pending concurrently, each thread overwrites the channel's descriptor without synchronization, so the interrupt handler operates on a stale descriptor reference while the descriptor that the hardware actually completed has been replaced by another thread. The faulting address dead000000000108 lies between the user and kernel address ranges; on arm64 it is LIST_POISON1 (0xdead000000000100) plus the offset of a list_head's prev member, so the faulting write (WnR = 1) in vchan_tx_submit is consistent with unlinking a descriptor node that had already been removed from its list. The ESR value 0x96000044 decodes to a data abort from the current exception level with a level 0 translation fault, confirming that the kernel dereferenced an invalid pointer rather than a genuinely mapped address.
The operational impact goes beyond a single crash: the system can hang completely and DMA functionality is lost. The race causes DMA operations to time out because the interrupt handler cannot process the descriptor that actually generated the interrupt, so that descriptor's tx->callback never runs and the DMA channel becomes unresponsive. The fix ensures that the channel's descriptor is replaced only once it has been used: new descriptors are taken from the pre-filled vc->desc_issued queue, a descriptor is started only when the channel is idle, and the next queued descriptor is submitted to the hardware when the current one completes. Threads therefore never touch the channel's in-flight descriptor directly, and descriptor integrity is preserved under concurrent use.
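To make the failure mode concrete, the following is an added user-space model, written for this write-up and not the hisi_dma driver's own code, of the unpatched and patched descriptor handling: with the unpatched logic every issue_pending call overwrites the channel's in-flight descriptor, so the completion handler acts on the wrong descriptor and the earlier ones never see their callback; with the patched logic a descriptor is started only when the channel is idle and the next one is taken from the issued queue on completion. The names issued, hw, cur and run_scenario are the model's own assumptions, not driver identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model of the race in the commit message, not the hisi_dma
 * driver's code; "threads" are modelled by issuing descriptors back to back. */
#define NDESC 8
struct desc { bool completed; };
struct chan {
	struct desc *issued[NDESC]; int ihead, itail; /* vc->desc_issued */
	struct desc *hw[NDESC];     int hhead, htail; /* what the HW finishes, in order */
	struct desc *cur;   /* chan->desc: the driver's idea of the in-flight descriptor */
	bool fixed;         /* model the patched behaviour? */
};

/* Patched start_transfer: an empty issued queue is simply "nothing to do". */
static void start_transfer(struct chan *c)
{
	if (c->ihead == c->itail) return;
	c->cur = c->issued[c->ihead++];
	c->hw[c->htail++] = c->cur;  /* write the SQ entry; HW completes in order */
}

static void issue_pending(struct chan *c, struct desc *d)
{
	c->issued[c->itail++] = d;
	if (!c->fixed || !c->cur)    /* unpatched: always restart; patched: only if idle */
		start_transfer(c);
}

/* Completion IRQ: the HW finished hw[hhead], but the handler only knows chan->desc.
 * Returns true when the handler completed the descriptor that really finished. */
static bool complete_irq(struct chan *c)
{
	struct desc *finished = c->hw[c->hhead++], *seen = c->cur;
	if (!seen) return false;
	seen->completed = true;      /* vchan_cookie_complete -> tx->callback */
	c->cur = NULL;
	if (c->fixed) start_transfer(c);   /* patched: submit the next queued descriptor */
	return seen == finished;
}

/* Issue n descriptors back to back, deliver their n completion IRQs in HW order,
 * and return how many descriptors ever saw their completion callback. */
static int run_scenario(bool fixed, int n)
{
	struct chan c = { .fixed = fixed };
	struct desc d[NDESC] = { { false } };
	int i, done = 0;
	for (i = 0; i < n; i++) issue_pending(&c, &d[i]);
	for (i = 0; i < n; i++) complete_irq(&c);
	for (i = 0; i < n; i++) done += d[i].completed;
	return done;
}
```

With three descriptors issued back to back, the unpatched model completes only the last one (the first two time out, as dmatest reports), while the patched model completes all three and every IRQ is handled against the descriptor the hardware really finished.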
This vulnerability maps to CWE-362, which covers race conditions in concurrent code, and aligns with ATT&CK technique T1499.004 for endpoint denial of service through resource exhaustion. The fix improves kernel-level synchronization for DMA channel operations so that the Hisilicon DMA driver handles multi-threaded access correctly: threads no longer modify the channel's descriptor directly, and a queue-based approach manages the descriptor lifecycle instead. This prevents one thread's descriptor update from invalidating the context of another thread's interrupt handling, resolving both the immediate kernel oops and the underlying concurrency defect behind the hangs and timeouts.