{"id":"CVE-2022-50362","summary":"dmaengine: hisilicon: Add multi-thread support for a DMA channel","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: hisilicon: Add multi-thread support for a DMA channel\n\nWhen we get a DMA channel and try to use it in multiple threads it\nwill cause oops and hanging the system.\n\n% echo 100 \u003e /sys/module/dmatest/parameters/threads_per_chan\n% echo 100 \u003e /sys/module/dmatest/parameters/iterations\n% echo 1 \u003e /sys/module/dmatest/parameters/run\n[383493.327077] Unable to handle kernel paging request at virtual\n\t\taddress dead000000000108\n[383493.335103] Mem abort info:\n[383493.335103]   ESR = 0x96000044\n[383493.335105]   EC = 0x25: DABT (current EL), IL = 32 bits\n[383493.335107]   SET = 0, FnV = 0\n[383493.335108]   EA = 0, S1PTW = 0\n[383493.335109]   FSC = 0x04: level 0 translation fault\n[383493.335110] Data abort info:\n[383493.335111]   ISV = 0, ISS = 0x00000044\n[383493.364739]   CM = 0, WnR = 1\n[383493.367793] [dead000000000108] address between user and kernel\n\t\taddress ranges\n[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:\n\t\tloaded Tainted: GO 5.17.0-rc4+ #2\n[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT\n\t\t-SSBS BTYPE=--)\n[383493.465331] pc : vchan_tx_submit+0x64/0xa0\n[383493.469957] lr : vchan_tx_submit+0x34/0xa0\n\nThis occurs because the transmission timed out, and that's due\nto data race. Each thread rewrite channels's descriptor as soon as\ndevice_issue_pending is called. It leads to the situation that\nthe driver thinks that it uses the right descriptor in interrupt\nhandler while channels's descriptor has been changed by other\nthread. The descriptor which in fact reported interrupt will not\nbe handled any more, as well as its tx-\u003ecallback.\nThat's why timeout reports.\n\nWith current fixes channels' descriptor changes it's value only\nwhen it has been used. A new descriptor is acquired from\nvc-\u003edesc_issued queue that is already filled with descriptors\nthat are ready to be sent. Threads have no direct access to DMA\nchannel descriptor. In case of channel's descriptor is busy, try\nto submit to HW again when a descriptor is completed. In this case,\nvc-\u003edesc_issued may be empty when hisi_dma_start_transfer is called,\nso delete error reporting on this. Now it is just possible to queue\na descriptor for further processing.","modified":"2026-03-20T11:47:25.265695Z","published":"2025-09-17T14:56:14.189Z","related":["SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50362.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2cbb95883c990d0002a77e13d3278913ab26ad79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7cb9b20941e1fb20d22d0a2f460a3d4fa417274c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/af12e209a9d559394d35875ba0e6c80407605888"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f4cee0b385cd0348e071d4d80c4c13cfe547c70d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50362.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50362"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e9f08b65250d73ab70e79e194813f52b8d306784"},{"fixed":"af12e209a9d559394d35875ba0e6c80407605888"},{"fixed":"7cb9b20941e1fb20d22d0a2f460a3d4fa417274c"},{"fixed":"d4a8ec5cc7ff5d442bd49a44f26d74b2021ba4c8"},{"fixed":"f4cee0b385cd0348e071d4d80c4c13cfe547c70d"},{"fixed":"2cbb95883c990d0002a77e13d3278913ab26ad79"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50362.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}