CVE-2022-50375 (GCVE-0-2022-50375)
Vulnerability from cvelistv5
Published
2025-09-18 13:32
Modified
2025-09-18 13:32
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can still occur which in turn tries to access dma apis if lpuart_dma_tx_use flag is true. At this point since dma is torn down, these dma apis can abort. Set lpuart_dma_tx_use and the corresponding rx flag lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not accessed after they are relinquished. Otherwise, when try to kill btattach, kernel may panic. This patch may fix this issue. root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200 ^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP [ 90.189806] Modules linked in: moal(O) mlan(O) [ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37 [ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT) [ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60 [ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c [ 90.225237] sp : ffff800013f0bac0 [ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800 [ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00 [ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000 [ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000 [ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040 [ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090 [ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804 [ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480 [ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800 [ 90.299876] Call trace: [ 90.302321] fsl_edma3_disable_request+0x8/0x60 [ 90.306851] lpuart_flush_buffer+0x40/0x160 [ 90.311037] uart_flush_buffer+0x88/0x120 [ 90.315050] tty_driver_flush_buffer+0x20/0x30 [ 90.319496] hci_uart_flush+0x44/0x90 [ 90.323162] +0x34/0x12c [ 90.327253] tty_ldisc_close+0x38/0x70 [ 90.331005] tty_ldisc_release+0xa8/0x190 [ 90.335018] tty_release_struct+0x24/0x8c [ 90.339022] tty_release+0x3ec/0x4c0 [ 90.342593] __fput+0x70/0x234 [ 90.345652] ____fput+0x14/0x20 [ 90.348790] task_work_run+0x84/0x17c [ 90.352455] do_exit+0x310/0x96c [ 90.355688] do_group_exit+0x3c/0xa0 [ 90.359259] __arm64_sys_exit_group+0x1c/0x20 [ 90.363609] invoke_syscall+0x48/0x114 [ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc [ 90.372068] do_el0_svc+0x2c/0x94 [ 90.375379] el0_svc+0x28/0x80 [ 90.378438] el0t_64_sync_handler+0xa8/0x130 [ 90.382711] el0t_64_sync+0x1a0/0x1a4 [ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041) [ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]--- [ 90.397073] note: btattach[503] exited with preempt_count 1 [ 90.402636] Fixing recursive fault but reboot is needed!
Impacted products
Vendor Product Version
Linux Linux Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Version: 6250cc30c4c4e25393ba247f71bdc04b6af3191b
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/fsl_lpuart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "29b897ac7b990882c74bd08605692214e7e58b83",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            },
            {
              "lessThan": "9a56ade124d4891a31ab1300c57665f07f5b24d5",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            },
            {
              "lessThan": "c4293def8860fd587a84400ccba5b49cec56e2c3",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            },
            {
              "lessThan": "d554c14eb73ee91d76fc9aece4616f0b687c295d",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            },
            {
              "lessThan": "3953e7f261e2f4d9c35f0c025df9f166f46aa626",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            },
            {
              "lessThan": "316ae95c175a7d770d1bfe4c011192712f57aa4a",
              "status": "affected",
              "version": "6250cc30c4c4e25393ba247f71bdc04b6af3191b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/fsl_lpuart.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown\n\nlpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can\nstill occur which in turn tries to access dma apis if lpuart_dma_tx_use\nflag is true. At this point since dma is torn down, these dma apis can\nabort. Set lpuart_dma_tx_use and the corresponding rx flag\nlpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not\naccessed after they are relinquished.\n\nOtherwise, when try to kill btattach, kernel may panic. This patch may\nfix this issue.\nroot@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200\n^C[   90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP\n[   90.189806] Modules linked in: moal(O) mlan(O)\n[   90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G           O      5.15.32-06136-g34eecdf2f9e4 #37\n[   90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)\n[   90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   90.215470] pc : fsl_edma3_disable_request+0x8/0x60\n[   90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c\n[   90.225237] sp : ffff800013f0bac0\n[   90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800\n[   90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00\n[   90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000\n[   90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000\n[   90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[   90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040\n[   90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090\n[   90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804\n[   90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480\n[   90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800\n[   90.299876] Call trace:\n[   90.302321]  fsl_edma3_disable_request+0x8/0x60\n[   90.306851]  lpuart_flush_buffer+0x40/0x160\n[   90.311037]  uart_flush_buffer+0x88/0x120\n[   90.315050]  tty_driver_flush_buffer+0x20/0x30\n[   90.319496]  hci_uart_flush+0x44/0x90\n[   90.323162]  +0x34/0x12c\n[   90.327253]  tty_ldisc_close+0x38/0x70\n[   90.331005]  tty_ldisc_release+0xa8/0x190\n[   90.335018]  tty_release_struct+0x24/0x8c\n[   90.339022]  tty_release+0x3ec/0x4c0\n[   90.342593]  __fput+0x70/0x234\n[   90.345652]  ____fput+0x14/0x20\n[   90.348790]  task_work_run+0x84/0x17c\n[   90.352455]  do_exit+0x310/0x96c\n[   90.355688]  do_group_exit+0x3c/0xa0\n[   90.359259]  __arm64_sys_exit_group+0x1c/0x20\n[   90.363609]  invoke_syscall+0x48/0x114\n[   90.367362]  el0_svc_common.constprop.0+0xd4/0xfc\n[   90.372068]  do_el0_svc+0x2c/0x94\n[   90.375379]  el0_svc+0x28/0x80\n[   90.378438]  el0t_64_sync_handler+0xa8/0x130\n[   90.382711]  el0t_64_sync+0x1a0/0x1a4\n[   90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)\n[   90.392467] ---[ end trace 2f60524b4a43f1f6 ]---\n[   90.397073] note: btattach[503] exited with preempt_count 1\n[   90.402636] Fixing recursive fault but reboot is needed!"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-18T13:32:58.361Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/29b897ac7b990882c74bd08605692214e7e58b83"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a56ade124d4891a31ab1300c57665f07f5b24d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4293def8860fd587a84400ccba5b49cec56e2c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d554c14eb73ee91d76fc9aece4616f0b687c295d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3953e7f261e2f4d9c35f0c025df9f166f46aa626"
        },
        {
          "url": "https://git.kernel.org/stable/c/316ae95c175a7d770d1bfe4c011192712f57aa4a"
        }
      ],
      "title": "tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50375",
    "datePublished": "2025-09-18T13:32:58.361Z",
    "dateReserved": "2025-09-17T14:53:06.996Z",
    "dateUpdated": "2025-09-18T13:32:58.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50375\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-18T14:15:36.110\",\"lastModified\":\"2025-09-19T16:00:46.437\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown\\n\\nlpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can\\nstill occur which in turn tries to access dma apis if lpuart_dma_tx_use\\nflag is true. At this point since dma is torn down, these dma apis can\\nabort. Set lpuart_dma_tx_use and the corresponding rx flag\\nlpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not\\naccessed after they are relinquished.\\n\\nOtherwise, when try to kill btattach, kernel may panic. This patch may\\nfix this issue.\\nroot@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200\\n^C[   90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP\\n[   90.189806] Modules linked in: moal(O) mlan(O)\\n[   90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G           O      5.15.32-06136-g34eecdf2f9e4 #37\\n[   90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)\\n[   90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[   90.215470] pc : fsl_edma3_disable_request+0x8/0x60\\n[   90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c\\n[   90.225237] sp : ffff800013f0bac0\\n[   90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800\\n[   90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00\\n[   90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000\\n[   90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000\\n[   90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\n[   90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040\\n[   90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090\\n[   90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804\\n[   90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480\\n[   90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800\\n[   90.299876] Call trace:\\n[   90.302321]  fsl_edma3_disable_request+0x8/0x60\\n[   90.306851]  lpuart_flush_buffer+0x40/0x160\\n[   90.311037]  uart_flush_buffer+0x88/0x120\\n[   90.315050]  tty_driver_flush_buffer+0x20/0x30\\n[   90.319496]  hci_uart_flush+0x44/0x90\\n[   90.323162]  +0x34/0x12c\\n[   90.327253]  tty_ldisc_close+0x38/0x70\\n[   90.331005]  tty_ldisc_release+0xa8/0x190\\n[   90.335018]  tty_release_struct+0x24/0x8c\\n[   90.339022]  tty_release+0x3ec/0x4c0\\n[   90.342593]  __fput+0x70/0x234\\n[   90.345652]  ____fput+0x14/0x20\\n[   90.348790]  task_work_run+0x84/0x17c\\n[   90.352455]  do_exit+0x310/0x96c\\n[   90.355688]  do_group_exit+0x3c/0xa0\\n[   90.359259]  __arm64_sys_exit_group+0x1c/0x20\\n[   90.363609]  invoke_syscall+0x48/0x114\\n[   90.367362]  el0_svc_common.constprop.0+0xd4/0xfc\\n[   90.372068]  do_el0_svc+0x2c/0x94\\n[   90.375379]  el0_svc+0x28/0x80\\n[   90.378438]  el0t_64_sync_handler+0xa8/0x130\\n[   90.382711]  el0t_64_sync+0x1a0/0x1a4\\n[   90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)\\n[   90.392467] ---[ end trace 2f60524b4a43f1f6 ]---\\n[   90.397073] note: btattach[503] exited with preempt_count 1\\n[   90.402636] Fixing recursive fault but reboot is needed!\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/29b897ac7b990882c74bd08605692214e7e58b83\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/316ae95c175a7d770d1bfe4c011192712f57aa4a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3953e7f261e2f4d9c35f0c025df9f166f46aa626\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a56ade124d4891a31ab1300c57665f07f5b24d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c4293def8860fd587a84400ccba5b49cec56e2c3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d554c14eb73ee91d76fc9aece4616f0b687c295d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…