In the Linux kernel, the following vulnerability has been resolved:
dmaengine: Fix double increment of client_count in dma_chan_get()
The first time dma_chan_get() is called for a channel, the channel client_count is incorrectly incremented twice for public channels, first in balance_ref_count(), and again prior to returning. This results in an incorrect client count which will lead to the channel resources not being freed when they should be. A simple test of repeated module load and unload of async_tx on a Dell Power Edge R7425 also shows this resulting in a kref underflow warning.
[  124.329662] async_tx: api initialized (async)
[  129.000627] async_tx: api initialized (async)
[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash dm_log dm_mod [last unloaded: async_tx]
[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not tainted 5.14.0-185.el9.x86_64 #1
[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS 1.18.0 01/17/2022
[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d 26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff 48 c7
[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000) knlGS:0000000000000000
[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[  130.219729] Call Trace:
[  130.222192]  <TASK>
[  130.224305]  dma_chan_put+0x10d/0x110
[  130.227988]  dmaengine_put+0x7a/0xa0
[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
[  130.242652]  do_syscall_64+0x5c/0x90
[  130.246240]  ? exc_page_fault+0x62/0x150
[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  130.255243] RIP: 0033:0x7f6463a3f5ab
[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[  130.320875]  </TASK>
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---
cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2
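The ordering bug can be shown with a small model of the two refcount paths described above. This is an added illustration, not the kernel's dmaengine code: the struct, the single global dmaengine_ref_count (assumed to be 1, as when async_tx alone holds a dmaengine reference) and the helper names are simplifications of the real functions.

```c
#include <stdbool.h>

/* Simplified model of dma_chan_get()/dma_chan_put() refcounting (added
 * illustration, not kernel code); dmaengine_ref_count = 1 as with async_tx loaded. */
static int dmaengine_ref_count = 1;
struct chan {
    int client_count;          /* what /sys/class/dma/dmaXchanY/in_use shows */
    bool is_private;           /* DMA_PRIVATE channels are never balanced */
    bool resources_allocated;
};

/* Like balance_ref_count(): raise a public channel's count to the client total. */
static void balance_ref_count(struct chan *c)
{
    while (c->client_count < dmaengine_ref_count)
        c->client_count++;
}

/* First-reference path of dma_chan_get(); `fixed` selects the corrected order. */
static void chan_get(struct chan *c, bool fixed)
{
    if (c->client_count) {          /* already in use: just bump the count */
        c->client_count++;
        return;
    }
    c->resources_allocated = true;  /* device_alloc_chan_resources() */
    if (!fixed && !c->is_private)
        balance_ref_count(c);       /* buggy order: count becomes 1 here... */
    c->client_count++;              /* ...and 2 here (fixed order: 0 -> 1) */
    if (fixed && !c->is_private)
        balance_ref_count(c);       /* fixed order: already 1, loop is a no-op */
}

/* Like dma_chan_put(): free channel resources when the last client leaves. */
static void chan_put(struct chan *c)
{
    if (--c->client_count == 0)
        c->resources_allocated = false;
}

/* One client does get once, then put `puts` times; returns the remaining
 * client_count (nonzero after a put means the resources were never freed). */
static int in_use_after(bool fixed, bool is_private, int puts)
{
    struct chan c = { .client_count = 0, .is_private = is_private };
    chan_get(&c, fixed);
    while (puts-- > 0)
        chan_put(&c);
    return c.client_count;
}
```

With the buggy order a single client leaves in_use at 2, matching the sysfs output above, and one put still leaves 1 so the channel is never released.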
Tested-by: Jie Hai <haijie1@huawei.com>