CVE-2022-50375

Source
https://cve.org/CVERecord?id=CVE-2022-50375
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50375.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50375
Published
2025-09-18T13:32:58.361Z
Modified
2026-04-02T08:28:27.618924Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown

lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can still occur which in turn tries to access dma apis if lpuart_dma_tx_use flag is true. At this point since dma is torn down, these dma apis can abort. Set lpuart_dma_tx_use and the corresponding rx flag lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not accessed after they are relinquished.

Otherwise, when trying to kill btattach, the kernel may panic. This patch may fix this issue.

root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200
^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
[ 90.189806] Modules linked in: moal(O) mlan(O)
[ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37
[ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)
[ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60
[ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c
[ 90.225237] sp : ffff800013f0bac0
[ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800
[ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00
[ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000
[ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000
[ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040
[ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090
[ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804
[ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480
[ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800
[ 90.299876] Call trace:
[ 90.302321] fsl_edma3_disable_request+0x8/0x60
[ 90.306851] lpuart_flush_buffer+0x40/0x160
[ 90.311037] uart_flush_buffer+0x88/0x120
[ 90.315050] tty_driver_flush_buffer+0x20/0x30
[ 90.319496] hci_uart_flush+0x44/0x90
[ 90.323162] +0x34/0x12c
[ 90.327253] tty_ldisc_close+0x38/0x70
[ 90.331005] tty_ldisc_release+0xa8/0x190
[ 90.335018] tty_release_struct+0x24/0x8c
[ 90.339022] tty_release+0x3ec/0x4c0
[ 90.342593] __fput+0x70/0x234
[ 90.345652] ____fput+0x14/0x20
[ 90.348790] task_work_run+0x84/0x17c
[ 90.352455] do_exit+0x310/0x96c
[ 90.355688] do_group_exit+0x3c/0xa0
[ 90.359259] __arm64_sys_exit_group+0x1c/0x20
[ 90.363609] invoke_syscall+0x48/0x114
[ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc
[ 90.372068] do_el0_svc+0x2c/0x94
[ 90.375379] el0_svc+0x28/0x80
[ 90.378438] el0t_64_sync_handler+0xa8/0x130
[ 90.382711] el0t_64_sync+0x1a0/0x1a4
[ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)
[ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]---
[ 90.397073] note: btattach[503] exited with preempt_count 1
[ 90.402636] Fixing recursive fault but reboot is needed!

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50375.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6250cc30c4c4e25393ba247f71bdc04b6af3191b
Fixed
29b897ac7b990882c74bd08605692214e7e58b83
Fixed
9a56ade124d4891a31ab1300c57665f07f5b24d5
Fixed
c4293def8860fd587a84400ccba5b49cec56e2c3
Fixed
d554c14eb73ee91d76fc9aece4616f0b687c295d
Fixed
3953e7f261e2f4d9c35f0c025df9f166f46aa626
Fixed
316ae95c175a7d770d1bfe4c011192712f57aa4a

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50375.json"