CVE-2022-50375
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-18

Last updated on: 2025-12-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can still occur which in turn tries to access dma apis if lpuart_dma_tx_use flag is true. At this point since dma is torn down, these dma apis can abort. Set lpuart_dma_tx_use and the corresponding rx flag lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not accessed after they are relinquished. Otherwise, when try to kill btattach, kernel may panic. This patch may fix this issue. root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200 ^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP [ 90.189806] Modules linked in: moal(O) mlan(O) [ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37 [ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT) [ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60 [ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c [ 90.225237] sp : ffff800013f0bac0 [ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800 [ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00 [ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000 [ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000 [ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040 [ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090 [ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804 [ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480 [ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800 [ 90.299876] Call trace: [ 90.302321] fsl_edma3_disable_request+0x8/0x60 [ 90.306851] lpuart_flush_buffer+0x40/0x160 [ 90.311037] uart_flush_buffer+0x88/0x120 [ 90.315050] tty_driver_flush_buffer+0x20/0x30 [ 90.319496] hci_uart_flush+0x44/0x90 [ 90.323162] +0x34/0x12c [ 90.327253] tty_ldisc_close+0x38/0x70 [ 90.331005] tty_ldisc_release+0xa8/0x190 [ 90.335018] tty_release_struct+0x24/0x8c [ 90.339022] tty_release+0x3ec/0x4c0 [ 90.342593] __fput+0x70/0x234 [ 90.345652] ____fput+0x14/0x20 [ 90.348790] task_work_run+0x84/0x17c [ 90.352455] do_exit+0x310/0x96c [ 90.355688] do_group_exit+0x3c/0xa0 [ 90.359259] __arm64_sys_exit_group+0x1c/0x20 [ 90.363609] invoke_syscall+0x48/0x114 [ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc [ 90.372068] do_el0_svc+0x2c/0x94 [ 90.375379] el0_svc+0x28/0x80 [ 90.378438] el0t_64_sync_handler+0xa8/0x130 [ 90.382711] el0t_64_sync+0x1a0/0x1a4 [ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041) [ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]--- [ 90.397073] note: btattach[503] exited with preempt_count 1 [ 90.402636] Fixing recursive fault but reboot is needed!
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-18
Last Modified
2025-12-11
Generated
2026-05-06
AI Q&A
2025-09-18
EPSS Evaluated
2026-05-05
NVD
CVE-2022-50375
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 4.9 (inc) to 5.4.220 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.150 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.75 (exc)
linux linux_kernel From 5.16 (inc) to 5.19.17 (exc)
linux linux_kernel From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's serial driver for fsl_lpuart. When the lpuart_dma_shutdown function tears down the DMA (Direct Memory Access), certain flags indicating DMA usage (lpuart_dma_tx_use and lpuart_dma_rx_use) are not reset to false. As a result, another function, lpuart_flush_buffer, may still attempt to access DMA APIs after the DMA has been shut down, which can cause the kernel to abort or panic. This issue can happen, for example, when trying to kill the btattach process, leading to a kernel panic and system instability.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to panic and crash when certain serial device operations are performed, such as terminating the btattach process. Kernel panics lead to system instability, unexpected reboots, and potential loss of data or service availability. This can disrupt normal operation of devices relying on the affected serial driver, impacting system reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing kernel panic messages related to dma API access after dma shutdown, especially when using the btattach command on affected devices. For example, running the command `btattach -B /dev/ttyLP2 -S 115200` may trigger the issue and produce kernel error logs indicating synchronous external aborts and stack traces involving fsl_edma3_disable_request and lpuart_flush_buffer. Monitoring dmesg or kernel logs for such errors can help detect the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying the patch that disables dma rx/tx use flags in lpuart_dma_shutdown to prevent dma APIs from being accessed after dma is torn down. Until the patch is applied, avoid killing btattach processes or using affected serial devices in a way that triggers dma shutdown to prevent kernel panics. Rebooting the system after encountering the issue is also necessary as indicated by the kernel logs.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart