CVE-2022-49753
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2022-49753 is a use-after-free vulnerability (CWE-416) in the Linux kernel's dmaengine subsystem, caused by a double increment of client_count in the dma_chan_get() function for public DMA channels. The first increment happens inside balance_ref_count() and a second one follows before the function returns, so the channel's reference count ends up one too high. Because the count never drops back to zero, the channel's resources are not freed when the client releases it, as demonstrated by a kref underflow warning during repeated load and unload of the async_tx module on a Dell PowerEdge R7425 server running kernel 5.14.0-185.el9.x86_64. In addition, reading /sys/class/dma/dma0chan*/in_use reports incorrect values, such as 2 for every channel.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability to achieve high confidentiality, integrity, and availability impacts (CVSS 3.1 score of 7.8), potentially triggering use-after-free conditions. The problem manifests during operations such as module unloading (e.g., via modprobe on async_tx), leading to a refcount underflow and warnings from refcount_warn_saturate() in lib/refcount.c, as shown in the kernel trace in the original report, which passes through dma_chan_put() and dmaengine_put().
Mitigation involves applying upstream patches from the Linux kernel stable repository, including commits such as 142d644fd2cc059ffa042fbfb68e766433ef3afd, 18dd3b30d4c7e8440c63118c7a7b687372b9567f, 1b409e14b4b7af034e0450f95c165b6c5c87dbc1, 42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1, and 71c601965532c38030133535f7cd93c1efa75af1, which correct the double increment issue.
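To make the counting error concrete, here is a simplified C model of the first-reference path described above. It is an added example, not the kernel's code: module references and resource allocation are abstracted away, the channel and counter names are only borrowed from the description, and dmaengine_ref_count is assumed to be 1 (a single dmaengine_get() caller).

```c
#include <stdbool.h>
/* Simplified model of the CVE-2022-49753 double increment; added example, not
 * kernel code. Resource allocation and module references are abstracted. */
struct dma_chan {
    int client_count;   /* what /sys/class/dma/.../in_use reports */
    bool is_private;    /* DMA_PRIVATE channels skip balance_ref_count() */
};

static int dmaengine_ref_count = 1;  /* assumption: one dmaengine_get() caller */

/* Raise a public channel's count to the global dmaengine_get() count. */
static void balance_ref_count(struct dma_chan *chan)
{
    while (chan->client_count < dmaengine_ref_count)
        chan->client_count++;
}

/* First reference to an idle channel; 'fixed' selects the patched ordering. */
static void dma_chan_get(struct dma_chan *chan, bool fixed)
{
    if (fixed)
        chan->client_count++;          /* patched: count first, then balance */
    if (!chan->is_private)
        balance_ref_count(chan);       /* the first increment in the bug */
    if (!fixed)
        chan->client_count++;          /* buggy: second increment before return */
}

/* Drop a reference; resources are freed when 0 is returned; -1 marks underflow. */
static int dma_chan_put(struct dma_chan *chan)
{
    if (chan->client_count <= 0)
        return -1;
    return --chan->client_count;
}

/* in_use as sysfs would show it after one client's first get. */
static int in_use_after_get(bool fixed)
{
    struct dma_chan chan = { 0, false };
    dma_chan_get(&chan, fixed);
    return chan.client_count;
}

/* Count left after that client's put: 0 means resources freed, 1 means leaked. */
static int left_after_put(bool fixed)
{
    struct dma_chan chan = { 0, false };
    dma_chan_get(&chan, fixed);
    return dma_chan_put(&chan);
}
```

With the buggy ordering a single client leaves in_use at 2 and its release leaves the count at 1, so the channel is never torn down; the patched ordering returns to 0.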
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Linux kernel's dmaengine subsystem enables local privilege escalation by exploiting the reference count bug.