{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49753","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-03-27T16:39:17.988Z","datePublished":"2025-03-27T16:43:01.252Z","dateUpdated":"2026-05-11T19:06:06.863Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:06:06.863Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: Fix double increment of client_count in dma_chan_get()\n\nThe first time dma_chan_get() is called for a channel the channel\nclient_count is incorrectly incremented twice for public channels,\nfirst in balance_ref_count(), and again prior to returning. This\nresults in an incorrect client count which will lead to the\nchannel resources not being freed when they should be. A simple\n test of repeated module load and unload of async_tx on a Dell\n Power Edge R7425 also shows this resulting in a kref underflow\n warning.\n\n[  124.329662] async_tx: api initialized (async)\n[  129.000627] async_tx: api initialized (async)\n[  130.047839] ------------[ cut here ]------------\n[  130.052472] refcount_t: underflow; use-after-free.\n[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28\nrefcount_warn_saturate+0xba/0x110\n[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr\nintel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm\nmgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si\nsyscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops\nk10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat\nfat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul\nlibahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas\ni40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash\ndm_log dm_mod [last unloaded: async_tx]\n[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not\ntainted 5.14.0-185.el9.x86_64 #1\n[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS\n1.18.0 01/17/2022\n[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d\n26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a\nbd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff\n48 c7\n[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286\n[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000\n[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0\n[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff\n[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970\n[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)\nknlGS:0000000000000000\n[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0\n[  130.219729] Call Trace:\n[  130.222192]  <TASK>\n[  130.224305]  dma_chan_put+0x10d/0x110\n[  130.227988]  dmaengine_put+0x7a/0xa0\n[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280\n[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0\n[  130.242652]  do_syscall_64+0x5c/0x90\n[  130.246240]  ? exc_page_fault+0x62/0x150\n[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  130.255243] RIP: 0033:0x7f6463a3f5ab\n[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48\n83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00\n00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89\n01 48\n[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:\n00000000000000b0\n[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab\n[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8\n[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000\n[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8\n[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8\n[  130.320875]  </TASK>\n[  130.323081] ---[ end trace eff7156d56b5cf25 ]---\n\ncat /sys/class/dma/dma0chan*/in_use would get the wrong result.\n2\n2\n2\n\nTest-by: Jie Hai <haijie1@huawei.com>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/dmaengine.c"],"versions":[{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"1b409e14b4b7af034e0450f95c165b6c5c87dbc1","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"c6221afe573413fd2981e291f7df4a58283e0654","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"18dd3b30d4c7e8440c63118c7a7b687372b9567f","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"71c601965532c38030133535f7cd93c1efa75af1","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"142d644fd2cc059ffa042fbfb68e766433ef3afd","status":"affected","versionType":"git"},{"version":"d2f4f99db3e9ec8b063cf2e45704e2bb95428317","lessThan":"f3dc1b3b4750851a94212dba249703dd0e50bb20","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/dmaengine.c"],"versions":[{"version":"4.0","status":"affected"},{"version":"0","lessThan":"4.0","status":"unaffected","versionType":"semver"},{"version":"4.14.305","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.272","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.231","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.166","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.91","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.9","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"4.14.305"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"4.19.272"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"5.4.231"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"5.10.166"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"5.15.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"6.1.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndExcluding":"6.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1b409e14b4b7af034e0450f95c165b6c5c87dbc1"},{"url":"https://git.kernel.org/stable/c/c6221afe573413fd2981e291f7df4a58283e0654"},{"url":"https://git.kernel.org/stable/c/18dd3b30d4c7e8440c63118c7a7b687372b9567f"},{"url":"https://git.kernel.org/stable/c/42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1"},{"url":"https://git.kernel.org/stable/c/71c601965532c38030133535f7cd93c1efa75af1"},{"url":"https://git.kernel.org/stable/c/142d644fd2cc059ffa042fbfb68e766433ef3afd"},{"url":"https://git.kernel.org/stable/c/f3dc1b3b4750851a94212dba249703dd0e50bb20"}],"title":"dmaengine: Fix double increment of client_count in dma_chan_get()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49753","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-03-28T15:22:36.398911Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-28T15:31:59.515Z"}}]}}