Bug 2402204 (CVE-2022-50540)

Summary: CVE-2022-50540 kernel: dmaengine: qcom-adm: fix wrong sizeof config in slave_config
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A logic error was found in the Linux kernel Qualcomm ADM DMA engine driver's slave configuration handling. A local user with privileges to configure DMA operations can trigger DMA slave setup on Qualcomm ADM hardware, causing the driver to use an incorrect size comparison (pointer size instead of struct size) that results in ignoring critical DMA configuration values, which leads to kernel panic and denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-07 16:02:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: qcom-adm: fix wrong sizeof config in slave_config

Fix broken slave_config function that uncorrectly compare the
peripheral_size with the size of the config pointer instead of the size
of the config struct. This cause the crci value to be ignored and cause
a kernel panic on any slave that use adm driver.

To fix this, compare to the size of the struct and NOT the size of the
pointer.
Comment 1 Jon Moroney 2025-10-07 20:38:56 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100755-CVE-2022-50540-46a8@gregkh/T