CVE-2022-49753 - Double Client Count Increment in Linux Kernel’s DMA Engine Could Lead to Resource Leaks (and Worse!)

*Published: June 2024*
*By: Exclusive Detailed Analysis - AI Long Read Series*

Overview

CVE-2022-49753 describes a subtle yet impactful bug in the Linux kernel's DMA engine subsystem. The flaw happens when the function dma_chan_get() mistakenly increments a “client count” twice for public DMA channels. This double counting results in an incorrect reference count, which in turn causes the channel resources *not* to be freed when they should be. Over time, this can lead to resource leakage, possible use-after-free bugs, and instability, especially with repeated DMA engine use.

Understanding DMA, the DMA Engine, and Reference Counting

DMA (Direct Memory Access) engines allow hardware devices to move data to and from system memory without CPU intervention, improving speed and efficiency. The Linux kernel tracks who is using each DMA channel using a field called client_count:

When it reaches zero—meaning nobody’s using it—it’s freed for others.

If client_count is wrong, the kernel may keep resources allocated needlessly, or worse, think it’s okay to free something still in use!

Where It Hits

This bug is inside the dma_chan_get() function. For “public” channels, client_count gets incremented unusually:

Again before returning in dma_chan_get()

This causes an off-by-one situation—leading to resource leakage and potentially more serious stability issues in low-level kernel land.

Example of Dangerous Behavior

If you repeatedly load and unload a DMA-using module (like async_tx), the bug causes the kernel’s reference count for the channel to go out of sync, risking underflow and “use-after-free” conditions—these can bring down your server!

Kernel Log Example

[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28 refcount_warn_saturate+xba/x110
...
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---

Or incorrect results

cat /sys/class/dma/dmachan*/in_use
2
2
2

(correct would normally be 1, , etc.)

Before the fix, client_count increments in two places

int dma_chan_get(struct dma_chan *chan) {
    if (channel_is_public(chan)) {
        balance_ref_count(chan);   // This already increments client_count
        chan->client_count++;      // Oops! Second increment here
    }
    ...
    return ;
}

Fixed Code

The core change is to stop incrementing twice. The increment in balance_ref_count() is sufficient.

int dma_chan_get(struct dma_chan *chan) {
    if (channel_is_public(chan)) {
        balance_ref_count(chan);   // Increments client_count (once)
        // chan->client_count++;   // This line is GONE in the patch
    }
    ...
    return ;
}

*See upstream commit for the actual patch.*

How to Test for Affected Systems

On a vulnerable system, repeatedly load and unload a module that uses DMA (like async_tx). You may see:

- Reference underflow warnings in dmesg/syslog
- ORM resources not freed (/sys/class/dma/dmachan*/in_use stays >)

Quick Test Script

for i in {1..10}; do
    modprobe async_tx
    rmmod async_tx
done
cat /sys/class/dma/dmachan*/in_use

If you see numbers >1, you may be on a vulnerable kernel!

While this bug is NOT a direct privilege escalation vulnerability, it creates risk

- Resource leaks: Channels are never freed—can eventually cause device failure or service denial.
- Use-after-free: If the code tries to use a channel after the kernel frees it, this can crash the system (or, in the worst case, become a kernel-level write-what-where for an attacker).
- Denial of Service (DoS): On heavily-used servers (like Dell PowerEdge), this leads to out-of-memory or kernel panics.
- Data corruption: The DMA channel may transfer data to/from invalid memory areas.

This is why *all* kernel reference counting bugs are taken seriously!

Upstream Fix Commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bf2be3d398f37b08c8f6d28779d1d2ae5a717bb1

Red Hat Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=2165935

Kernel Mailing List Thread:

https://lore.kernel.org/all/20230306152013.3043857-1-sgupta37@marvell.com/

CVE Entry:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49753

Check your kernel version—the bug affects 5.14 and likely others.

- If you use the DMA engine (directly or indirectly), update your kernel to a version with the fix.

If you’re a distro packager or hardware vendor, patch and backport where needed.

- In cloud and server environments, watch for unexplained DMA resource exhaustion or kernel warnings about refcounts!

Acknowledgements

Tested and reported by Jie Hai
Patch by Sandeep Gupta

Stay Secure!

Reference counting bugs are easy to miss, but can be devastating. Don’t skip your kernel updates—and keep an eye on those subtle kernel logs. All it takes is one off-by-one for a disaster in production.

If you want more exclusive deep-dives into recent CVEs, follow this series—and stay three steps ahead!


*(Feel free to copy and share this post with credits!)*

Timeline

Published on: 03/27/2025 17:15:40 UTC
Last modified on: 04/01/2025 15:41:09 UTC