VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Apr 15, 2026

CVE-2022-50625

CVE-2022-50625

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: amba-pl011: avoid SBSA UART accessing DMACR register

Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such generic UART does not support DMA. In current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to DMACR register for SBSA UARTs which does not support DMA.

When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux SBSA PL011 driver will access PL011 DMACR register in some functions. For most real SBSA Pl011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to guest, when guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement DMACR register. So when Linux SBSA PL011 driver access DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP ... Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon

This has been discussed in the Xen community, and we think it should fix this in Linux. See [2] for more information.

[1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel SBSA PL011 UART driver accesses DMACR register, causing a data abort fault on virtual hardware, leading to denial of service.

Vulnerability

Description

In the Linux kernel, the amba-pl011 serial driver improperly allows the SBSA UART variant to access the DMACR register. The ARM SBSA specification defines a generic UART interface that does not support DMA, yet the shared stop_rx operation between sbsa_uart_pops and amba_pl011_pops calls pl011_dma_rx_stop, which writes to the DMACR register. This results in an unauthorized register access on SBSA UARTs [1][4].

Exploitation

Context

The vulnerability is triggered when the kernel is built with CONFIG_DMA_ENGINE=y. On real SBSA PL011 hardware, the write to DMACR is typically ignored and harmless. However, on virtual implementations, such as Xen's virtual SBSA PL011 (vpl011), the DMACR register is not implemented. Any access causes a data abort exception, leading to a kernel panic or user-space segmentation fault when the serial port is closed or shut down [1][2].

Impact

An attacker who can trigger serial port operations (e.g., closing a tty device) on a system using a virtual SBSA PL011 UART can cause a denial of service. The fault manifests as an unhandled data abort, crashing the kernel or the affected process. The vulnerability does not allow code execution or privilege escalation [1].

Mitigation

The fix introduces a using_rx_dma check in pl011_dma_rx_stop to bypass DMACR access for SBSA UARTs. Patches have been committed to the Linux kernel stable branches [1][2][3][4]. Users should apply the updated kernel or ensure the serial driver is not used with DMA support on virtual SBSA platforms.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

9
94cdb9f33698
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a4ea20ab82aa
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
78d837ce2051
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
965f07ea5fd1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d5b16eb076f4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d71a611fca19
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
38a10fdd54d1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
64bc5dbc3260
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
1c5f0d3f480a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.