CVE-2022-50721
Description
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg
The calling convention for prep_slave_sg is to return NULL on error and provide an error log to the system. Qcom-adm instead provides an error pointer when an error occurs. This indirectly causes a kernel panic, for example for the nandc driver, which checks only if the pointer returned by device_prep_slave_sg is not NULL. Returning an error pointer makes nandc think the device_prep_slave_sg function correctly completed and makes the kernel panic later in the code.
While nandc is the one that makes the kernel crash, it was pointed out that the real problem is qcom-adm not following the calling convention for that function.
To fix this, drop returning error pointer and return NULL with an error log.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Qcom-ADM DMA driver in the Linux kernel returns error pointers instead of NULL on failure, causing a kernel panic in callers such as the NAND controller driver that check only for NULL.
Vulnerability
Overview
The Qcom-ADM DMA engine driver in the Linux kernel violates the established calling convention for the prep_slave_sg function. According to the DMA engine API, this function should return NULL on failure and log an error. However, the Qcom-ADM driver returns an error pointer (e.g., ERR_PTR(-ENOMEM)) when an error occurs [1].
Exploitation
Mechanism
This incorrect return value propagates to callers such as the NAND controller driver (nandc). The nandc driver only checks whether the pointer returned by device_prep_slave_sg is non-NULL, assuming a valid descriptor. When it receives an error pointer, it treats it as a valid descriptor and proceeds to use it, leading to a kernel panic later in the execution flow [1].
Impact
An attacker who can trigger an error condition in the Qcom-ADM driver (e.g., by exhausting memory or providing invalid parameters) can cause a denial of service via kernel panic. The vulnerability does not require special privileges beyond the ability to interact with the DMA subsystem through the NAND controller or other affected drivers.
Mitigation
The fix, committed in the Linux kernel stable tree, changes the Qcom-ADM driver to return NULL on error and log an appropriate error message, aligning with the expected calling convention [1]. Users should apply the kernel patch or update to a version containing commit b9d2140c3bad or later.
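The mismatch described above, as an added userspace model that is not the driver's or the kernel's code: ERR_PTR()/IS_ERR() are re-implemented after the kernel's helpers, and the "buggy", "fixed" and nandc-style functions are constructed stand-ins. The caller's NULL-only check is correct under the dmaengine convention; it is the error-pointer return that defeats it, and the model reports (rather than performs) the resulting bad dereference.

```c
#include <stdio.h>
#include <errno.h>
#include <stdint.h>

/* Stand-ins for the kernel's ERR_PTR()/IS_ERR() helpers (include/linux/err.h). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct dma_async_tx_descriptor { int cookie; };
static struct dma_async_tx_descriptor good_desc = { 1 };

/* Before the fix: an allocation failure is reported with ERR_PTR(), which
 * is a non-NULL value. (Constructed model of the bug, not the driver's code.) */
static struct dma_async_tx_descriptor *adm_prep_slave_sg_buggy(int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : &good_desc;
}

/* After the fix: NULL plus an error log, as the dmaengine API requires. */
static struct dma_async_tx_descriptor *adm_prep_slave_sg_fixed(int fail)
{
	if (fail) {
		fprintf(stderr, "qcom-adm: failed to prepare slave sg descriptor\n");
		return NULL;
	}
	return &good_desc;
}

/* Caller modelled on nandc: checks only for NULL, which the API permits.
 * Returns 1 if it would go on to submit (and dereference) the descriptor. */
static int nandc_would_submit(struct dma_async_tx_descriptor *desc)
{
	return desc != NULL;
}

/* 1 if the caller would dereference an error pointer for this callee. */
static int would_panic(struct dma_async_tx_descriptor *(*prep)(int))
{
	struct dma_async_tx_descriptor *desc = prep(1);  /* force the error path */
	return nandc_would_submit(desc) && IS_ERR(desc);
}

int main(void)
{
	printf("buggy driver: caller proceeds on error -> %d\n", would_panic(adm_prep_slave_sg_buggy));
	printf("fixed driver: caller proceeds on error -> %d\n", would_panic(adm_prep_slave_sg_fixed));
	return 0;
}
```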
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
35653bd0200949a041174c58ab9d2140c3bad
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.