VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2022-50774

CVE-2022-50774

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - fix DMA transfer direction

When CONFIG_DMA_API_DEBUG is selected, while running the crypto self test on the QAT crypto algorithms, the function add_dma_entry() reports a warning similar to the one below, saying that overlapping mappings are not supported. This occurs in tests where the input and the output scatter list point to the same buffers (i.e. two different scatter lists which point to the same chunks of memory).

The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL for both the input and the output scatter lists which leads to overlapped write mappings. These are not supported by the DMA layer.

Fix by specifying the correct DMA transfer directions when mapping buffers. For in-place operations where the input scatter list matches the output scatter list, buffers are mapped once with DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE. Overlapping a read mapping with a write mapping is a valid case in dma-coherent devices like QAT. The function that frees and unmaps the buffers, qat_alg_free_bufl() has been changed accordingly to the changes to the mapping function.

DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270 ... Call Trace: dma_map_page_attrs+0x82/0x2d0 ? preempt_count_add+0x6a/0xa0 qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat] qat_alg_aead_dec+0x71/0x250 [intel_qat] crypto_aead_decrypt+0x3d/0x70 test_aead_vec_cfg+0x649/0x810 ? number+0x310/0x3a0 ? vsnprintf+0x2a3/0x550 ? scnprintf+0x42/0x70 ? valid_sg_divisions.constprop.0+0x86/0xa0 ? test_aead_vec+0xdf/0x120 test_aead_vec+0xdf/0x120 alg_test_aead+0x185/0x400 alg_test+0x3d8/0x500 ? crypto_acomp_scomp_free_ctx+0x30/0x30 ? __schedule+0x32a/0x12a0 ? ttwu_queue_wakelist+0xbf/0x110 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? try_to_wake_up+0x83/0x570 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? __set_cpus_allowed_ptr_locked+0xea/0x1b0 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x27/0x50 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-50774 fixes a DMA mapping bug in the Linux kernel's QAT crypto driver that caused overlapping write mappings, triggering DMA-API warnings.

Root

Cause The vulnerability is a DMA transfer direction bug in the Linux kernel's intel_qat crypto driver. When performing in-place encryption or decryption operations, the driver incorrectly used the DMA_BIDIRECTIONAL flag for both input and output scatter-gather lists that pointed to the same memory buffers. This created overlapping write mappings, which are unsupported by the DMA layer and triggered DMA-API: cacheline tracking EEXIST, overlapping mappings aren't supported warnings when CONFIG_DMA_API_DEBUG was enabled [1].

Exploitation

This is a logic error in kernel code, not a remotely exploitable vulnerability. An attacker would need local access to trigger the affected crypto operations (e.g., running crypto self-tests or using QAT hardware acceleration for symmetric encryption). The issue manifests during legitimate usage of the QAT driver's aead and related algorithms, where the scatter lists for input and output share the same physical memory ranges [2].

Impact

The direct impact is limited to kernel warnings and potential performance degradation due to incorrect DMA buffer tracking. Under CONFIG_DMA_API_DEBUG, the driver could hang or produce corrupted ciphertext if the overlapping DMA mappings caused coherency issues. A local attacker with sufficient privileges could potentially exploit the mis-mapping to leak sensitive data from DMA buffers or cause denial of service via repeated warnings [2].

Mitigation

The fix was applied to the Linux kernel mainline and stable branches. It changes the DMA mapping logic to use DMA_BIDIRECTIONAL only for true in-place operations, and otherwise maps input buffers with DMA_TO_DEVICE and output buffers with DMA_FROM_DEVICE, which avoids overlapping write mappings. The companion function qat_alg_free_bufl() was also updated accordingly [1][2]. Administrators should apply the updated kernel packages for their distribution as soon as available.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

5
426d5bc089e7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
1f1ab76e2515
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
429348d4f675
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c4c9d9edf484
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
cf5bb835b7c8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.