CVE-2022-50844
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals:
drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .odn_edit_dpm_table = smu_od_edit_dpm_table, ^~~~~~~~~~~~~~~~~~~~~ 1 error generated.
There are only two implementations of ->odn_edit_dpm_table() in 'struct amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls ->od_edit_dpm_table() from 'struct pptable_funcs' and pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct pp_hwmgr_func', which both have a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND'.
Update the type parameter in both the prototype in 'struct amd_pm_funcs' and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which cleans up the warning.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel AMD GPU driver had a type mismatch in odn_edit_dpm_table() that could cause CFI failures; fixed by correcting the second parameter type to enum PP_OD_DPM_TABLE_COMMAND.
Vulnerability
In the Linux kernel's AMD GPU driver (amdgpu), the odn_edit_dpm_table callback in struct amd_pm_funcs had an incompatible function pointer type. The prototype defined the second parameter as u32, but both implementations (smu_od_edit_dpm_table and pp_odn_edit_dpm_table) expected an enum PP_OD_DPM_TABLE_COMMAND. This mismatch triggered runtime failures when Control Flow Integrity (kCFI) was enabled via CONFIG_CFI_CLANG, as the indirect call targets did not match the expected signature [1][2].
Exploitation
An attacker with local access and the ability to trigger the odn_edit_dpm_table callback (e.g., via sysfs or debugfs interfaces for overclocking/dynamic power management) could cause a kernel panic or thread termination. No special privileges beyond user access to AMD GPU control interfaces are required, but the vulnerability is only exploitable on kernels built with CONFIG_CFI_CLANG.
Impact
Successful exploitation leads to a denial of service (kernel panic or arbitrary thread kill), potentially allowing an attacker to crash the system or disrupt critical processes. The vulnerability does not directly enable privilege escalation or code execution, but the resulting instability can be leveraged in further attacks.
Mitigation
Patches are available in the Linux kernel stable tree, with commits identified in references [1] and [2]. Users should apply the relevant update or use a kernel version containing the fix. No workaround exists for systems running affected kernels with CFI enabled.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
4f9084e9930db24cba9d8651536217f676b55e4d0ef752081Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.