{"id":"CVE-2022-48795","summary":"parisc: Fix data TLB miss in sba_unmap_sg","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix data TLB miss in sba_unmap_sg\n\nRolf Eike Beer reported the following bug:\n\n[1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018\n[1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4\n[1274934.746891] Hardware name: 9000/785/C8000\n[1274934.746891]\n[1274934.746891]      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI\n[1274934.746891] PSW: 00001000000001001111111000001110 Not tainted\n[1274934.746891] r00-03  000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000\n[1274934.746891] r04-07  0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001\n[1274934.746891] r08-11  0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001\n[1274934.746891] r12-15  0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0\n[1274934.746891] r16-19  0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007\n[1274934.746891] r20-23  0000000000000006 000000004a368950 0000000000000000 0000000000000001\n[1274934.746891] r24-27  0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0\n[1274934.746891] r28-31  0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118\n[1274934.746891] sr00-03  00000000066e5800 0000000000000000 0000000000000000 00000000066e5800\n[1274934.746891] sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[1274934.746891]\n[1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec\n[1274934.746891]  IIR: 48780030    ISR: 0000000000000000  IOR: 0000004140000018\n[1274934.746891]  CPU:        3   CR30: 00000040e3a9c000 CR31: ffffffffffffffff\n[1274934.746891]  ORIG_R28: 0000000040acdd58\n[1274934.746891]  IAOQ[0]: sba_unmap_sg+0xb0/0x118\n[1274934.746891]  IAOQ[1]: sba_unmap_sg+0xb4/0x118\n[1274934.746891]  RP(r2): sba_unmap_sg+0xac/0x118\n[1274934.746891] Backtrace:\n[1274934.746891]  [\u003c00000000402740cc\u003e] dma_unmap_sg_attrs+0x6c/0x70\n[1274934.746891]  [\u003c000000004074d6bc\u003e] scsi_dma_unmap+0x54/0x60\n[1274934.746891]  [\u003c00000000407a3488\u003e] mptscsih_io_done+0x150/0xd70\n[1274934.746891]  [\u003c0000000040798600\u003e] mpt_interrupt+0x168/0xa68\n[1274934.746891]  [\u003c0000000040255a48\u003e] __handle_irq_event_percpu+0xc8/0x278\n[1274934.746891]  [\u003c0000000040255c34\u003e] handle_irq_event_percpu+0x3c/0xd8\n[1274934.746891]  [\u003c000000004025ecb4\u003e] handle_percpu_irq+0xb4/0xf0\n[1274934.746891]  [\u003c00000000402548e0\u003e] generic_handle_irq+0x50/0x70\n[1274934.746891]  [\u003c000000004019a254\u003e] call_on_stack+0x18/0x24\n[1274934.746891]\n[1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)\n\nThe bug is caused by overrunning the sglist and incorrectly testing\nsg_dma_len(sglist) before nents. Normally this doesn't cause a crash,\nbut in this case sglist crossed a page boundary. This occurs in the\nfollowing code:\n\n\twhile (sg_dma_len(sglist) && nents--) {\n\nThe fix is simply to test nents first and move the decrement of nents\ninto the loop.","modified":"2026-04-02T08:27:01.122471Z","published":"2024-07-16T11:43:50.129Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48795.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48795.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48795"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"f23f0444ead4d941165aa82ce2fcbb997dc00e97"},{"fixed":"de75676ee99bf9f25b1124ff301b3f7b8ba597d4"},{"fixed":"867e50231c7605547d9334904d70a181f39f2d9e"},{"fixed":"efccc9b0c7e28d0eb7918a236e59f60dc23db4c3"},{"fixed":"f8f519d7df66c334b5e08f896ac70ee3b53add3b"},{"fixed":"8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2"},{"fixed":"e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf"},{"fixed":"b7d6f44a0fa716a82969725516dc0b16bc7cd514"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48795.json"}}],"schema_version":"1.7.5"}