CVE-2025-71162

Source
https://cve.org/CVERecord?id=CVE-2025-71162
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71162.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-71162
Downstream
Related
Published
2026-01-25T14:36:09.029Z
Modified
2026-03-20T12:46:39.443795Z
Summary
dmaengine: tegra-adma: Fix use-after-free
Details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: tegra-adma: Fix use-after-free

A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

The race condition follows this sequence:

  1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
  2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
  3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.

Fix this by properly synchronizing the virtual channel completion:

  - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
  - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors.

Crash logs:

[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71162.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f46b195799b5cb05338e7c44cb3617eacb56d755
Fixed
5f8d1d66a952d0396671e1f21ff8127a4d14fb4e
Fixed
76992310f80776b4d1f7f8915f59b92883a3e44c
Fixed
ae3eed72de682ddbba507ed2d6b848c21a6b721e
Fixed
59cb421b0902fbef2b9512ae8ba198a20f26b41f
Fixed
cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca
Fixed
be655c3736b3546f39bc8116ffbf2a3b6cac96c4
Fixed
2efd07a7c36949e6fa36a69183df24d368bf9e96

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71162.json"