CVE-2025-71162

Source
https://cve.org/CVERecord?id=CVE-2025-71162
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71162.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-71162
Downstream
Related
Published
2026-01-25T14:36:09.029Z
Modified
2026-05-15T11:53:22.927651997Z
Summary
dmaengine: tegra-adma: Fix use-after-free
Details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: tegra-adma: Fix use-after-free

A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

The race condition follows this sequence:

  1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
  2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
  3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.

Fix this by properly synchronizing the virtual channel completion:

  - Call vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
  - Add the callback tegra_adma_synchronize() that calls vchan_synchronize(), which kills any pending tasklets and frees any terminated descriptors.
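As an added illustration (not the kernel's or the tegra-adma driver's own code), the following user-space C model replays the three-step sequence above with the buggy terminate path and with the fixed terminate/synchronize ordering. The struct and function names are hypothetical stand-ins for the vchan helpers, and a `freed` flag stands in for kfree() so the bad read is counted rather than crashing.

```c
#include <stdbool.h>
/* User-space model of the race described above. Names are hypothetical and
 * this is not the kernel's or the driver's code; a "freed" flag stands in for
 * kfree() so a read of freed memory is counted instead of crashing. */
struct vdesc { bool terminated, freed; };
struct vchan {
    struct vdesc *completed;   /* descriptor the pending tasklet will touch */
    struct vdesc *parked;      /* parked by terminate, freed by synchronize */
    bool tasklet_pending;
    int uaf_reads;             /* what KASAN reports in the kernel */
};
struct outcome { int uaf_reads; bool desc_freed; };
/* Step 1: the transfer-complete IRQ schedules the vchan completion tasklet. */
static void irq_complete(struct vchan *vc, struct vdesc *d) {
    vc->completed = d;
    vc->tasklet_pending = true;
}
/* Step 3: vchan_complete(), run whenever the tasklet finally executes. */
static void tasklet_run(struct vchan *vc) {
    if (!vc->tasklet_pending) return;
    vc->tasklet_pending = false;
    if (vc->completed->freed) vc->uaf_reads++;   /* the use-after-free read */
}
/* Step 2, before the fix: terminate_all kfree()s the descriptor right away. */
static void terminate_buggy(struct vdesc *d) {
    d->freed = true;
}
/* Step 2, after the fix: vchan_terminate_vdesc() only marks and parks it. */
static void terminate_fixed(struct vchan *vc, struct vdesc *d) {
    d->terminated = true;
    vc->parked = d;
}
/* vchan_synchronize(): tasklet_kill() lets the pending tasklet finish while
 * the memory is still valid, then the terminated descriptor is freed. */
static void synchronize(struct vchan *vc) {
    tasklet_run(vc);
    if (vc->parked) { vc->parked->freed = true; vc->parked = 0; }
}

struct outcome race_buggy(void) {
    struct vdesc d = {0}; struct vchan vc = {0};
    irq_complete(&vc, &d); terminate_buggy(&d); tasklet_run(&vc);
    return (struct outcome){ vc.uaf_reads, d.freed };   /* 1 read after free */
}
struct outcome race_fixed(void) {
    struct vdesc d = {0}; struct vchan vc = {0};
    irq_complete(&vc, &d); terminate_fixed(&vc, &d); synchronize(&vc); tasklet_run(&vc);
    return (struct outcome){ vc.uaf_reads, d.freed };   /* 0 reads, still freed */
}
```

The fixed path still frees the descriptor, so the change closes the race without leaking the terminated descriptor.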

Crash logs:

[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

[ 337.427562] Call trace:
[ 337.427564]  dump_backtrace+0x0/0x320
[ 337.427571]  show_stack+0x20/0x30
[ 337.427575]  dump_stack_lvl+0x68/0x84
[ 337.427584]  print_address_description.constprop.0+0x74/0x2b8
[ 337.427590]  kasan_report+0x1f4/0x210
[ 337.427598]  __asan_load8+0xa0/0xd0
[ 337.427603]  vchan_complete+0x124/0x3b0
[ 337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617]  tasklet_action+0x30/0x40
[ 337.427623]  __do_softirq+0x1a0/0x5c4
[ 337.427628]  irq_exit+0x110/0x140
[ 337.427633]  handle_domain_irq+0xa4/0xe0
[ 337.427640]  gic_handle_irq+0x64/0x160
[ 337.427644]  call_on_irq_stack+0x20/0x4c
[ 337.427649]  do_interrupt_handler+0x7c/0x90
[ 337.427654]  el1_interrupt+0x30/0x80
[ 337.427659]  el1h_64_irq_handler+0x18/0x30
[ 337.427663]  el1h_64_irq+0x7c/0x80
[ 337.427667]  cpuidle_enter_state+0xe4/0x540
[ 337.427674]  cpuidle_enter+0x54/0x80
[ 337.427679]  do_idle+0x2e0/0x380
[ 337.427685]  cpu_startup_entry+0x2c/0x70
[ 337.427690]  rest_init+0x114/0x130
[ 337.427695]  arch_call_rest_init+0x18/0x24
[ 337.427702]  start_kernel+0x380/0x3b4
[ 337.427706]  __primary_switched+0xc0/0xc8

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71162.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM (all ranges)

Introduced 4.7.0, fixed 5.10.249
Introduced 5.11.0, fixed 5.15.199
Introduced 5.16.0, fixed 6.1.162
Introduced 6.2.0, fixed 6.6.122
Introduced 6.7.0, fixed 6.12.67
Introduced 6.13.0, fixed 6.18.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71162.json"