CVE-2025-71221
- Source
- https://cve.org/CVERecord?id=CVE-2025-71221
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71221.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-71221
- Downstream
- Published
- 2026-02-14T16:27:04.631Z
- Modified
- 2026-03-11T05:51:37.432736Z
- Summary
- dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: mmppdma: Fix race condition in mmppdma_residue()
Add proper locking in mmppdmaresidue() to prevent use-after-free when accessing descriptor list and descriptor contents.
The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:
CPU 0 CPU 1 ----- ----- mmppdmatxstatus() mmppdmaresidue() -> NO LOCK held listforeachentry(sw, ..) DMA interrupt dmadotasklet() -> spinlock(&desclock) listmove(sw->node, ...) spinunlock(&desclock) | dmapool_free(sw) <- FREED! -> access sw->desc <- UAF!
This issue can be reproduced when running dmatest on the same channel with multiple threads (threadsperchan > 1).
Fix by protecting the chainrunning list iteration and descriptor access with the chan->desclock spinlock.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71221.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c
- https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71221.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-71221