Home

Description

In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

PUBLISHED Reserved 2026-02-14 | Published 2026-02-14 | Updated 2026-02-16 | Assigner Linux

Product status

Default status
unaffected

1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before 9f665b3c3d9a168410251f27a5d019b7bf93185c
affected

1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before a143545855bc2c6e1330f6f57ae375ac44af00a7
affected

Default status
affected

3.16
affected

Any version before 3.16
unaffected

6.18.10 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/9f665b3c3d9a168410251f27a5d019b7bf93185c

git.kernel.org/...c/a143545855bc2c6e1330f6f57ae375ac44af00a7

cve.org (CVE-2025-71221)

nvd.nist.gov (CVE-2025-71221)

Download JSON