CVE-2025-71221
Published: Feb 14, 2026
Modified: Jun 1, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 - < 3f0e0e2d9e752570041e95fd04635e2580097819affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 - < dfb5e05227745de43b7fd589721817a4337c970daffected 1b38da264674d6a0fe26a63996b8f88b88c3da48 - < eba0c75670c022cb1f948600db972524bcfe8166affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 - < fc023b8fab057f0c910856ff36d3e12a30b7af4aaffected 1b38da264674d6a0fe26a63996b8f88b88c3da48 - < 9f665b3c3d9a168410251f27a5d019b7bf93185c+1 more versions |
Linux | Linux | affected 3.16unaffected 0 - < 3.16unaffected 5.15.209 - <= 5.15.*unaffected 6.1.167 - <= 6.1.*unaffected 6.6.130 - <= 6.6.*+3 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now