dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Summary

CVE: CVE-2025-71221
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-02-14 17:15:54 UTC
Updated: 2026-06-01 17:16:38 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:

    CPU 0                              CPU 1
    -----                              -----
    mmp_pdma_tx_status()
    mmp_pdma_residue()
      -> NO LOCK held
         list_for_each_entry(sw, ..)
                                       DMA interrupt
                                       dma_do_tasklet()
                                         -> spin_lock(&desc_lock)
                                            list_move(sw->node, ...)
                                            spin_unlock(&desc_lock)
      |                                     dma_pool_free(sw) <- FREED!
      -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

Risk And Classification

Primary CVSS: v3.1 7 HIGH from [email protected]

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000140000 probability, percentile 0.026180000 (date 2026-06-04)

Problem Types: CWE-362

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High


NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Linux | Linux Kernel | All | All | All | All
Operating System | Linux | Linux Kernel | 6.19 | rc1 | All | All
Operating System | Linux | Linux Kernel | 6.19 | rc2 | All | All
Operating System | Linux | Linux Kernel | 6.19 | rc3 | All | All
Operating System | Linux | Linux Kernel | 6.19 | rc4 | All | All
Operating System | Linux | Linux Kernel | 6.19 | rc5 | All | All

Vendor Declared Affected Products

Source | Vendor | Product | Version | Platforms
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 3f0e0e2d9e752570041e95fd04635e2580097819 git | Not specified
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 dfb5e05227745de43b7fd589721817a4337c970d git | Not specified
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 eba0c75670c022cb1f948600db972524bcfe8166 git | Not specified
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 fc023b8fab057f0c910856ff36d3e12a30b7af4a git | Not specified
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 9f665b3c3d9a168410251f27a5d019b7bf93185c git | Not specified
CNA | Linux | Linux | affected 1b38da264674d6a0fe26a63996b8f88b88c3da48 a143545855bc2c6e1330f6f57ae375ac44af00a7 git | Not specified
CNA | Linux | Linux | affected 3.16 | Not specified
CNA | Linux | Linux | unaffected 3.16 semver | Not specified
CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified
CNA | Linux | Linux | unaffected 6.1.167 6.1.* semver | Not specified
CNA | Linux | Linux | unaffected 6.6.130 6.6.* semver | Not specified
CNA | Linux | Linux | unaffected 6.12.78 6.12.* semver | Not specified
CNA | Linux | Linux | unaffected 6.18.10 6.18.* semver | Not specified
CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified

References

Reference | Source | Link | Tags
git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch
git.kernel.org/stable/c/dfb5e05227745de43b7fd589721817a4337c970d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/eba0c75670c022cb1f948600db972524bcfe8166 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/fc023b8fab057f0c910856ff36d3e12a30b7af4a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/3f0e0e2d9e752570041e95fd04635e2580097819 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org |
git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis