IM
IronMonkey Threat Research

CVE-2025-71221 HIGH

Published: 2026-02-14 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: dmaengine: mmp_pdma: Corrección de condición de carrera en mmp_pdma_residue() Añadir bloqueo adecuado en mmp_pdma_residue() para prevenir uso después de liberación al acceder a la lista de descriptores y al contenido del descriptor. La condición de carrera ocurre cuando múltiples hilos llaman a tx_status() mientras el tasklet en otra CPU está liberando descriptores completados: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -&gt; SIN BLOQUEO mantenido list_for_each_entry(sw, ..) Interrupción DMA dma_do_tasklet() -&gt; spin_lock(&amp;desc_lock) list_move(sw-&gt;node, ...) spin_unlock(&amp;desc_lock) | dma_pool_free(sw) &lt;- ¡LIBERADO! -&gt; acceso a sw-&gt;desc &lt;- ¡UAF! Este problema puede ser reproducido al ejecutar dmatest en el mismo canal con múltiples hilos (hilos_por_canal &gt; 1). Solución protegiendo la iteración de la lista chain_running y el acceso al descriptor con el spinlock chan-&gt;desc_lock.

CVSS Metrics

Base Score: 7.0 (HIGH)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityHIGH
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.0

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-362

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bcc127fc0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bde23d100> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b50174880> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b70375f80> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bcc124bc0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdda08380> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Notification
Message here