CVE-2025-71221
Modified Modified - Updated After Analysis
Use-After-Free Race Condition in Linux Kernel dmaengine mmp_pdma

Publication date: 2026-02-14

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71221
EUVD
EUVD-2025-206989
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 3.16 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to use-after-free memory access in the Linux kernel's dmaengine subsystem, which may cause system instability, crashes, or potential kernel memory corruption.

Such memory corruption issues can be exploited to cause denial of service or potentially escalate privileges if an attacker can trigger the race condition, especially in environments where multiple threads run dmatest on the same channel.

Compliance Impact

I don't know

Executive Summary

This vulnerability exists in the Linux kernel's dmaengine subsystem, specifically in the mmp_pdma driver. It is a race condition in the function mmp_pdma_residue() where multiple threads calling tx_status() can access freed memory (use-after-free) due to lack of proper locking.

The issue occurs when one CPU is running mmp_pdma_tx_status() and iterating over a descriptor list without holding a lock, while another CPU's tasklet is freeing completed descriptors under a spinlock. This leads to a situation where the first CPU accesses descriptor contents that have already been freed, causing a use-after-free error.

The fix involves adding proper locking (using chan->desc_lock spinlock) to protect the iteration over the descriptor list and access to descriptor contents, preventing the race condition.

Detection Guidance

This vulnerability involves a race condition in the Linux kernel's dmaengine mmp_pdma driver, specifically in the mmp_pdma_residue() function. It can be reproduced by running dmatest on the same channel with multiple threads (threads_per_chan > 1).

To detect this issue on your system, you can run the dmatest kernel module with multiple threads on the affected channel to observe if the race condition occurs.

  • Use the dmatest module with multiple threads enabled: modprobe dmatest threads_per_chan=2
  • Monitor kernel logs (e.g., using dmesg) for any error messages or warnings related to dmaengine or mmp_pdma.
Mitigation Strategies

The vulnerability is fixed by adding proper locking in the mmp_pdma_residue() function to prevent use-after-free conditions. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Until the kernel is updated, avoid running workloads that trigger multiple concurrent calls to tx_status() on the same DMA channel, such as running dmatest with multiple threads on the same channel.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart