CVE-2025-71221
Use-After-Free Race Condition in Linux Kernel dmaengine mmp_pdma
Publication date: 2026-02-14
Last updated on: 2026-03-25
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 3.16 (inc) to 6.18.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
How can this vulnerability impact me?:
This vulnerability can lead to use-after-free memory access in the Linux kernel's dmaengine subsystem, which may cause system instability, crashes, or potential kernel memory corruption.
Such memory corruption issues can be exploited to cause denial of service or potentially escalate privileges if an attacker can trigger the race condition, especially in environments where multiple threads run dmatest on the same channel.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's dmaengine subsystem, specifically in the mmp_pdma driver. It is a race condition in the function mmp_pdma_residue() where multiple threads calling tx_status() can access freed memory (use-after-free) due to lack of proper locking.
The race occurs when one CPU runs mmp_pdma_tx_status() and iterates over the channel's descriptor list without holding a lock while another CPU's tasklet frees completed descriptors under a spinlock. The first CPU can then read the contents of a descriptor that has already been freed, which is the use-after-free.
The fix involves adding proper locking (using chan->desc_lock spinlock) to protect the iteration over the descriptor list and access to descriptor contents, preventing the race condition.
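The race and the fix described above, modelled as an added example that is not the mmp_pdma driver's own code (struct and function names are assumptions): the tasklet reaps completed descriptors under desc_lock, while the residue walk either runs unlocked (pre-fix, so the tasklet can free a descriptor the walker still points at) or holds desc_lock for the whole walk (post-fix). The freed flag stands in for kfree(), so the model counts the stale read instead of crashing.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical model of a channel's in-flight descriptor list; names are
 * assumptions and this is not the mmp_pdma driver's own code. */
struct desc {
    struct desc *next;
    unsigned int bytes;     /* bytes still outstanding for this descriptor */
    bool completed, freed;  /* hw done -> tasklet may reap; freed = kfree() stand-in */
};
struct chan { int desc_lock; struct desc *running; };  /* desc_lock: 0 free, 1 held */
static int uaf_reads;       /* times a walker touched a freed descriptor */
/* Completion tasklet: unlinks and frees completed descriptors under desc_lock.
 * Returns false when the lock is held (a real tasklet would spin instead). */
static bool tasklet_free_completed(struct chan *c)
{
    if (c->desc_lock) return false;
    c->desc_lock = 1;
    for (struct desc **pp = &c->running; *pp; ) {
        struct desc *d = *pp;
        if (!d->completed) { pp = &d->next; continue; }
        *pp = d->next;
        d->freed = true; d->bytes = 0xdeadbeef;   /* slab-poison stand-in */
    }
    c->desc_lock = 0;
    return true;
}
/* Residue walk: with_lock=false is the pre-fix shape (tasklet can run mid-walk),
 * with_lock=true is the post-fix shape (desc_lock held for the whole walk). */
static unsigned int residue(struct chan *c, bool with_lock)
{
    unsigned int sum = 0;
    if (with_lock) c->desc_lock = 1;
    for (struct desc *d = c->running; d; d = d->next) {
        tasklet_free_completed(c);   /* models the other CPU's tasklet firing here */
        if (d->freed) uaf_reads++;   /* we still hold a pointer to it */
        sum += d->bytes;
    }
    if (with_lock) c->desc_lock = 0;
    return sum;
}
/* Constructed sample: d0 completed but not yet reaped, d1 still in flight. */
static struct chan *make_chan(void)
{
    struct chan *c = calloc(1, sizeof *c);
    struct desc *d1 = calloc(1, sizeof *d1), *d0 = calloc(1, sizeof *d0);
    d1->bytes = 200; d0->bytes = 100; d0->completed = true; d0->next = d1;
    c->running = d0;
    return c;
}
```

The locked walk returns a consistent 300 bytes and never touches a freed descriptor; the unlocked walk sums the poisoned value because the tasklet freed d0 underneath it.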
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition in the Linux kernel's dmaengine mmp_pdma driver, specifically in the mmp_pdma_residue() function. It can be reproduced by running dmatest on the same channel with multiple threads (threads_per_chan > 1).
To check whether this issue affects your system, first compare the running kernel version (uname -r) against the affected ranges above; a system that does not use the mmp_pdma driver is not exposed. To observe the race itself, run the dmatest kernel module with multiple threads on the affected channel and watch the kernel log for errors.
- Use the dmatest module with multiple threads enabled: modprobe dmatest threads_per_chan=2
- Monitor kernel logs (e.g., using dmesg) for any error messages or warnings related to dmaengine or mmp_pdma.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by adding proper locking in the mmp_pdma_residue() function to prevent use-after-free conditions. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.
Until the kernel is updated, avoid running workloads that trigger multiple concurrent calls to tx_status() on the same DMA channel, such as running dmatest with multiple threads on the same channel.