CVE-2025-71221

ADVISORY - nist

Summary

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:

CPU 0 CPU 1


mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

EPSS Score: 0.00095 (0.008)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in