CVE-2025-71221
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
14/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:

CPU 0                              CPU 1
-----                              -----
mmp_pdma_tx_status()
mmp_pdma_residue()
  -> NO LOCK held
     list_for_each_entry(sw, ..)
                                   DMA interrupt
                                   dma_do_tasklet()
                                     -> spin_lock(&desc_lock)
                                        list_move(sw->node, ...)
                                        spin_unlock(&desc_lock)
  |                                     dma_pool_free(sw)
     access sw->desc 1).

Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
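
The interleaving above, as an added user-space model (not the kernel patch or driver code): it forces the tasklet to run before every descriptor dereference and counts reads of already-freed descriptors, with and without the lock. The struct layout, function names and the three-descriptor chain are assumptions made for illustration.

```c
/* User-space model of the race; not kernel code. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct desc { size_t len; bool freed; struct desc *next; };
struct chan { struct desc *running; bool desc_locked; int stale_reads; };

/* Tasklet on the other CPU: retires the head of the running chain.
 * It takes desc_lock first, so it makes no progress while the lock is held. */
static void tasklet(struct chan *c)
{
    if (c->desc_locked || !c->running)
        return;                       /* real code would spin on the lock */
    struct desc *d = c->running;
    c->running = d->next;             /* list_move() off chain_running */
    d->freed = true;                  /* stands in for dma_pool_free() */
}

/* Residue walk. The tasklet is fired before every dereference to force the
 * worst-case interleaving deterministically. */
static size_t residue(struct chan *c, bool take_lock)
{
    size_t total = 0;
    if (take_lock)
        c->desc_locked = true;        /* spin_lock on chan->desc_lock */
    for (struct desc *sw = c->running; sw; sw = sw->next) {
        tasklet(c);
        if (sw->freed)
            c->stale_reads++;         /* a use-after-free in the real driver */
        total += sw->len;
    }
    if (take_lock)
        c->desc_locked = false;       /* spin_unlock */
    return total;
}

/* Constructed three-descriptor chain; returns the number of stale reads. */
static int run_model(bool take_lock)
{
    struct desc d[3] = { {64, false, &d[1]}, {64, false, &d[2]}, {32, false, NULL} };
    struct chan c = { &d[0], false, 0 };
    residue(&c, take_lock);
    return c.stale_reads;
}

int main(void)
{
    printf("unlocked: %d stale reads\n", run_model(false));
    printf("locked:   %d stale reads\n", run_model(true));
    return 0;
}
```

The model only flags descriptors as freed so the stale reads can be counted safely; in the driver the same reads touch memory already returned to the DMA pool.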



