CVE-2025-71162

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: tegra-adma: Fix use-after-free<br /> <br /> A use-after-free bug exists in the Tegra ADMA driver when audio streams<br /> are terminated, particularly during XRUN conditions. The issue occurs<br /> when the DMA buffer is freed by tegra_adma_terminate_all() before the<br /> vchan completion tasklet finishes accessing it.<br /> <br /> The race condition follows this sequence:<br /> <br /> 1. DMA transfer completes, triggering an interrupt that schedules the<br /> completion tasklet (tasklet has not executed yet)<br /> 2. Audio playback stops, calling tegra_adma_terminate_all() which<br /> frees the DMA buffer memory via kfree()<br /> 3. The scheduled tasklet finally executes, calling vchan_complete()<br /> which attempts to access the already-freed memory<br /> <br /> Since tasklets can execute at any time after being scheduled, there is<br /> no guarantee that the buffer will remain valid when vchan_complete()<br /> runs.<br /> <br /> Fix this by properly synchronizing the virtual channel completion:<br /> - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the<br /> descriptors as terminated instead of freeing the descriptor.<br /> - Add the callback tegra_adma_synchronize() that calls<br /> vchan_synchronize() which kills any pending tasklets and frees any<br /> terminated descriptors.<br /> <br /> Crash logs:<br /> [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0<br /> [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0<br /> <br /> [ 337.427562] Call trace:<br /> [ 337.427564] dump_backtrace+0x0/0x320<br /> [ 337.427571] show_stack+0x20/0x30<br /> [ 337.427575] dump_stack_lvl+0x68/0x84<br /> [ 337.427584] print_address_description.constprop.0+0x74/0x2b8<br /> [ 337.427590] kasan_report+0x1f4/0x210<br /> [ 337.427598] __asan_load8+0xa0/0xd0<br /> [ 337.427603] vchan_complete+0x124/0x3b0<br /> [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0<br /> [ 337.427617] tasklet_action+0x30/0x40<br /> [ 337.427623] __do_softirq+0x1a0/0x5c4<br /> [ 337.427628] irq_exit+0x110/0x140<br /> [ 337.427633] handle_domain_irq+0xa4/0xe0<br /> [ 337.427640] gic_handle_irq+0x64/0x160<br /> [ 337.427644] call_on_irq_stack+0x20/0x4c<br /> [ 337.427649] do_interrupt_handler+0x7c/0x90<br /> [ 337.427654] el1_interrupt+0x30/0x80<br /> [ 337.427659] el1h_64_irq_handler+0x18/0x30<br /> [ 337.427663] el1h_64_irq+0x7c/0x80<br /> [ 337.427667] cpuidle_enter_state+0xe4/0x540<br /> [ 337.427674] cpuidle_enter+0x54/0x80<br /> [ 337.427679] do_idle+0x2e0/0x380<br /> [ 337.427685] cpu_startup_entry+0x2c/0x70<br /> [ 337.427690] rest_init+0x114/0x130<br /> [ 337.427695] arch_call_rest_init+0x18/0x24<br /> [ 337.427702] start_kernel+0x380/0x3b4<br /> [ 337.427706] __primary_switched+0xc0/0xc8