CVE-2025-71221
Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 14/02/2026
Last modified: 18/03/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:

```
CPU 0                              CPU 1
-----                              -----
mmp_pdma_tx_status()
mmp_pdma_residue()
  -> NO LOCK held
     list_for_each_entry(sw, ..)
                                   DMA interrupt
                                   dma_do_tasklet()
                                     -> spin_lock(&desc_lock)
                                        list_move(sw->node, ...)
                                        spin_unlock(&desc_lock)
|                                    dma_pool_free(sw)
     access sw->desc
```

Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
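A userspace model of the locking pattern the description above relies on, added here as an illustration; it is not the kernel driver's code or the upstream patch. It assumes a pthread mutex in place of chan->desc_lock and a plain linked list in place of chain_running, and every struct and function name in it is hypothetical.

```c
/* Constructed userspace model; names are hypothetical, not the driver's. */
#include <pthread.h>
#include <stddef.h>
#include <stdlib.h>

struct desc { size_t len; struct desc *next; };
struct chan {
    pthread_mutex_t desc_lock;  /* stands in for chan->desc_lock */
    struct desc *running;       /* stands in for chain_running */
};
void chan_init(struct chan *c) {
    pthread_mutex_init(&c->desc_lock, NULL);
    c->running = NULL;
}

/* Submit path: queue a descriptor of len bytes at the list head. */
int chan_submit(struct chan *c, size_t len) {
    struct desc *d = malloc(sizeof *d);
    if (!d) return -1;
    d->len = len;
    pthread_mutex_lock(&c->desc_lock);
    d->next = c->running;
    c->running = d;
    pthread_mutex_unlock(&c->desc_lock);
    return 0;
}

/* Completion path (the tasklet's role): unlink under the lock, free after
 * unlocking, as in the CPU 1 column. Returns 1 if a descriptor was freed. */
int chan_complete_one(struct chan *c) {
    pthread_mutex_lock(&c->desc_lock);
    struct desc *d = c->running;
    if (d) c->running = d->next;
    pthread_mutex_unlock(&c->desc_lock);
    int freed = (d != NULL);
    free(d);
    return freed;
}

/* Status path (the residue walk): iteration and every d->len read happen
 * with the lock held, so a node cannot be unlinked and freed mid-walk. */
size_t chan_residue(struct chan *c) {
    size_t sum = 0;
    pthread_mutex_lock(&c->desc_lock);
    for (struct desc *d = c->running; d; d = d->next)
        sum += d->len;
    pthread_mutex_unlock(&c->desc_lock);
    return sum;
}
```

Because the completion path frees only after it has unlinked the node under the lock, a reader that holds the same lock for the whole walk can never reach a node that is about to be freed.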
Impact
Base Score 3.x: 7.00
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.16 (including) | 6.18.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* | | |



