dmaengine MMP PDMA Residue UAF
CVE-2025-71221
Severity: HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.0 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:

    CPU 0                            CPU 1
    -----                            -----
    mmp_pdma_tx_status()
      mmp_pdma_residue()
        -> NO LOCK held
        list_for_each_entry(sw, ..)
                                     DMA interrupt
                                     dma_do_tasklet()
                                       -> spin_lock(&desc_lock)
                                       list_move(sw->node, ...)
                                       spin_unlock(&desc_lock)
                                       |
                                       dma_pool_free(sw)  <- FREED!
        -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
02 KernelScan AI Analysis
Risk summary
A race condition in the MMP PDMA driver allows concurrent access to DMA descriptor lists, potentially causing kernel crashes or memory corruption when multiple threads check DMA transfer status while interrupts are processing completed transfers. This affects embedded systems using MMP PDMA hardware and could lead to system instability or potential privilege escalation through kernel memory corruption.
Vulnerability analysis
Root Cause: The mmp_pdma_residue() function iterates over the chain_running descriptor list without holding the desc_lock spinlock. This creates a race condition where the DMA interrupt tasklet on another CPU can free descriptors (via dma_pool_free) while the residue function is still accessing them, leading to use-after-free when dereferencing the freed descriptor structure.
Attack Surface: This vulnerability requires local access to trigger DMA operations with multiple threads on the same channel. It affects systems using the MMP PDMA controller and can be reproduced through the dmatest kernel module with threads_per_chan > 1. The vulnerability is hardware-specific to platforms with MMP PDMA controllers.
Fix Mechanism: The patch adds proper locking by acquiring chan->desc_lock with spin_lock_irqsave() before iterating the descriptor list and releasing it with spin_unlock_irqrestore() after completing the iteration or when returning early. This ensures exclusive access to the descriptor list and prevents concurrent freeing of descriptors during traversal.
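A user-space model of the locking discipline described above, added here as an example and not taken from the driver: a test-and-set spinlock stands in for chan->desc_lock (spin_lock_irqsave() has no user-space equivalent, so interrupt masking is not modelled), the chain_running list is a hypothetical singly linked list, and the function and field names (submit_desc, tasklet_complete, residue_locked, cookie, len) are assumptions. It shows the two rules the fix relies on: the completion path frees descriptors only while holding the lock, and the residue path holds the same lock across the whole walk, including its early-return branch.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical user-space model of one channel's chain_running list. */
struct sw_desc { unsigned cookie, len; struct sw_desc *next; };
static struct sw_desc *chain_running;             /* list head */
static atomic_flag desc_lock = ATOMIC_FLAG_INIT;  /* stands in for chan->desc_lock */
/* Test-and-set spinlock: user-space analogue of spin_lock()/spin_unlock(). */
static void desc_lock_acquire(void)
{
    while (atomic_flag_test_and_set_explicit(&desc_lock, memory_order_acquire)) { }
}
static void desc_lock_release(void) { atomic_flag_clear_explicit(&desc_lock, memory_order_release); }

void submit_desc(unsigned cookie, unsigned len)   /* queue `len` bytes for transaction `cookie` */
{
    struct sw_desc *sw = malloc(sizeof(*sw));
    sw->cookie = cookie; sw->len = len;
    desc_lock_acquire();
    sw->next = chain_running; chain_running = sw;
    desc_lock_release();
}

/* Completion path: unlink and free the finished transaction's descriptors with the lock
 * held, as dma_do_tasklet() does around list_move() and dma_pool_free(). */
void tasklet_complete(unsigned cookie)
{
    desc_lock_acquire();
    for (struct sw_desc **pp = &chain_running; *pp; ) {
        struct sw_desc *sw = *pp;
        if (sw->cookie == cookie) { *pp = sw->next; free(sw); } else pp = &sw->next;
    }
    desc_lock_release();
}

/* Fixed residue(): the list walk and descriptor reads happen under desc_lock, and the
 * early-return path releases it, so tasklet_complete() cannot free `sw` mid-walk. */
long residue_locked(unsigned cookie)
{
    long sum = 0; struct sw_desc *sw;
    desc_lock_acquire();
    for (sw = chain_running; sw && sw->cookie != cookie; sw = sw->next) { }
    if (!sw) {                      /* transaction already completed: early return */
        desc_lock_release();        /* the lock must still be dropped on this path */
        return -1;
    }
    for (; sw; sw = sw->next)
        if (sw->cookie == cookie) sum += sw->len;
    desc_lock_release();
    return sum;
}
```

The unfixed pattern is the same residue_locked() body with the acquire and release calls removed; running that variant against a concurrent tasklet_complete() is exactly the window the dmatest reproducer hits.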
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 3f0e0e2d9e75 |
| 6.1 | 6.1.167 | dfb5e0522774 |
| 6.6 | 6.6.130 | eba0c75670c0 |
| 6.12 | 6.12.78 | fc023b8fab05 |
| 6.18 | 6.18.10 | 9f665b3c3d9a |
| mainline | 6.19 | a143545855bc |