{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71162","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:30:19.666Z","datePublished":"2026-01-25T14:36:09.029Z","dateUpdated":"2026-05-11T21:56:10.084Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:56:10.084Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n  1. DMA transfer completes, triggering an interrupt that schedules the\n     completion tasklet (tasklet has not executed yet)\n  2. Audio playback stops, calling tegra_adma_terminate_all() which\n     frees the DMA buffer memory via kfree()\n  3. The scheduled tasklet finally executes, calling vchan_complete()\n     which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n   descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n   vchan_synchronize() which kills any pending tasklets and frees any\n   terminated descriptors.\n\nCrash logs:\n[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[  337.427562] Call trace:\n[  337.427564]  dump_backtrace+0x0/0x320\n[  337.427571]  show_stack+0x20/0x30\n[  337.427575]  dump_stack_lvl+0x68/0x84\n[  337.427584]  print_address_description.constprop.0+0x74/0x2b8\n[  337.427590]  kasan_report+0x1f4/0x210\n[  337.427598]  __asan_load8+0xa0/0xd0\n[  337.427603]  vchan_complete+0x124/0x3b0\n[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0\n[  337.427617]  tasklet_action+0x30/0x40\n[  337.427623]  __do_softirq+0x1a0/0x5c4\n[  337.427628]  irq_exit+0x110/0x140\n[  337.427633]  handle_domain_irq+0xa4/0xe0\n[  337.427640]  gic_handle_irq+0x64/0x160\n[  337.427644]  call_on_irq_stack+0x20/0x4c\n[  337.427649]  do_interrupt_handler+0x7c/0x90\n[  337.427654]  el1_interrupt+0x30/0x80\n[  337.427659]  el1h_64_irq_handler+0x18/0x30\n[  337.427663]  el1h_64_irq+0x7c/0x80\n[  337.427667]  cpuidle_enter_state+0xe4/0x540\n[  337.427674]  cpuidle_enter+0x54/0x80\n[  337.427679]  do_idle+0x2e0/0x380\n[  337.427685]  cpu_startup_entry+0x2c/0x70\n[  337.427690]  rest_init+0x114/0x130\n[  337.427695]  arch_call_rest_init+0x18/0x24\n[  337.427702]  start_kernel+0x380/0x3b4\n[  337.427706]  __primary_switched+0xc0/0xc8"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/tegra210-adma.c"],"versions":[{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"5f8d1d66a952d0396671e1f21ff8127a4d14fb4e","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"76992310f80776b4d1f7f8915f59b92883a3e44c","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"ae3eed72de682ddbba507ed2d6b848c21a6b721e","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"59cb421b0902fbef2b9512ae8ba198a20f26b41f","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"be655c3736b3546f39bc8116ffbf2a3b6cac96c4","status":"affected","versionType":"git"},{"version":"f46b195799b5cb05338e7c44cb3617eacb56d755","lessThan":"2efd07a7c36949e6fa36a69183df24d368bf9e96","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/dma/tegra210-adma.c"],"versions":[{"version":"4.7","status":"affected"},{"version":"0","lessThan":"4.7","status":"unaffected","versionType":"semver"},{"version":"5.10.249","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.199","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.162","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.67","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.7","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.10.249"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"5.15.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.1.162"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.6.122"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.12.67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.18.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.7","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"},{"url":"https://git.kernel.org/stable/c/76992310f80776b4d1f7f8915f59b92883a3e44c"},{"url":"https://git.kernel.org/stable/c/ae3eed72de682ddbba507ed2d6b848c21a6b721e"},{"url":"https://git.kernel.org/stable/c/59cb421b0902fbef2b9512ae8ba198a20f26b41f"},{"url":"https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"},{"url":"https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"},{"url":"https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"}],"title":"dmaengine: tegra-adma: Fix use-after-free","x_generator":{"engine":"bippy-1.2.0"}}}}