DEBIAN-CVE-2025-71221
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux-6.1 | 0, 6.1.164-1, 6.1.162-1 |
| Debian:11 | linux | 6.16.12-2, 6.1~rc6-1~exp1, 6.1~rc8-1~exp1 |
| Debian:12 | linux | 6.9.10-1~bpo12+1, 6.13.9-1~exp1, 6.13~rc7-1~exp1 |
| Debian:13 | linux | 6.12.73-1~bpo12+1, 6.12.74-1, 6.12.74-2 |
| Debian:14 | linux | 6.17.13-1~bpo13+1, 6.17.5-1~exp1, 6.17.7-1 |
Timeline
- Feb 14, 2026 CVE Published
- May 2, 2026 CVE Updated