CVE-2025-71162 (GCVE-0-2025-71162)

Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-01-25 14:36
Title
dmaengine: tegra-adma: Fix use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: tegra-adma: Fix use-after-free

A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

The race condition follows this sequence:

  1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
  2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
  3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.

Fix this by properly synchronizing the virtual channel completion:

  - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
  - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors.

Crash logs:

  [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
  [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

  [ 337.427562] Call trace:
  [ 337.427564]  dump_backtrace+0x0/0x320
  [ 337.427571]  show_stack+0x20/0x30
  [ 337.427575]  dump_stack_lvl+0x68/0x84
  [ 337.427584]  print_address_description.constprop.0+0x74/0x2b8
  [ 337.427590]  kasan_report+0x1f4/0x210
  [ 337.427598]  __asan_load8+0xa0/0xd0
  [ 337.427603]  vchan_complete+0x124/0x3b0
  [ 337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0
  [ 337.427617]  tasklet_action+0x30/0x40
  [ 337.427623]  __do_softirq+0x1a0/0x5c4
  [ 337.427628]  irq_exit+0x110/0x140
  [ 337.427633]  handle_domain_irq+0xa4/0xe0
  [ 337.427640]  gic_handle_irq+0x64/0x160
  [ 337.427644]  call_on_irq_stack+0x20/0x4c
  [ 337.427649]  do_interrupt_handler+0x7c/0x90
  [ 337.427654]  el1_interrupt+0x30/0x80
  [ 337.427659]  el1h_64_irq_handler+0x18/0x30
  [ 337.427663]  el1h_64_irq+0x7c/0x80
  [ 337.427667]  cpuidle_enter_state+0xe4/0x540
  [ 337.427674]  cpuidle_enter+0x54/0x80
  [ 337.427679]  do_idle+0x2e0/0x380
  [ 337.427685]  cpu_startup_entry+0x2c/0x70
  [ 337.427690]  rest_init+0x114/0x130
  [ 337.427695]  arch_call_rest_init+0x18/0x24
  [ 337.427702]  start_kernel+0x380/0x3b4
  [ 337.427706]  __primary_switched+0xc0/0xc8
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Versions:
  Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca (git)
  Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < be655c3736b3546f39bc8116ffbf2a3b6cac96c4 (git)
  Affected: f46b195799b5cb05338e7c44cb3617eacb56d755 , < 2efd07a7c36949e6fa36a69183df24d368bf9e96 (git)

Vendor: Linux
Product: Linux
Versions:
  Affected: 4.7
  Unaffected: 0 , < 4.7 (semver)
  Unaffected: 6.12.67 , ≤ 6.12.* (semver)
  Unaffected: 6.18.7 , ≤ 6.18.* (semver)
  Unaffected: 6.19-rc6 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/tegra210-adma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca",
              "status": "affected",
              "version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
              "versionType": "git"
            },
            {
              "lessThan": "be655c3736b3546f39bc8116ffbf2a3b6cac96c4",
              "status": "affected",
              "version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
              "versionType": "git"
            },
            {
              "lessThan": "2efd07a7c36949e6fa36a69183df24d368bf9e96",
              "status": "affected",
              "version": "f46b195799b5cb05338e7c44cb3617eacb56d755",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/tegra210-adma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.67",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc6",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n  1. DMA transfer completes, triggering an interrupt that schedules the\n     completion tasklet (tasklet has not executed yet)\n  2. Audio playback stops, calling tegra_adma_terminate_all() which\n     frees the DMA buffer memory via kfree()\n  3. The scheduled tasklet finally executes, calling vchan_complete()\n     which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n   descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n   vchan_synchronize() which kills any pending tasklets and frees any\n   terminated descriptors.\n\nCrash logs:\n[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[  337.427562] Call trace:\n[  337.427564]  dump_backtrace+0x0/0x320\n[  337.427571]  show_stack+0x20/0x30\n[  337.427575]  dump_stack_lvl+0x68/0x84\n[  337.427584]  print_address_description.constprop.0+0x74/0x2b8\n[  337.427590]  kasan_report+0x1f4/0x210\n[  337.427598]  __asan_load8+0xa0/0xd0\n[  337.427603]  vchan_complete+0x124/0x3b0\n[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0\n[  337.427617]  tasklet_action+0x30/0x40\n[  337.427623]  __do_softirq+0x1a0/0x5c4\n[  337.427628]  
irq_exit+0x110/0x140\n[  337.427633]  handle_domain_irq+0xa4/0xe0\n[  337.427640]  gic_handle_irq+0x64/0x160\n[  337.427644]  call_on_irq_stack+0x20/0x4c\n[  337.427649]  do_interrupt_handler+0x7c/0x90\n[  337.427654]  el1_interrupt+0x30/0x80\n[  337.427659]  el1h_64_irq_handler+0x18/0x30\n[  337.427663]  el1h_64_irq+0x7c/0x80\n[  337.427667]  cpuidle_enter_state+0xe4/0x540\n[  337.427674]  cpuidle_enter+0x54/0x80\n[  337.427679]  do_idle+0x2e0/0x380\n[  337.427685]  cpu_startup_entry+0x2c/0x70\n[  337.427690]  rest_init+0x114/0x130\n[  337.427695]  arch_call_rest_init+0x18/0x24\n[  337.427702]  start_kernel+0x380/0x3b4\n[  337.427706]  __primary_switched+0xc0/0xc8"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-25T14:36:09.029Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"
        }
      ],
      "title": "dmaengine: tegra-adma: Fix use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71162",
    "datePublished": "2026-01-25T14:36:09.029Z",
    "dateReserved": "2026-01-13T15:30:19.666Z",
    "dateUpdated": "2026-01-25T14:36:09.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71162\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-25T15:15:53.947\",\"lastModified\":\"2026-01-26T15:03:33.357\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndmaengine: tegra-adma: Fix use-after-free\\n\\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\\nare terminated, particularly during XRUN conditions. The issue occurs\\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\\nvchan completion tasklet finishes accessing it.\\n\\nThe race condition follows this sequence:\\n\\n  1. DMA transfer completes, triggering an interrupt that schedules the\\n     completion tasklet (tasklet has not executed yet)\\n  2. Audio playback stops, calling tegra_adma_terminate_all() which\\n     frees the DMA buffer memory via kfree()\\n  3. The scheduled tasklet finally executes, calling vchan_complete()\\n     which attempts to access the already-freed memory\\n\\nSince tasklets can execute at any time after being scheduled, there is\\nno guarantee that the buffer will remain valid when vchan_complete()\\nruns.\\n\\nFix this by properly synchronizing the virtual channel completion:\\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\\n   descriptors as terminated instead of freeing the descriptor.\\n - Add the callback tegra_adma_synchronize() that calls\\n   vchan_synchronize() which kills any pending tasklets and frees any\\n   terminated descriptors.\\n\\nCrash logs:\\n[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\\n[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\\n\\n[  337.427562] Call trace:\\n[  337.427564]  dump_backtrace+0x0/0x320\\n[  337.427571]  show_stack+0x20/0x30\\n[  337.427575]  dump_stack_lvl+0x68/0x84\\n[  337.427584]  
print_address_description.constprop.0+0x74/0x2b8\\n[  337.427590]  kasan_report+0x1f4/0x210\\n[  337.427598]  __asan_load8+0xa0/0xd0\\n[  337.427603]  vchan_complete+0x124/0x3b0\\n[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0\\n[  337.427617]  tasklet_action+0x30/0x40\\n[  337.427623]  __do_softirq+0x1a0/0x5c4\\n[  337.427628]  irq_exit+0x110/0x140\\n[  337.427633]  handle_domain_irq+0xa4/0xe0\\n[  337.427640]  gic_handle_irq+0x64/0x160\\n[  337.427644]  call_on_irq_stack+0x20/0x4c\\n[  337.427649]  do_interrupt_handler+0x7c/0x90\\n[  337.427654]  el1_interrupt+0x30/0x80\\n[  337.427659]  el1h_64_irq_handler+0x18/0x30\\n[  337.427663]  el1h_64_irq+0x7c/0x80\\n[  337.427667]  cpuidle_enter_state+0xe4/0x540\\n[  337.427674]  cpuidle_enter+0x54/0x80\\n[  337.427679]  do_idle+0x2e0/0x380\\n[  337.427685]  cpu_startup_entry+0x2c/0x70\\n[  337.427690]  rest_init+0x114/0x130\\n[  337.427695]  arch_call_rest_init+0x18/0x24\\n[  337.427702]  start_kernel+0x380/0x3b4\\n[  337.427706]  __primary_switched+0xc0/0xc8\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

