CVE-2025-71162 in Linux
Summary
by MITRE • 01/25/2026
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra-adma: Fix use-after-free
A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.
Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
Analysis
by VulDB Data Team • 05/17/2026
CVE-2025-71162 is a critical use-after-free in the Tegra ADMA driver of the Linux kernel, triggered when audio streams are terminated, especially under XRUN conditions. The DMA buffer memory is freed by tegra_adma_terminate_all() before the virtual channel completion tasklet has finished accessing it, a race that can lead to system instability and potential exploitation. The issue manifests when audio playback is stopped while DMA transfers are still in progress, particularly in error states where the system is handling audio underruns or overruns. The root cause is missing synchronization between the DMA subsystem's termination logic and the asynchronous tasklet that completes virtual channel operations.
The sequence of events that exposes the race is well defined. When a DMA transfer completes, the interrupt schedules a completion tasklet, but that tasklet has not yet run when audio stream termination begins. The tegra_adma_stop() function calls tegra_adma_terminate_all(), which immediately frees the DMA buffer memory via kfree(); the scheduled tasklet then executes and accesses the freed memory in vchan_complete(). Because a tasklet can run at any time after it is scheduled, nothing guarantees that the memory it references is still valid, and the absence of synchronization leaves a window in which the invalid access occurs.
The impact goes beyond a simple crash: the corruption affects the integrity of the audio subsystem and of kernel memory management. The KASAN report shows an 8-byte read from address 0xffff000132055428, memory the allocator had already freed. Such memory corruption can produce unpredictable behaviour, from system panics and audio glitches to more sinister exploitation in which an attacker leverages the corrupted memory state to execute arbitrary code. The fault is in vchan_complete(), part of the DMA engine's virtual channel handling, so the vulnerability affects the core operation of the audio DMA subsystem rather than a peripheral path.
The fix introduces proper coordination between the termination path and tasklet execution. tegra_adma_stop() now calls vchan_terminate_vdesc(), which marks the descriptor as terminated instead of freeing it immediately, and a new tegra_adma_synchronize() callback calls vchan_synchronize(), which kills any pending tasklet and frees the terminated descriptors only after all pending operations have completed. This follows established practice for preventing use-after-free (CWE-416) in concurrent code: a resource is released only once no outstanding reference can still reach it, so the race between asynchronous tasklet execution and deallocation cannot occur and memory integrity is preserved during audio stream termination.
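The three-step race in the Summary and the fix described above can be reproduced deterministically in a small user-space model. The following C program is an added example, not code from the Linux kernel or the tegra-adma driver: it models a virtual channel with an active cyclic descriptor, a pending completion tasklet, and a shadow "live" table that plays the role of KASAN's allocation tracking. Names such as run_sequence(), run_tasklet(), terminate_all() and synchronize() are hypothetical stand-ins for the kernel's vchan_complete(), tegra_adma_terminate_all() and tegra_adma_synchronize()/vchan_synchronize() paths. In the original ordering the descriptor is freed in terminate_all while the tasklet is still pending, and the tasklet then reads it; in the fixed ordering the descriptor is parked on the terminated list, the cyclic pointer is cleared, and the memory is released only in synchronize(), after the tasklet has been drained.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of the virt-dma descriptor lifecycle (not kernel code). */
#define NDESC 4

struct adma_desc {
    int id;
    int callback_token;   /* stands in for the 8-byte callback pointer vchan_complete() reads */
};

static struct adma_desc pool[NDESC];
static int live[NDESC];   /* allocator shadow: 1 = allocated, 0 = freed (what KASAN tracks) */

static int desc_alloc(int id) {
    for (int i = 0; i < NDESC; i++) {
        if (!live[i]) {
            live[i] = 1;
            pool[i].id = id;
            pool[i].callback_token = 0x40 + id;
            return i;
        }
    }
    return -1;
}

static void desc_free(int i) { live[i] = 0; }

/* Number of descriptors still allocated; 0 means no leak after a sequence. */
int live_count(void) { int n = 0; for (int i = 0; i < NDESC; i++) n += live[i]; return n; }

struct vchan {
    int cyclic;                 /* index of the active cyclic descriptor, -1 if none */
    int terminated[NDESC];      /* vc->desc_terminated: parked until synchronize() */
    int n_terminated;
    int tasklet_pending;        /* completion tasklet scheduled but not yet run */
};

/* Step 1: a DMA period completes; the IRQ handler only schedules the tasklet. */
static void irq_handler(struct vchan *vc) { if (vc->cyclic >= 0) vc->tasklet_pending = 1; }

/* Step 3: the tasklet body (vchan_complete). Returns 1 if it read freed memory. */
static int run_tasklet(struct vchan *vc) {
    if (!vc->tasklet_pending) return 0;
    vc->tasklet_pending = 0;
    int vd = vc->cyclic;
    if (vd < 0) return 0;                   /* nothing active: the fixed path lands here */
    if (!live[vd]) return 1;                /* KASAN would report: use-after-free in vchan_complete */
    (void)pool[vd].callback_token;          /* dmaengine_desc_get_callback(&vd->tx, ...) */
    return 0;
}

/* Step 2: playback stops and the client calls terminate_all. */
static void terminate_all(struct vchan *vc, int fixed) {
    int vd = vc->cyclic;
    if (vd < 0) return;
    if (fixed) {
        /* vchan_terminate_vdesc(): park on desc_terminated, drop vc->cyclic, do not free. */
        vc->terminated[vc->n_terminated++] = vd;
        vc->cyclic = -1;
    } else {
        /* original tegra_adma_stop(): kfree() while the tasklet may still be pending. */
        desc_free(vd);
    }
}

/* device_synchronize callback (tegra_adma_synchronize -> vchan_synchronize). */
static void synchronize(struct vchan *vc) {
    run_tasklet(vc);                      /* tasklet_kill(): let any pending run finish first */
    for (int i = 0; i < vc->n_terminated; i++)
        desc_free(vc->terminated[i]);     /* now safe: no tasklet can still reference them */
    vc->n_terminated = 0;
}

/* Runs the full sequence; returns 1 if the tasklet touched freed memory, else 0.
 * tasklet_before_sync selects whether the tasklet fires before or only inside synchronize(). */
int run_sequence(int fixed, int tasklet_before_sync) {
    memset(live, 0, sizeof live);
    struct vchan vc = { .cyclic = -1 };
    vc.cyclic = desc_alloc(1);            /* issue_pending: descriptor becomes the active one */
    irq_handler(&vc);                     /* step 1 */
    terminate_all(&vc, fixed);            /* step 2 */
    int uaf = tasklet_before_sync ? run_tasklet(&vc) : 0;   /* step 3 */
    if (fixed) synchronize(&vc);          /* client calls dmaengine_synchronize() after terminate */
    return uaf;
}

int main(void) {
    printf("original ordering: uaf=%d live=%d\n", run_sequence(0, 1), live_count());
    printf("fixed, tasklet before sync: uaf=%d live=%d\n", run_sequence(1, 1), live_count());
    printf("fixed, tasklet only in sync: uaf=%d live=%d\n", run_sequence(1, 0), live_count());
    return 0;
}
```

The model makes the key property visible: correctness does not come from "freeing later" alone but from clearing every path by which the tasklet could reach the descriptor (vc->cyclic) and then draining the tasklet before the terminated list is released, which is exactly the pair of changes the patch makes.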
The vulnerability is a classic case of improper concurrency control in a kernel driver and shows why memory lifetime must be managed carefully around asynchronous work. The fix specifically addresses the ATT&CK technique T1059.007 for kernel exploits by enforcing proper memory lifecycle management and removing the conditions that could lead to memory corruption. The design flaw underlines the need for kernel developers to consider every execution path when implementing DMA operations, particularly hardware interrupts and asynchronous tasklet processing. Even well-established kernel subsystems can contain subtle race conditions that become exploitable under specific conditions, which is why thorough testing and code review of security-critical kernel components matter.