PatchSiren cyber security CVE debrief

CVE-2025-71221 Linux CVE debrief

A race condition in the Linux kernel's MMP PDMA (Peripheral DMA) engine driver can lead to a use-after-free when multiple threads query DMA transaction status while the completion tasklet frees finished descriptors on another CPU. The defect is in mmp_pdma_residue(), which iterates the channel's chain_running descriptor list without holding the channel's desc_lock spinlock. The interrupt-driven tasklet can move and free a descriptor between the list iteration step and the subsequent member access, so the status path reads freed memory. The issue is reproducible under dmatest (the kernel's in-tree dmaengine test module) with threads_per_chan > 1. The fix takes desc_lock around the list iteration and descriptor access in mmp_pdma_residue().

Vendor
Linux
Product
Unknown
CVSS
7.0 (HIGH)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-14
Original CVE updated
2026-06-01
Advisory published
2026-02-14
Advisory updated
2026-06-01

Who should care

Linux kernel maintainers; embedded systems vendors shipping Marvell MMP (PXA) SoCs with the MMP PDMA driver (CONFIG_MMP_PDMA) enabled; security teams tracking kernel DMA subsystem fixes; and organizations whose in-kernel DMA clients issue concurrent status queries on affected kernels.

Technical summary

The MMP PDMA driver in the Linux kernel contains a race condition in mmp_pdma_residue(), reached through the dmaengine tx_status() path. The function iterates the chain_running list and accesses descriptor members without acquiring chan->desc_lock. Concurrently, the DMA interrupt tasklet on another CPU may acquire desc_lock, move the descriptor to a completed list, free it via dma_pool_free(), and release the lock. The tx_status() path then dereferences the freed descriptor, a use-after-free. The fix protects the list iteration and descriptor access with the existing desc_lock spinlock. Note that tx_status() is a kernel-internal API: userspace has no direct path to it, so triggering the race requires an in-kernel DMA client (dmatest, or a driver that issues status queries from several contexts) running against an MMP PDMA channel. That is why the vector records local access, low privileges, and high attack complexity.
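As an added illustration of the interleaving described above (a constructed userspace model, not the driver's code or the upstream fix), the block below replays the race deterministically. It keeps the kernel's intrusive-list shape, stands in for desc_lock with a flag that the "CPU1" tasklet checks instead of spinning on, and poisons a freed descriptor instead of unmapping it so the stale read is observable. Every identifier here (residue_model, tasklet_run, other_cpu, the descriptor layout, the three-descriptor channel state) is the model's own assumption; the real field names and the exact locking change are in the upstream commits.

```c
/* Userspace model of the mmp_pdma_residue() race. Constructed for this page, not driver code: a
 * kernel-style intrusive list plus a flag standing in for desc_lock replay the CPU0/CPU1 interleaving
 * deterministically. Every name and layout here is the model's own assumption. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) { n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_move_tail(struct list_head *n, struct list_head *h) { n->prev->next = n->next; n->next->prev = n->prev; list_add_tail(n, h); }

#define DESC_FREED 0xdeadbeefu                /* poison written by the model's dma_pool_free() */
struct mmp_pdma_desc_sw {                     /* hypothetical layout, not the driver's */
    uint32_t magic;                           /* model-only: 0 while live, DESC_FREED after free */
    uint32_t len;                             /* bytes this descriptor transfers */
    bool done;                                /* hardware has completed it */
    struct list_head node;                    /* link on chain_running / chain_completed */
};
struct mmp_pdma_chan {
    bool desc_lock_held;                      /* stands in for chan->desc_lock */
    struct list_head chain_running, chain_completed;
    void (*other_cpu)(struct mmp_pdma_chan *); /* model-only: CPU1's tasklet, fires once */
    int uaf_hits;                             /* model-only: freed descriptors touched by CPU0 */
    struct mmp_pdma_desc_sw pool[3];          /* model's dma_pool: backing store, never unmapped */
};
static void desc_lock(struct mmp_pdma_chan *c)   { assert(!c->desc_lock_held); c->desc_lock_held = true; }
static void desc_unlock(struct mmp_pdma_chan *c) { c->desc_lock_held = false; }
static void dma_pool_free_model(struct mmp_pdma_desc_sw *d) { d->magic = DESC_FREED; } /* poison, stays readable */

/* CPU1 tasklet: under desc_lock, move finished descriptors off chain_running and free them.
 * Returns false if the lock is held elsewhere (the real tasklet would spin until it is dropped). */
static bool tasklet_run(struct mmp_pdma_chan *c)
{
    if (c->desc_lock_held)
        return false;
    desc_lock(c);
    for (struct list_head *p = c->chain_running.next, *n = p->next; p != &c->chain_running; p = n, n = p->next) {
        struct mmp_pdma_desc_sw *d = container_of(p, struct mmp_pdma_desc_sw, node);
        if (d->done) {
            list_move_tail(&d->node, &c->chain_completed);
            dma_pool_free_model(d);
        }
    }
    desc_unlock(c);
    return true;
}
static void cpu1_fires_once(struct mmp_pdma_chan *c) { c->other_cpu = NULL; tasklet_run(c); }

/* CPU0 status query. take_lock=false is the vulnerable shape: chain_running is walked with no lock,
 * so CPU1 can run between the iterator step and the member access (the model stops at the first
 * stale descriptor; the real driver keeps reading freed memory). take_lock=true is the fixed shape:
 * the same walk under desc_lock, so the tasklet cannot reap until the lock is released. */
static uint32_t residue_model(struct mmp_pdma_chan *c, bool take_lock)
{
    uint32_t residue = 0;
    if (take_lock)
        desc_lock(c);
    for (struct list_head *p = c->chain_running.next; p != &c->chain_running; p = p->next) {
        struct mmp_pdma_desc_sw *d = container_of(p, struct mmp_pdma_desc_sw, node);
        if (c->other_cpu)
            c->other_cpu(c);                  /* list_move + dma_pool_free on d, unless we hold the lock */
        if (d->magic == DESC_FREED) {
            c->uaf_hits++;
            break;
        }
        if (!d->done)
            residue += d->len;
    }
    if (take_lock)
        desc_unlock(c);
    return residue;
}

/* Constructed channel state: descriptor 0 already completed by hardware, two still pending. */
static void chan_init(struct mmp_pdma_chan *c)
{
    static const struct { uint32_t len; bool done; } plan[3] = { {4096, true}, {4096, false}, {1024, false} };
    *c = (struct mmp_pdma_chan){ .other_cpu = cpu1_fires_once };
    list_init(&c->chain_running);
    list_init(&c->chain_completed);
    for (size_t i = 0; i < 3; i++) {
        c->pool[i].len = plan[i].len;
        c->pool[i].done = plan[i].done;
        list_add_tail(&c->pool[i].node, &c->chain_running);
    }
}

struct replay { int uaf_hits; uint32_t residue, residue_after_reap; };
/* Run CPU0's query against the interleaving, then let the (possibly deferred) tasklet reap. */
static struct replay replay_query(bool take_lock)
{
    struct mmp_pdma_chan c;
    chan_init(&c);
    struct replay r = { .residue = residue_model(&c, take_lock) };
    tasklet_run(&c);                          /* no-op if CPU1 already reaped mid-walk */
    r.residue_after_reap = residue_model(&c, take_lock);
    r.uaf_hits = c.uaf_hits;
    return r;
}
```

With the lock omitted, the query touches the poisoned descriptor once and also returns a wrong residue of 0, because the walk was cut short; with desc_lock held, the tasklet is deferred, the query returns the correct 5120 bytes outstanding, and the reap that follows leaves the next query's answer unchanged. The model's "back off" stands in for a real spinlock's spinning, which is the only property the fix relies on: CPU1 cannot reach list_move/dma_pool_free while CPU0 is inside the walk. The same shape applies when reviewing other dmaengine drivers, as the defensive actions below suggest: any list iteration over descriptors that a completion path can free must sit under the same lock that path takes.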

Defensive priority

HIGH

Recommended defensive actions

  • Apply the upstream kernel patches that add desc_lock spinlock protection in mmp_pdma_residue() for affected kernel versions (3.16 through 6.18.10 and 6.19-rc1 through 6.19-rc5).
  • If patching is not immediately feasible, avoid running multi-threaded DMA tests or workloads with threads_per_chan > 1 on MMP PDMA channels, as this is the reported reproduction condition. dmatest is a developer test module and should not be loaded on production systems in any case; note that this only removes the known reproducer, not the underlying race, which any in-kernel client issuing concurrent status queries could still hit.
  • Monitor vendor kernel security updates for backported fixes to stable and long-term support branches.
  • Review custom or out-of-tree DMA engine drivers for similar missing locking around descriptor list iteration and access patterns.

Evidence notes

The vulnerability description and fix were published on 2026-02-14 and modified on 2026-06-01 per NVD. The race condition is documented with a CPU interleaving diagram showing the missing lock in mmp_pdma_residue() versus the tasklet's desc_lock-protected list_move and dma_pool_free. Two commits are tagged as Patch in the NVD references. Affected versions span Linux kernel 3.16 through 6.18.10 and 6.19-rc1 through 6.19-rc5 per CPE criteria. CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H yields a base score of 7.0 (HIGH). CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) is assigned.

Official resources

2026-02-14