{"id":"CVE-2025-71162","summary":"dmaengine: tegra-adma: Fix use-after-free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n  1. DMA transfer completes, triggering an interrupt that schedules the\n     completion tasklet (tasklet has not executed yet)\n  2. Audio playback stops, calling tegra_adma_terminate_all() which\n     frees the DMA buffer memory via kfree()\n  3. The scheduled tasklet finally executes, calling vchan_complete()\n     which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n   descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n   vchan_synchronize() which kills any pending tasklets and frees any\n   terminated descriptors.\n\nCrash logs:\n[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[  337.427562] Call trace:\n[  337.427564]  dump_backtrace+0x0/0x320\n[  337.427571]  show_stack+0x20/0x30\n[  337.427575]  dump_stack_lvl+0x68/0x84\n[  337.427584]  print_address_description.constprop.0+0x74/0x2b8\n[  337.427590]  kasan_report+0x1f4/0x210\n[  337.427598]  __asan_load8+0xa0/0xd0\n[  337.427603]  vchan_complete+0x124/0x3b0\n[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0\n[  337.427617]  tasklet_action+0x30/0x40\n[  337.427623]  __do_softirq+0x1a0/0x5c4\n[  337.427628]  irq_exit+0x110/0x140\n[  337.427633]  handle_domain_irq+0xa4/0xe0\n[  337.427640]  gic_handle_irq+0x64/0x160\n[  337.427644]  call_on_irq_stack+0x20/0x4c\n[  337.427649]  do_interrupt_handler+0x7c/0x90\n[  337.427654]  el1_interrupt+0x30/0x80\n[  337.427659]  el1h_64_irq_handler+0x18/0x30\n[  337.427663]  el1h_64_irq+0x7c/0x80\n[  337.427667]  cpuidle_enter_state+0xe4/0x540\n[  337.427674]  cpuidle_enter+0x54/0x80\n[  337.427679]  do_idle+0x2e0/0x380\n[  337.427685]  cpu_startup_entry+0x2c/0x70\n[  337.427690]  rest_init+0x114/0x130\n[  337.427695]  arch_call_rest_init+0x18/0x24\n[  337.427702]  start_kernel+0x380/0x3b4\n[  337.427706]  __primary_switched+0xc0/0xc8","modified":"2026-03-31T17:29:56.413961Z","published":"2026-01-25T14:36:09.029Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71162.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/59cb421b0902fbef2b9512ae8ba198a20f26b41f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76992310f80776b4d1f7f8915f59b92883a3e44c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae3eed72de682ddbba507ed2d6b848c21a6b721e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71162.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71162"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f46b195799b5cb05338e7c44cb3617eacb56d755"},{"fixed":"5f8d1d66a952d0396671e1f21ff8127a4d14fb4e"},{"fixed":"76992310f80776b4d1f7f8915f59b92883a3e44c"},{"fixed":"ae3eed72de682ddbba507ed2d6b848c21a6b721e"},{"fixed":"59cb421b0902fbef2b9512ae8ba198a20f26b41f"},{"fixed":"cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca"},{"fixed":"be655c3736b3546f39bc8116ffbf2a3b6cac96c4"},{"fixed":"2efd07a7c36949e6fa36a69183df24d368bf9e96"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71162.json"}}],"schema_version":"1.7.5"}