In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra-adma: Fix use-after-free
A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the
   completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which
   frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete()
   which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.
Fix this by properly synchronizing the virtual channel completion:
- Call vchan_terminate_vdesc() in tegra_adma_stop() to mark the
  descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls
  vchan_synchronize() which kills any pending tasklets and frees any
  terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
CVE-2025-71162 is a use-after-free vulnerability in the Linux kernel's Tegra ADMA (Audio DMA) driver, triggered during audio stream termination. The flaw occurs when DMA buffers are freed before completion tasklets finish accessing them, causing kernel crashes during XRUN conditions. While currently unexploited, this vulnerability poses a denial-of-service risk to systems using Tegra audio hardware, particularly in embedded and IoT deployments common in Saudi Arabia's smart city and industrial automation initiatives.
Immediate Actions:
1. Identify systems running Linux kernel versions 6.19-rc1 through 6.19-rc4, or other affected versions, with the Tegra ADMA driver enabled
2. Check kernel configuration: grep -i tegra /boot/config-$(uname -r) to confirm ADMA driver is compiled
3. Monitor system logs for KASAN warnings and kernel panics related to vchan_complete
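The version and configuration checks in steps 1 and 2 above, as an added shell example (not part of the advisory and not from the kernel tree): it matches the uname -r string against the 6.19-rc1 through 6.19-rc4 range the advisory names and looks for CONFIG_TEGRA210_ADMA, the Kconfig symbol for drivers/dma/tegra210-adma.c, which is stated here as an assumption to confirm against your own kernel tree. The sample config files are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel tree): triage whether a
# host is in the advisory's affected set, i.e. kernel 6.19-rc1..rc4 with the
# Tegra ADMA driver built. CONFIG_TEGRA210_ADMA is assumed to be the Kconfig
# symbol for drivers/dma/tegra210-adma.c; confirm it in your tree.

# adma_version_affected <uname -r string>
# Returns 0 for 6.19.0-rc1 .. 6.19.0-rc4, with or without a local suffix.
adma_version_affected() {
    case "$1" in
        6.19.0-rc[1-4]|6.19.0-rc[1-4]-*|6.19.0-rc[1-4]+*) return 0 ;;
        *) return 1 ;;
    esac
}

# adma_driver_enabled <kernel config path>
# Returns 0 when the driver is built in (=y) or as a module (=m).
adma_driver_enabled() {
    [ -r "$1" ] && grep -Eq '^CONFIG_TEGRA210_ADMA=(y|m)$' "$1"
}

# adma_triage <uname -r string> <kernel config path>
# Prints a verdict; returns 0 only when both conditions hold, 2 if the config
# file cannot be read, 1 otherwise.
adma_triage() {
    ver="$1"; cfg="$2"
    if ! adma_version_affected "$ver"; then
        echo "NOT AFFECTED: kernel $ver is outside 6.19-rc1..rc4"; return 1
    fi
    if [ ! -r "$cfg" ]; then
        echo "UNKNOWN: kernel $ver in range but $cfg is not readable"; return 2
    fi
    if ! adma_driver_enabled "$cfg"; then
        echo "NOT AFFECTED: kernel $ver in range but Tegra ADMA driver not built"; return 1
    fi
    echo "AFFECTED: kernel $ver with Tegra ADMA driver enabled; apply the fix"
    return 0
}

# Constructed sample config files so the checks can be exercised offline.
ADMA_CFG_ON=$(mktemp); ADMA_CFG_OFF=$(mktemp)
trap 'rm -f "$ADMA_CFG_ON" "$ADMA_CFG_OFF"' EXIT
printf 'CONFIG_DMADEVICES=y\nCONFIG_TEGRA210_ADMA=m\n' > "$ADMA_CFG_ON"
printf 'CONFIG_DMADEVICES=y\n# CONFIG_TEGRA210_ADMA is not set\n' > "$ADMA_CFG_OFF"

# Stand-alone run: this host first, then the constructed cases.
adma_triage "$(uname -r)" "/boot/config-$(uname -r)" || :
adma_triage "6.19.0-rc3" "$ADMA_CFG_ON" || :
adma_triage "6.19.0-rc3" "$ADMA_CFG_OFF" || :
adma_triage "6.19.0-rc5" "$ADMA_CFG_ON" || :
```

The version match is deliberately narrow to the rc range the advisory states; a distribution that backported the driver into another release string will not be caught by it, so pair it with the driver check and with the patch status of your vendor kernel rather than relying on the version alone.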
Patching Guidance:
1. Apply the official Linux kernel patch that implements vchan_terminate_vdesc() in tegra_adma_stop() function
2. Implement tegra_adma_synchronize() callback to properly handle vchan_synchronize() calls
3. Update to stable kernel versions post-6.19 that include this fix
4. For systems unable to patch immediately, disable the Tegra ADMA driver if alternative audio drivers are available
Compensating Controls:
1. Implement kernel module monitoring to detect unexpected crashes in the dmaengine subsystem
2. Configure watchdog timers to automatically restart services on kernel panic
3. Enable KASAN (Kernel Address Sanitizer) in development/staging environments to catch similar issues
4. Implement audio stream error handling at application level to gracefully handle XRUN conditions
5. Deploy kernel crash dump collection (kdump) to analyze failures
Detection Rules:
1. Monitor for kernel panic messages containing 'vchan_complete' or 'use-after-free'
2. Alert on KASAN reports: 'BUG: KASAN: use-after-free in vchan_complete'
3. Track dmaengine subsystem errors in kernel logs: dmesg | grep -i 'tegra.*adma\|dmaengine'
4. Monitor audio device state transitions and XRUN event frequency
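The four detection rules above, as an added shell example rather than anything from the advisory: each rule is run over a saved kernel log (dmesg output or journalctl -k written to a file) and a verdict is given when the KASAN signature from the crash log is present. The sample log is constructed: two lines are copied from the crash log above, the surrounding ALSA and driver lines are invented, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the advisory): apply its detection rules to a saved
# kernel log so the logic can be exercised offline against a constructed sample.

# adma_kasan_hits <logfile>: rule 2, the exact KASAN report text. Prints the
# matching lines and returns 0 when at least one is present.
adma_kasan_hits() {
    grep -E 'BUG: KASAN: use-after-free in vchan_complete' "$1"
}

# adma_panic_hits <logfile>: rule 1, any line naming vchan_complete or
# use-after-free (covers the backtrace frames as well as the BUG line).
adma_panic_hits() {
    grep -Ei '(vchan_complete|use-after-free)' "$1"
}

# adma_dma_errors <logfile>: rule 3, the advisory's own grep pattern.
adma_dma_errors() {
    grep -Ei 'tegra.*adma|dmaengine' "$1"
}

# adma_xrun_count <logfile>: rule 4, number of XRUN notices. Always succeeds
# so the caller can use the count even when it is zero.
adma_xrun_count() {
    grep -ci 'xrun' "$1" || true
}

# adma_verdict <logfile>: one-line summary; returns 0 only when the
# vulnerability's KASAN signature is present, 1 otherwise.
adma_verdict() {
    n_kasan=$(adma_kasan_hits "$1" | wc -l | tr -d ' ')
    n_xrun=$(adma_xrun_count "$1")
    if [ "$n_kasan" -gt 0 ]; then
        echo "ALERT: $n_kasan KASAN use-after-free report(s) in vchan_complete, $n_xrun XRUN notice(s)"
        return 0
    fi
    echo "clean: no vchan_complete use-after-free signature, $n_xrun XRUN notice(s)"
    return 1
}

# Constructed sample log: the BUG and "Read of size" lines are copied from the
# advisory's crash log; the ALSA, driver and systemd lines are invented.
ADMA_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$ADMA_SAMPLE_LOG"' EXIT
cat > "$ADMA_SAMPLE_LOG" <<'EOF'
[  336.901234] tegra-adma 2930000.dma-controller: probed (constructed line)
[  337.102000] ALSA: pcm: XRUN on playback stream (constructed line)
[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[  337.427603]  vchan_complete+0x124/0x3b0
[  340.000000] systemd[1]: Started Network Manager. (constructed line)
EOF

# Stand-alone run over the sample; feed a real capture with: dmesg > log; adma_verdict log
adma_verdict "$ADMA_SAMPLE_LOG" || :
```

Rule 2 is the precise signal and drives the verdict; rules 1, 3 and 4 are noisier and are better used as context (an XRUN followed shortly by a vchan_complete backtrace is the sequence the commit message describes) than as alerts on their own.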