What is GHSA-959m-9w2w-7jxc?

GHSA-959m-9w2w-7jxc is a security advisory published by GitHub Security Advisories with High severity. In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix...

Which CVE IDs does GHSA-959m-9w2w-7jxc cover?

GHSA-959m-9w2w-7jxc covers the following CVE IDs: CVE-2025-71221. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-959m-9w2w-7jxc?

GHSA-959m-9w2w-7jxc has a CVSS v3 base score of 7.0, published by GitHub Security Advisories.

GHSA-959m-9w2w-7jxcHighCVSS 7.0

In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix...

Vendor

GitHub Security Advisories

Published

February 14, 2026

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2025-71221 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors:

CPU 0 CPU 1

mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.

🔗 CVE IDs covered (1)

📋 Description

🔗 References (8)