DEBIAN-CVE-2025-71162

In the Linux kernel, the following vulnerability has been resolved:  dmaengine: tegra-adma: Fix use-after-free  A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegraadmaterminateall() before the vchan completion tasklet finishes accessing it.  The race condition follows this sequence:    1. DMA transfer completes, triggering an interrupt that schedules the      completion tasklet (tasklet has not executed yet)   2. Audio playback stops, calling tegraadmaterminateall() which      frees the DMA buffer memory via kfree()   3. The scheduled tasklet finally executes, calling vchancomplete()      which attempts to access the already-freed memory  Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchancomplete() runs.  Fix this by properly synchronizing the virtual channel completion:  - Calling vchanterminatevdesc() in tegraadmastop() to mark the    descriptors as terminated instead of freeing the descriptor.  - Add the callback tegraadmasynchronize() that calls    vchansynchronize() which kills any pending tasklets and frees any    terminated descriptors.  Crash logs: [  337.427523] BUG: KASAN: use-after-free in vchancomplete+0x124/0x3b0 [  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0  [  337.427562] Call trace: [  337.427564]  dumpbacktrace+0x0/0x320 [  337.427571]  showstack+0x20/0x30 [  337.427575]  dumpstacklvl+0x68/0x84 [  337.427584]  printaddressdescription.constprop.0+0x74/0x2b8 [  337.427590]  kasanreport+0x1f4/0x210 [  337.427598]  asanload8+0xa0/0xd0 [  337.427603]  vchancomplete+0x124/0x3b0 [  337.427609]  taskletactioncommon.constprop.0+0x190/0x1d0 [  337.427617]  taskletaction+0x30/0x40 [  337.427623]  dosoftirq+0x1a0/0x5c4 [  337.427628]  irqexit+0x110/0x140 [  337.427633]  handledomainirq+0xa4/0xe0 [  337.427640]  gichandleirq+0x64/0x160 [  337.427644]  callonirqstack+0x20/0x4c [  337.427649]  dointerrupthandler+0x7c/0x90 [  337.427654]  el1interrupt+0x30/0x80 [  337.427659]  el1h64irqhandler+0x18/0x30 [  337.427663]  el1h64irq+0x7c/0x80 [  337.427667]  cpuidleenterstate+0xe4/0x540 [  337.427674]  cpuidleenter+0x54/0x80 [  337.427679]  doidle+0x2e0/0x380 [  337.427685]  cpustartupentry+0x2c/0x70 [  337.427690]  restinit+0x114/0x130 [  337.427695]  archcallrestinit+0x18/0x24 [  337.427702]  startkernel+0x380/0x3b4 [  337.427706]  primary_switched+0xc0/0xc8