CVE-2025-71187 Overview
A device reference leak vulnerability has been identified in the Linux kernel's DMA engine subsystem, specifically within the Renesas RZ DMA controller (rz-dmac) driver. The vulnerability occurs when the driver fails to properly release device references during probe failures, such as during probe deferral scenarios. This Memory Leak vulnerability can lead to resource exhaustion in systems utilizing the affected DMA controller driver.
Critical Impact
Systems using the Renesas RZ DMA controller driver may experience resource leakage when device probe operations fail, potentially leading to system instability or denial of service conditions over time.
Affected Products
- Linux kernel with dmaengine: sh: rz-dmac driver enabled
- Systems utilizing Renesas RZ series SoCs with DMA controller
- Embedded Linux deployments using ICU device lookups
Discovery Timeline
- 2026-01-31 - CVE-2025-71187 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-71187
Vulnerability Analysis
This vulnerability represents a Memory Leak issue in the Linux kernel's DMA engine subsystem. The rz-dmac driver acquires a reference to the ICU (Interrupt Controller Unit) device during its probe function but fails to release this reference when the probe operation encounters an error and needs to abort.
When the kernel attempts to initialize the RZ DMA controller, it looks up and obtains a reference to the associated ICU device. Under normal successful probe conditions, this reference is managed properly throughout the driver's lifecycle. However, when probe failures occur—particularly during probe deferral scenarios where a dependency isn't yet available—the error handling path does not include the necessary put_device() call to drop the reference that was acquired.
Root Cause
The root cause of this vulnerability is improper resource cleanup in the error handling paths of the rz-dmac driver's probe function. When the driver performs a device lookup for the ICU device using functions like of_find_device_by_node() or similar, it increments the reference count on the target device. The error paths in the probe function fail to decrement this reference count before returning, resulting in a leaked device reference.
This type of bug is common in kernel drivers where complex initialization sequences require multiple resource acquisitions, and error handling must carefully reverse each successful acquisition step.
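The leak and its fix, modelled in userspace C as an added example (this is not the rz-dmac driver's code or the upstream patch). The struct layouts and the names `get_dev`, `put_dev`, `later_step`, `probe_leaky` and `probe_fixed` are hypothetical stand-ins for the ICU lookup, `put_device()` and a probe step that defers.

```c
#include <stddef.h>
#include <stdio.h>

#define EPROBE_DEFER 517 /* kernel-internal "retry this probe later" code */

struct device { int refcount; };     /* model of a refcounted device */
struct dmac { struct device *icu; }; /* model of the driver's private data */

/* Stand-ins for the ICU lookup (takes a reference) and put_device(). */
static struct device *get_dev(struct device *d) { d->refcount++; return d; }
static void put_dev(struct device *d) { d->refcount--; }

/* Hypothetical later probe step: defers until its dependency is ready. */
static int later_step(int dep_ready) { return dep_ready ? 0 : -EPROBE_DEFER; }

static int probe_leaky(struct dmac *dmac, struct device *icu, int dep_ready)
{
	dmac->icu = get_dev(icu);
	return later_step(dep_ready); /* on error the reference is never dropped */
}

static int probe_fixed(struct dmac *dmac, struct device *icu, int dep_ready)
{
	int ret;

	dmac->icu = get_dev(icu);
	ret = later_step(dep_ready);
	if (ret)
		goto err_put_icu;
	return 0;
err_put_icu:
	put_dev(dmac->icu); /* unwind the lookup before returning the error */
	dmac->icu = NULL;
	return ret;
}

/* ICU refcount after `attempts` deferred probes; the baseline is 1. */
static int refs_after_deferrals(int fixed, int attempts)
{
	struct device icu = { .refcount = 1 };
	struct dmac dmac = { NULL };

	for (int i = 0; i < attempts; i++)
		(fixed ? probe_fixed : probe_leaky)(&dmac, &icu, 0);
	return icu.refcount;
}

int main(void)
{
	printf("leaky=%d fixed=%d\n", refs_after_deferrals(0, 5), refs_after_deferrals(1, 5));
	return 0;
}
```

Each deferred probe in the leaky variant leaves the count one higher, so the ICU device can never be released; the fixed variant returns to the baseline on every failure.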
Attack Vector
The attack vector for this vulnerability is primarily local, requiring the attacker to have the ability to trigger probe failures or probe deferrals on the affected system. While direct exploitation for code execution is unlikely, the vulnerability can be leveraged for:
- Resource Exhaustion: Repeated triggering of probe failures can cause accumulated device reference leaks, potentially exhausting kernel memory resources
- System Destabilization: In embedded systems with limited resources, the memory leak could lead to system instability or crashes
- Denial of Service: An attacker with local access could potentially force repeated module load/unload cycles to accelerate resource exhaustion
The vulnerability requires local system access and the presence of the affected driver in the kernel configuration.
Detection Methods for CVE-2025-71187
Indicators of Compromise
- Unexpected increase in kernel memory usage over time on systems using RZ DMA controllers
- Device reference count anomalies visible in /sys/devices/ filesystem
- Kernel log messages indicating probe deferral for rz-dmac devices
Detection Strategies
- Monitor kernel memory allocation patterns for gradual unexplained growth
- Implement kernel debugging options like CONFIG_DEBUG_KOBJECT to track object reference counts
- Review dmesg output for repeated rz-dmac probe deferral messages
Monitoring Recommendations
- Enable kernel memory leak detection tools such as kmemleak when debugging suspected systems
- Track device reference counts through sysfs interfaces on production systems
- Configure alerting for abnormal memory consumption patterns in embedded deployments
How to Mitigate CVE-2025-71187
Immediate Actions Required
- Update the Linux kernel to a version containing the fix patches
- Review systems using Renesas RZ series SoCs for exposure to this vulnerability
- Monitor affected systems for signs of memory exhaustion until patches can be applied
Patch Information
The vulnerability has been resolved in the Linux kernel through patches that ensure the device reference acquired during ICU device lookup is properly dropped in all probe failure scenarios.
The fix has been committed to the stable kernel tree. Administrators should apply the patches referenced in the following commits:
- Linux Kernel Patch - commit 926d1666420c
- Linux Kernel Commit Update - commit 9fb490323997
Workarounds
- Disable the rz-dmac driver if not required for system operation by blacklisting the module
- Ensure all driver dependencies are available to minimize probe deferral occurrences
- Implement periodic system reboots on affected embedded systems until patching is possible
# Blacklist the rz-dmac driver if not needed
echo "blacklist rz-dmac" >> /etc/modprobe.d/blacklist-rz-dmac.conf
# Update initramfs after blacklisting
update-initramfs -u


