CVE-2024-49874

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49874
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49874.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49874
Downstream
Related
Published
2024-10-21T18:01:14.762Z
Modified
2025-11-28T02:34:25.451676Z
Summary
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with svc_i3c_master_hj_work, &master->ibi_work is bound with svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                     CPU1

                                       | svc_i3c_master_hj_work
svc_i3c_master_remove                  |
i3c_master_unregister(&master->base)   |
device_unregister(&master->dev)        |
device_release                         |
//free master->base                    |
                                       | i3c_master_do_daa(&master->base)
                                       | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in svc_i3c_master_remove.
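
The ordering bug and its fix, as an added userspace model written for this page (it is not the kernel's svc-i3c-master code and not part of the advisory). Assumptions of the model: a single-threaded FIFO queue stands in for the kworker on CPU1, a `base.live` flag stands in for the memory being freed by `device_release` (so the "use after free" is counted rather than actually dereferencing freed memory), `uaf_hits`, `probe_with_pending_ibi`, `remove_vulnerable` and `remove_fixed` are names invented for the demo, and the fixed path cancels `ibi_work` before `hj_work` because the advisory says `ibi_work` can requeue `hj_work`; the advisory itself only states that "the work is canceled" before cleanup, so cancelling both, in that order, is the model's choice.

```c
#include <stdbool.h>
#include <stddef.h>

/* Single-threaded model of the kernel workqueue API: schedule_work() queues,
 * run_pending_work() plays the worker (CPU1 in the advisory's diagram). */
struct work_struct {
	void (*func)(struct work_struct *work);
	bool pending;
};

#define MAX_PENDING 8
static struct work_struct *pending_q[MAX_PENDING];
static int npending;
#define INIT_WORK(w, fn) do { (w)->func = (fn); (w)->pending = false; } while (0)

static bool schedule_work(struct work_struct *w)
{
	if (w->pending || npending == MAX_PENDING)
		return false;
	w->pending = true;
	pending_q[npending++] = w;
	return true;
}

/* Drop w from the queue. The real call also waits for an in-flight instance. */
static void cancel_work_sync(struct work_struct *w)
{
	int i, j = 0;
	for (i = 0; i < npending; i++)
		if (pending_q[i] != w)
			pending_q[j++] = pending_q[i];
	npending = j;
	w->pending = false;
}

/* Worker: dequeue FIFO, clear pending, then run (the kernel does the same). */
static void run_pending_work(void)
{
	while (npending > 0) {
		struct work_struct *w = pending_q[0];
		cancel_work_sync(w);
		w->func(w);
	}
}

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

/* Driver state with the fields the advisory names. base.live goes false when
 * device_release "frees" it; a flag instead of free() keeps the demo defined. */
struct svc_i3c_master {
	struct { bool live; } base;
	struct work_struct hj_work;
	struct work_struct ibi_work;
	int uaf_hits;	/* instrumentation (model only): uses of base after it was freed */
};

static void i3c_master_unregister(struct svc_i3c_master *m)
{
	m->base.live = false;	/* device_unregister -> device_release */
}

static void svc_i3c_master_hj_work(struct work_struct *work)
{
	struct svc_i3c_master *m = container_of(work, struct svc_i3c_master, hj_work);
	if (!m->base.live)	/* stands in for i3c_master_do_daa(&master->base) */
		m->uaf_hits++;
}

static void svc_i3c_master_ibi_work(struct work_struct *work)
{
	struct svc_i3c_master *m = container_of(work, struct svc_i3c_master, ibi_work);
	schedule_work(&m->hj_work);	/* ibi_work can start hj_work */
}

/* Model-only setup: probe, then an IBI arrives just before the module is removed. */
static void probe_with_pending_ibi(struct svc_i3c_master *m)
{
	npending = 0;
	m->base.live = true;
	m->uaf_hits = 0;
	INIT_WORK(&m->hj_work, svc_i3c_master_hj_work);
	INIT_WORK(&m->ibi_work, svc_i3c_master_ibi_work);
	schedule_work(&m->ibi_work);
}

/* Vulnerable remove ordering: base is freed while work is still queued. */
int remove_vulnerable(void)
{
	struct svc_i3c_master m;
	probe_with_pending_ibi(&m);
	i3c_master_unregister(&m);	/* CPU0 frees base ... */
	run_pending_work();		/* CPU1: ibi_work -> hj_work -> use of freed base */
	return m.uaf_hits;		/* 1 */
}

/* Fixed ordering: cancel the requeuing work first, then hj_work, then free. */
int remove_fixed(void)
{
	struct svc_i3c_master m;
	probe_with_pending_ibi(&m);
	cancel_work_sync(&m.ibi_work);
	cancel_work_sync(&m.hj_work);
	i3c_master_unregister(&m);
	run_pending_work();		/* nothing left to run */
	return m.uaf_hits;		/* 0 */
}
```

The point the model makes that the diagram does not: cancelling only the work item that touches the freed object is not enough if another still-live path can requeue it, so the cancel order in a remove routine has to follow the dependency chain (irq handler and `ibi_work` feed `hj_work`) before the object they reach is released.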

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49874.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
87e0f28eda36c7843523aa8dd0c5dab3331e9718
Fixed
56bddf543d4d7ddeff3f87b554ddacfdf086bffe
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7
Fixed
4ac637122930cc4ab7e2c22e364cf3aaf96b05b1
Fixed
4318998892bf8fe99f97bea18c37ae7b685af75a
Fixed
27b55724d3f781dd6e635e89dc6e2fd78fa81a00
Fixed
61850725779709369c7e907ae8c7c75dc7cec4f3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.55
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.14
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.3