CVE-2025-39945

In the Linux kernel, the following vulnerability has been resolved:

cnic: Fix use-after-free bugs in cnicdeletetask

The original code uses canceldelayedwork() in cniccmstopbnx2xhw(), which does not guarantee that the delayed work item 'deletetask' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flushworkqueue() in cniccmstopbnx2xhw() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flushworkqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after the cyclic work items have finished executing, a delayed work item may still exist in the workqueue. This leads to use-after-free scenarios where the cnicdev is deallocated by cnicfreedev(), while deletetask remains active and attempt to dereference cnicdev in cnicdeletetask().

A typical race condition is illustrated below:

CPU 0 (cleanup) | CPU 1 (delayed work callback) cnicnetdevevent() | cnicstophw() | cnicdeletetask() cniccmstopbnx2xhw() | ... canceldelayedwork() | /* the queuedelayedwork() flushworkqueue() | executes after flushworkqueue()*/ | queuedelayedwork() cnicfreedev(dev)//free | cnicdeletetask() //new instance | dev = cp->dev; //use

Replace canceldelayedwork() with canceldelayedworksync() to ensure that the cyclic delayed work item is properly canceled and that any ongoing execution of the work item completes before the cnicdev is deallocated. Furthermore, since canceldelayedworksync() uses _flushwork(work, true) to synchronously wait for any currently executing instance of the work item to finish, the flushworkqueue() becomes redundant and should be removed.

This bug was identified through static analysis. To reproduce the issue and validate the fix, I simulated the cnic PCI device in QEMU and introduced intentional delays — such as inserting calls to ssleep() within the cnicdeletetask() function — to increase the likelihood of triggering the bug.