CVE-2025-39995

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39995
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39995.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39995
Published
2025-10-15T07:58:20.365Z
Modified
2025-11-28T02:35:12.911849Z
Summary
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
Details

In the Linux kernel, the following vulnerability has been resolved:

media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe

The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed; similarly, cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer.

The following is the trace captured by KASAN.

BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __pfx_sched_balance_find_src_group+0x10/0x10
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? rcu_sched_clock_irq+0xb06/0x27d0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? try_to_wake_up+0xb15/0x1960
 ? tmigr_update_events+0x280/0x740
 ? _raw_spin_lock_irq+0x80/0xe0
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 tmigr_handle_remote_up+0x603/0x7e0
 ? __pfx_tmigr_handle_remote_up+0x10/0x10
 ? sched_balance_trigger+0x98/0x9f0
 ? sched_tick+0x221/0x5a0
 ? _raw_spin_lock_irq+0x80/0xe0
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 ? tick_nohz_handler+0x339/0x440
 ? __pfx_tmigr_handle_remote_up+0x10/0x10
 __walk_groups.isra.0+0x42/0x150
 tmigr_handle_remote+0x1f4/0x2e0
 ? __pfx_tmigr_handle_remote+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 ? hrtimer_interrupt+0x322/0x780
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...

Allocated by task 141:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_node_track_caller_noprof+0x198/0x430
 devm_kmalloc+0x7b/0x1e0
 tc358743_probe+0xb7/0x610
 i2c_device_probe+0x51d/0x880
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __device_attach_driver+0x174/0x220
 bus_for_each_drv+0x100/0x190
 __device_attach+0x206/0x370
 bus_probe_device+0x123/0x170
 device_add+0xd25/0x1470
 i2c_new_client_device+0x7a0/0xcd0
 do_one_initcall+0x89/0x300
 do_init_module+0x29d/0x7f0
 load_module+0x4f48/0x69e0
 init_module_from_file+0xe4/0x150
 idempotent_init_module+0x320/0x670
 __x64_sys_finit_module+0xbd/0x120
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 141:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 release_nodes+0xa4/0x100
 devres_release_group+0x1b2/0x380
 i2c_device_probe+0x694/0x880
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __device_attach_driver+0x174/0x220
 bus_for_each_drv+0x100/0x190
 __device_attach+0x206/0x370
 bus_probe_device+0x123/0x170
 device_add+0xd25/0x1470
 i2c_new_client_device+0x7a0/0xcd0
 do_one_initcall+0x89/0x300
 do_init_module+0x29d/0x7f0
 load_module+0x4f48/0x69e0
 init_module_from_file+0xe4/0x150
 idempotent_init_module+0x320/0x670
 __x64_sys_finit_module+0xbd/0x120
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup.

This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.
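The timer_delete() versus timer_delete_sync() distinction that this fix turns on, shown as an added userspace model (constructed for this page; it is not the tc358743 driver, the kernel's timer code, or the reporter's emulation module). A pthread stands in for the self-rearming poll timer, the two model_timer_delete* helpers are hypothetical stand-ins for the kernel APIs, and probe_failure() replays the probe error path: it returns how many times the handler ran against state that had already been released, which is the access KASAN flagged above.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
/* Constructed userspace model, not kernel or tc358743 code; all names are
 * hypothetical. model_timer_delete() mirrors timer_delete() (deactivate only);
 * model_timer_delete_sync() mirrors timer_delete_sync() (also waits). */
struct dev_state { int irq_polls; };        /* stands in for tc358743_state */
struct poll_timer {
    pthread_t thread;
    atomic_bool armed;                      /* handler keeps rearming while set */
    atomic_bool in_handler;                 /* handler body currently running */
    struct dev_state *_Atomic state;        /* what the handler dereferences */
    atomic_int use_after_free;              /* handler ran after state release */
};

static void *poll_handler(void *arg)
{
    struct poll_timer *t = arg;
    while (t->armed) {                      /* cyclic timer: rearm until cleared */
        t->in_handler = true;
        usleep(200000);                     /* the handler's work takes 200 ms */
        struct dev_state *s = t->state;
        if (s) s->irq_polls++; else t->use_after_free++; /* kernel: slab UAF */
        t->in_handler = false;
    }
    return NULL;
}

/* timer_delete(): deactivate and return, even if the handler is running. */
static void model_timer_delete(struct poll_timer *t) { t->armed = false; }

/* timer_delete_sync(): deactivate, then wait for a running handler to finish. */
static void model_timer_delete_sync(struct poll_timer *t)
{
    model_timer_delete(t);
    while (t->in_handler) usleep(1000);
}

/* Probe error path after timer init: handler runs that touched released state. */
int probe_failure(bool use_sync)
{
    struct dev_state *state = calloc(1, sizeof *state);
    struct poll_timer t = { .armed = true, .state = state };
    pthread_create(&t.thread, NULL, poll_handler, &t);
    while (!t.in_handler) usleep(1000);     /* handler is mid-flight */
    if (use_sync) model_timer_delete_sync(&t); else model_timer_delete(&t);
    t.state = NULL;                         /* devres releases tc358743_state */
    free(state);
    pthread_join(t.thread, NULL);
    return t.use_after_free;
}
```

With the non-sync variant the handler finishes its in-flight run after the state is gone (one access to released state); with the sync variant the release waits and the count is zero.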

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39995.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: d32d98642de66048f9534a05f3641558e811bbc9
Fixed: 9205fb6e617a1c596d9a9ad2a160ee696e09d520
Fixed: 70913586c717dd25cfbade7a418e92cc9c99398a
Fixed: 663faf1179db9663a3793c75e9bc869358bad910
Fixed: 3d17701c156579969470e58b3a906511f8bc018d
Fixed: 228d06c4cbfc750f1216a3fd91b4693b0766d2f6
Fixed: f92181c0e13cad9671d07b15be695a97fc2534a3
Fixed: f3f3f00bcabbd2ce0a77a2ac7a6797b8646bfd8b
Fixed: 2610617effb4454d2f1c434c011ccb5cc7140711
Fixed: 79d10f4f21a92e459b2276a77be62c59c1502c9d

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

Introduced 4.3.0, fixed 5.4.301
Introduced 5.5.0, fixed 5.10.246
Introduced 5.11.0, fixed 5.15.195
Introduced 5.16.0, fixed 6.1.156
Introduced 6.2.0, fixed 6.6.111
Introduced 6.7.0, fixed 6.12.52
Introduced 6.13.0, fixed 6.16.11
Introduced 6.17.0, fixed 6.17.1