CVE-2025-39996

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39996
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39996.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39996
Downstream
Related
Published
2025-10-15T07:58:21.049Z
Modified
2025-11-28T02:34:14.262671Z
Summary
media: b2c2: Fix use-after-free caused by irq_check_work in flexcop_pci_remove
Details

In the Linux kernel, the following vulnerability has been resolved:

media: b2c2: Fix use-after-free caused by irq_check_work in flexcop_pci_remove

The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device.

A typical race condition is illustrated below:

    CPU 0 (remove)                          | CPU 1 (delayed work callback)
    flexcop_pci_remove()                    | flexcop_pci_irq_check_work()
      cancel_delayed_work()                 |
      flexcop_device_kfree(fc_pci->fc_dev)  |
                                            |   fc = fc_pci->fc_dev; // UAF

This is confirmed by a KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff8880093aa8c8 by task bash/135
...
Call Trace:
 <IRQ>
 dump_stack_lvl+0x55/0x70
 print_report+0xcf/0x610
 ? __run_timer_base.part.0+0x7d7/0x8c0
 kasan_report+0xb8/0xf0
 ? __run_timer_base.part.0+0x7d7/0x8c0
 __run_timer_base.part.0+0x7d7/0x8c0
 ? __pfx___run_timer_base.part.0+0x10/0x10
 ? __pfx_read_tsc+0x10/0x10
 ? ktime_get+0x60/0x140
 ? lapic_next_event+0x11/0x20
 ? clockevents_program_event+0x1d4/0x2a0
 run_timer_softirq+0xd1/0x190
 handle_softirqs+0x16a/0x550
 irq_exit_rcu+0xaf/0xe0
 sysvec_apic_timer_interrupt+0x70/0x80
 </IRQ>
...

Allocated by task 1:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_noprof+0x1be/0x460
 flexcop_device_kmalloc+0x54/0xe0
 flexcop_pci_probe+0x1f/0x9d0
 local_pci_probe+0xdc/0x190
 pci_device_probe+0x2fe/0x470
 really_probe+0x1ca/0x5c0
 __driver_probe_device+0x248/0x310
 driver_probe_device+0x44/0x120
 __driver_attach+0xd2/0x310
 bus_for_each_dev+0xed/0x170
 bus_add_driver+0x208/0x500
 driver_register+0x132/0x460
 do_one_initcall+0x89/0x300
 kernel_init_freeable+0x40d/0x720
 kernel_init+0x1a/0x150
 ret_from_fork+0x10c/0x1a0
 ret_from_fork_asm+0x1a/0x30

Freed by task 135:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x3f/0x50
 kfree+0x137/0x370
 flexcop_device_kfree+0x32/0x50
 pci_device_remove+0xa6/0x1d0
 device_release_driver_internal+0xf8/0x210
 pci_stop_bus_device+0x105/0x150
 pci_stop_and_remove_bus_device_locked+0x15/0x30
 remove_store+0xcc/0xe0
 kernfs_fop_write_iter+0x2c3/0x440
 vfs_write+0x871/0xd70
 ksys_write+0xee/0x1c0
 do_syscall_64+0xac/0x280
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated.

This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug.
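A userspace model of the race described above, added here as an illustration and not taken from the kernel or the patch: a pthread stands in for the delayed work item, a spin on a hypothetical `proceed` flag stands in for the artificial delay inside flexcop_pci_irq_check_work(), and `remove_would_race()` reports whether the callback is still mid-run at the point where the original flexcop_pci_remove() freed the device, once with the non-waiting cancel and once with the synchronous one.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Stand-in for struct flexcop_device: only the field the worker touches. */
struct flexcop_device { int irq_checks; };

/* Model of one in-flight delayed work item (hypothetical; re-arming is omitted). */
struct delayed_work {
    pthread_t thread;
    atomic_bool in_callback;  /* true while the callback is dereferencing dev */
    atomic_bool proceed;      /* released by remove(); stands in for the artificial delay */
    struct flexcop_device *dev;
};

/* Stand-in for flexcop_pci_irq_check_work(): enters, stalls, then touches dev. */
static void *irq_check_work(void *arg)
{
    struct delayed_work *w = arg;
    atomic_store(&w->in_callback, true);
    while (!atomic_load(&w->proceed))
        ;                               /* stalled mid-callback, as in the reproducer */
    w->dev->irq_checks++;               /* the dereference that becomes the UAF */
    atomic_store(&w->in_callback, false);
    return NULL;
}

/* Returns true if the callback is still mid-run at the point where the original
 * flexcop_pci_remove() called flexcop_device_kfree(). use_sync=false mirrors
 * cancel_delayed_work() (returns without waiting); true mirrors the _sync() variant. */
static bool remove_would_race(bool use_sync)
{
    struct flexcop_device *dev = calloc(1, sizeof *dev);
    struct delayed_work w = { .dev = dev };   /* atomics zero-initialised to false */
    if (!dev || pthread_create(&w.thread, NULL, irq_check_work, &w) != 0)
        abort();
    while (!atomic_load(&w.in_callback))
        ;                               /* the work item is now executing */
    if (use_sync) {                     /* _sync(): wait for the running callback to return */
        atomic_store(&w.proceed, true);
        pthread_join(w.thread, NULL);
    }
    bool racing = atomic_load(&w.in_callback);   /* kfree() happens at this point */
    if (!use_sync) {                    /* this model joins before freeing so it stays safe itself */
        atomic_store(&w.proceed, true);
        pthread_join(w.thread, NULL);
    }
    free(dev);
    return racing;
}
```

With the non-waiting cancel the callback is still executing when the device would be freed; with the synchronous cancel the free is only reached after the callback has returned.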

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39996.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
382c5546d618f24dc7d6ae7ca33412083720efbf
Fixed
607010d07b8a509b01ed15ea12744acac6536a98
Fixed
bde8173def374230226e8554efb51b271f4066ec
Fixed
120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b
Fixed
d502df8a716d993fa0f9d8c00684f1190750e28e
Fixed
bb10a9ddc8d6c5dbf098f21eb1055a652652e524
Fixed
514a519baa9e2be7ddc2714bd730bc5a883e1244
Fixed
3ffabc79388e68877d9c02f724a0b7a38d519daf
Fixed
6a92f5796880f5aa345f0fed53ef511e3fd6f706
Fixed
01e03fb7db419d39e18d6090d4873c1bff103914

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.29
Fixed
5.4.301
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.246
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.195
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.156
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.110
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.51
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.16.11
Type
ECOSYSTEM
Events
Introduced
6.17.0
Fixed
6.17.1