In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Fix use-after-free in tb_dp_dprx_work
The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where the tb_tunnel is deallocated by tb_tunnel_put() while tunnel->dprx_work remains active and attempts to dereference the tb_tunnel in tb_dp_dprx_work().
A typical race condition is illustrated below:
CPU 0                               | CPU 1
tb_dp_tunnel_active()               | tb_deactivate_and_free_tunnel()
  tb_dp_dprx_start()                |   tb_tunnel_deactivate()
    queue_delayed_work()            |     tb_dp_activate()
                                    |       tb_dp_dprx_stop()
tb_dp_dprx_work() //delayed worker  |         cancel_delayed_work()
                                    |   tb_tunnel_put(tunnel);
                                    |
  tunnel = container_of(...); //UAF |
  tunnel-> //UAF                    |
Replacing cancel_delayed_work() with cancel_delayed_work_sync() is not feasible as it would introduce a deadlock: both tb_dp_dprx_work() and the cleanup path acquire tb->lock, and cancel_delayed_work_sync() would wait indefinitely for a work item that cannot proceed.
Instead, implement proper reference counting:
- If cancel_delayed_work() returns true (the work is still pending), the reference is released in the stop function.
- If it returns false (the work is executing or has already completed), the reference is released in the delayed work function itself.
This ensures the tb_tunnel remains valid during work item execution while preventing memory leaks.
This bug was found by static analysis.
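The reference-counting scheme above, replayed in a small single-threaded C model. This is an added example, not the kernel's code: the workqueue, the refcount and the names replay_race, dprx_start, dprx_stop and the simulated cancel_delayed_work are assumptions of the model, chosen to mirror the advisory's CPU 0 / CPU 1 interleaving so the buggy and fixed variants can be compared.

```c
#include <assert.h>
#include <stdbool.h>

/* Single-threaded model of a refcounted tunnel with a delayed work item (added
 * example, not kernel code): workqueue and refcount are simulated so the
 * interleaving from the advisory can be replayed deterministically. */
struct tunnel {
    int refcount;
    bool freed;    /* set when the last reference is dropped */
    bool pending;  /* queued but not yet started (kernel: delayed work pending) */
};

static void tunnel_get(struct tunnel *t) { t->refcount++; }
static void tunnel_put(struct tunnel *t) { if (--t->refcount == 0) t->freed = true; }

/* Models cancel_delayed_work(): true only if the work had not started running. */
static bool cancel_delayed_work(struct tunnel *t) {
    bool was_pending = t->pending;
    t->pending = false;
    return was_pending;
}

/* fixed == true: the queued work owns one reference, as in the patch. */
static void dprx_start(struct tunnel *t, bool fixed) {
    if (fixed) tunnel_get(t);
    t->pending = true;
}
static void dprx_stop(struct tunnel *t, bool fixed) {
    if (cancel_delayed_work(t) && fixed) tunnel_put(t); /* never ran: drop ref here */
}

/* Replays CPU 0 / CPU 1 from the advisory. With worker_started the worker was
 * dequeued before CPU 1 cancels and drops the owner's reference, and its body
 * runs afterwards. Returns true if the body observed a freed tunnel (the UAF). */
static bool replay_race(bool fixed, bool worker_started) {
    struct tunnel t = { .refcount = 1, .freed = false, .pending = false };
    dprx_start(&t, fixed);                  /* CPU 0: queue_delayed_work() */
    if (worker_started) t.pending = false;  /* CPU 0: worker dequeued, about to run */
    dprx_stop(&t, fixed);                   /* CPU 1: tb_dp_dprx_stop() */
    tunnel_put(&t);                         /* CPU 1: tb_tunnel_put(tunnel) */
    bool uaf = false;
    if (worker_started) {                   /* CPU 0: tb_dp_dprx_work() body */
        uaf = t.freed;                      /* tunnel = container_of(...) deref */
        if (fixed) tunnel_put(&t);          /* work releases its own reference */
    }
    assert(t.freed);                        /* every variant frees exactly once */
    return uaf;
}
```

replay_race(false, true) reproduces the advisory's race (the worker body runs on a freed tunnel), while replay_race(true, true) shows the work item's own reference keeping the tunnel alive until the body finishes.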
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40002.json"
}