DEBIAN-CVE-2025-39995

In the Linux kernel, the following vulnerability has been resolved: media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe The state->timer is a cyclic timer that schedules worki2cpoll and delayedworkenablehotplug, while rearming itself. Using timerdelete() fails to guarantee the timer isn't still running when destroyed, similarly canceldelayedwork() cannot ensure delayedworkenablehotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743state object through tc358743irqpoll_timer. The following is the trace captured by KASAN. BUG: KASAN: slab-use-after-free in __runtimerbase.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace: <IRQ> dumpstacklvl+0x55/0x70 print_report+0xcf/0x610 ? __pfxschedbalancefindsrc_group+0x10/0x10 ? __runtimerbase.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __runtimerbase.part.0+0x7d7/0x8c0 __runtimerbase.part.0+0x7d7/0x8c0 ? rcuschedclock_irq+0xb06/0x27d0 ? pfxruntimerbase.part.0+0x10/0x10 ? trytowakeup+0xb15/0x1960 ? tmigrupdateevents+0x280/0x740 ? rawspinlockirq+0x80/0xe0 ? pfxrawspinlockirq+0x10/0x10 tmigrhandleremoteup+0x603/0x7e0 ? __pfxtmigrhandleremoteup+0x10/0x10 ? schedbalancetrigger+0x98/0x9f0 ? schedtick+0x221/0x5a0 ? rawspinlockirq+0x80/0xe0 ? pfxrawspinlockirq+0x10/0x10 ? ticknohzhandler+0x339/0x440 ? __pfxtmigrhandleremoteup+0x10/0x10 __walkgroups.isra.0+0x42/0x150 tmigrhandle_remote+0x1f4/0x2e0 ? __pfxtmigrhandle_remote+0x10/0x10 ? ktimeget+0x60/0x140 ? lapicnextevent+0x11/0x20 ? clockeventsprogramevent+0x1d4/0x2a0 ? hrtimerinterrupt+0x322/0x780 handlesoftirqs+0x16a/0x550 irqexitrcu+0xaf/0xe0 sysvecapictimerinterrupt+0x70/0x80 </IRQ> ... Allocated by task 141: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmallocnodetrackcallernoprof+0x198/0x430 devm_kmalloc+0x7b/0x1e0 tc358743probe+0xb7/0x610 i2cdeviceprobe+0x51d/0x880 reallyprobe+0x1ca/0x5c0 __driverprobedevice+0x248/0x310 driverprobedevice+0x44/0x120 __deviceattachdriver+0x174/0x220 busforeach_drv+0x100/0x190 __deviceattach+0x206/0x370 busprobedevice+0x123/0x170 deviceadd+0xd25/0x1470 i2cnewclientdevice+0x7a0/0xcd0 dooneinitcall+0x89/0x300 doinitmodule+0x29d/0x7f0 loadmodule+0x4f48/0x69e0 initmodulefromfile+0xe4/0x150 idempotentinit_module+0x320/0x670 __x64sysfinitmodule+0xbd/0x120 dosyscall64+0xac/0x280 entrySYSCALL64afterhwframe+0x77/0x7f Freed by task 141: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3a/0x60 __kasanslabfree+0x3f/0x50 kfree+0x137/0x370 releasenodes+0xa4/0x100 devresreleasegroup+0x1b2/0x380 i2cdeviceprobe+0x694/0x880 reallyprobe+0x1ca/0x5c0 __driverprobedevice+0x248/0x310 driverprobedevice+0x44/0x120 __deviceattachdriver+0x174/0x220 bus_foreachdrv+0x100/0x190 __deviceattach+0x206/0x370 busprobe_device+0x123/0x170 deviceadd+0xd25/0x1470 i2cnewclientdevice+0x7a0/0xcd0 dooneinitcall+0x89/0x300 doinitmodule+0x29d/0x7f0 loadmodule+0x4f48/0x69e0 initmodulefromfile+0xe4/0x150 idempotentinitmodule+0x320/0x670 _x64sysfinitmodule+0xbd/0x120 dosyscall64+0xac/0x280 entrySYSCALL64afterhwframe+0x77/0x7f ... Replace timerdelete() with timerdeletesync() and canceldelayedwork() with canceldelayedworksync() to ensure proper termination of timer and work items before resource cleanup. This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface.