DEBIAN-CVE-2025-40002

Source
https://security-tracker.debian.org/tracker/CVE-2025-40002
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-40002.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-40002
Upstream
Published
2025-10-18T08:15:34.243Z
Modified
2025-11-21T03:15:40.251086Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Fix use-after-free in tb_dp_dprx_work

The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while tunnel->dprx_work remains active and attempts to dereference tb_tunnel in tb_dp_dprx_work().

A typical race condition is illustrated below:

    CPU 0                               | CPU 1
    tb_dp_tunnel_active()               |
      tb_dp_dprx_start()                | tb_deactivate_and_free_tunnel()
        queue_delayed_work()            |   tb_tunnel_deactivate()
                                        |     tb_dp_activate()
                                        |       tb_dp_dprx_stop()
    tb_dp_dprx_work() //delayed worker  |         cancel_delayed_work()
                                        |   tb_tunnel_put(tunnel);
      tunnel = container_of(...); //UAF |
      tunnel-> //UAF                    |

Replacing cancel_delayed_work() with cancel_delayed_work_sync() is not feasible as it would introduce a deadlock: both tb_dp_dprx_work() and the cleanup path acquire tb->lock, and cancel_delayed_work_sync() would wait indefinitely for the work item that cannot proceed.

Instead, implement proper reference counting:

- If cancel_delayed_work() returns true (work is pending), we release the reference in the stop function.
- If it returns false (work is executing or already completed), the reference is released in the delayed work function itself.

This ensures the tb_tunnel remains valid during work item execution while preventing memory leaks.

This bug was found by static analysis.

References

Affected packages

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
6.17.6-1

Affected versions

6.*
6.12.38-1
6.12.41-1
6.12.43-1~bpo12+1
6.12.43-1
6.12.48-1
6.12.57-1~bpo12+1
6.12.57-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1
6.16-1~exp1
6.16.1-1~exp1
6.16.3-1~bpo13+1
6.16.3-1
6.16.5-1
6.16.6-1
6.16.7-1
6.16.8-1
6.16.9-1
6.16.10-1
6.16.11-1
6.16.12-1
6.16.12-2
6.17.2-1~exp1
6.17.5-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-40002.json"