CVE-2024-50061

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition<br /> <br /> In the cdns_i3c_master_probe function, &amp;master-&gt;hj_work is bound with<br /> cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call<br /> cnds_i3c_master_demux_ibis function to start the work.<br /> <br /> If we remove the module which will call cdns_i3c_master_remove to<br /> make cleanup, it will free master-&gt;base through i3c_master_unregister<br /> while the work mentioned above will be used. The sequence of operations<br /> that may lead to a UAF bug is as follows:<br /> <br /> CPU0 CPU1<br /> <br /> | cdns_i3c_master_hj<br /> cdns_i3c_master_remove |<br /> i3c_master_unregister(&amp;master-&gt;base) |<br /> device_unregister(&amp;master-&gt;dev) |<br /> device_release |<br /> //free master-&gt;base |<br /> | i3c_master_do_daa(&amp;master-&gt;base)<br /> | //use master-&gt;base<br /> <br /> Fix it by ensuring that the work is canceled before proceeding with<br /> the cleanup in cdns_i3c_master_remove.