CVE-2024-57984

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition<br /> <br /> In dw_i3c_common_probe, &amp;master-&gt;hj_work is bound with<br /> dw_i3c_hj_work. And dw_i3c_master_irq_handler can call<br /> dw_i3c_master_irq_handle_ibis function to start the work.<br /> <br /> If we remove the module which will call dw_i3c_common_remove to<br /> make cleanup, it will free master-&gt;base through i3c_master_unregister<br /> while the work mentioned above will be used. The sequence of operations<br /> that may lead to a UAF bug is as follows:<br /> <br /> CPU0 CPU1<br /> <br /> | dw_i3c_hj_work<br /> dw_i3c_common_remove |<br /> i3c_master_unregister(&amp;master-&gt;base) |<br /> device_unregister(&amp;master-&gt;dev) |<br /> device_release |<br /> //free master-&gt;base |<br /> | i3c_master_do_daa(&amp;master-&gt;base)<br /> | //use master-&gt;base<br /> <br /> Fix it by ensuring that the work is canceled before proceeding with<br /> the cleanup in dw_i3c_common_remove.