CVE-2025-39994

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/10/2025
Last modified:
16/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

media: tuner: xc5000: Fix use-after-free in xc5000_release

The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

    CPU 0 (release thread)             | CPU 1 (delayed work callback)
    xc5000_release()                   | xc5000_do_timer_sleep()
      cancel_delayed_work()            |
      hybrid_tuner_release_state(priv) |
      kfree(priv)                      |
                                       |   priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

[hverkuil: fix typo in Subject: tunner -> tuner]
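The interleaving in the table above, as an added user-space model that is not part of the advisory or of the xc5000 driver. The two model_cancel_* functions mirror only the semantic that matters here: cancel_delayed_work() removes a pending item but never waits for a callback that is already executing, while cancel_delayed_work_sync() does wait. kfree() is modelled by poisoning a flag rather than freeing, so a read of "freed" memory can be counted instead of crashing. All names (model_priv, delayed_work, run_release, callback_finish) are constructed for this example.

```c
/*
 * Constructed model (not kernel code) of the release-vs-callback race
 * described in the advisory. The work item can be idle, queued but not
 * yet running, or mid-flight on another CPU when release is called.
 */
#include <stdio.h>

enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING };

struct model_priv {
    int freed;          /* stand-in for the memory having been kfree()d */
    int sleeps_done;    /* what the callback updates on a healthy run */
};

struct delayed_work {
    enum work_state state;
    struct model_priv *priv;   /* the driver recovers this via container_of() */
    int uaf_hits;              /* callback touched priv after it was freed */
};

/* The part of the callback (xc5000_do_timer_sleep in the driver) that
 * dereferences priv. */
static void callback_finish(struct delayed_work *w)
{
    if (w->priv->freed)
        w->uaf_hits++;          /* the use-after-free the advisory describes */
    else
        w->priv->sleeps_done++;
    w->state = WORK_IDLE;
}

/* Like cancel_delayed_work(): a PENDING item is dequeued and 1 is returned;
 * a RUNNING callback is left to finish on its own and 0 is returned. */
static int model_cancel_delayed_work(struct delayed_work *w)
{
    if (w->state == WORK_PENDING) {
        w->state = WORK_IDLE;
        return 1;
    }
    return 0;
}

/* Like cancel_delayed_work_sync(): same, but a RUNNING callback is allowed
 * to complete before this returns, so the caller may free its data afterwards. */
static int model_cancel_delayed_work_sync(struct delayed_work *w)
{
    if (w->state == WORK_RUNNING)
        callback_finish(w);     /* "waiting" = letting CPU 1 finish first */
    return model_cancel_delayed_work(w);
}

/* Release path with the work item in the given state at entry. use_sync=0 is
 * the original xc5000_release() behaviour, use_sync=1 the fixed one.
 * Returns how many times the callback dereferenced priv after the free. */
static int run_release(enum work_state state_at_release, int use_sync)
{
    struct model_priv priv = { 0, 0 };
    struct delayed_work work = { state_at_release, &priv, 0 };

    if (use_sync)
        model_cancel_delayed_work_sync(&work);
    else
        model_cancel_delayed_work(&work);

    priv.freed = 1;                          /* kfree(priv) on CPU 0 */

    /* CPU 1 eventually resumes a callback that was already mid-flight. */
    if (work.state == WORK_RUNNING)
        callback_finish(&work);

    return work.uaf_hits;
}

int main(void)
{
    const char *names[] = { "idle", "pending", "running" };
    for (int s = WORK_IDLE; s <= WORK_RUNNING; s++)
        printf("work %-8s  cancel_delayed_work: %d UAF   _sync: %d UAF\n",
               names[s], run_release((enum work_state)s, 0),
               run_release((enum work_state)s, 1));
    return 0;
}
```

Only the RUNNING row differs between the two variants: with the work idle or merely pending, the non-synchronous cancel is sufficient, which is why a release path like this can pass ordinary testing and surface only under static analysis, as the advisory notes. The model also shows why the deadlock check in the advisory matters: the _sync variant blocks the releasing context until the callback returns, so it is only safe when the callback cannot be waiting on a lock the releaser holds.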

Impact