CVE-2024-49874

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition<br /> <br /> In the svc_i3c_master_probe function, &amp;master-&gt;hj_work is bound with<br /> svc_i3c_master_hj_work, &amp;master-&gt;ibi_work is bound with<br /> svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the<br /> hj_work, svc_i3c_master_irq_handler can start the ibi_work.<br /> <br /> If we remove the module which will call svc_i3c_master_remove to<br /> make cleanup, it will free master-&gt;base through i3c_master_unregister<br /> while the work mentioned above will be used. The sequence of operations<br /> that may lead to a UAF bug is as follows:<br /> <br /> CPU0 CPU1<br /> <br /> | svc_i3c_master_hj_work<br /> svc_i3c_master_remove |<br /> i3c_master_unregister(&amp;master-&gt;base)|<br /> device_unregister(&amp;master-&gt;dev) |<br /> device_release |<br /> //free master-&gt;base |<br /> | i3c_master_do_daa(&amp;master-&gt;base)<br /> | //use master-&gt;base<br /> <br /> Fix it by ensuring that the work is canceled before proceeding with the<br /> cleanup in svc_i3c_master_remove.