Acknowledged
Created: Oct 16, 2025
Updated: Oct 17, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

media: tuner: xc5000: Fix use-after-free in xc5000_release

The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

CPU 0 (release thread)               | CPU 1 (delayed work callback)
xc5000_release()                     | xc5000_do_timer_sleep()
  cancel_delayed_work()              |
  hybrid_tuner_release_state(priv)   |
  kfree(priv)                        |
                                     | priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

[hverkuil: fix typo in Subject: tunner -> tuner]
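The race above, as an added userspace model written for this entry (it is not code from the advisory or from the kernel tree). It mimics the semantics that matter here: a cancel that only drops a not-yet-started item versus a cancel that also waits for a running callback. The kernel's kfree() is modelled by poisoning a state field rather than calling free(), so the callback can report what it observed without invoking undefined behaviour. All structure and function names (delayed_work, xc5000_priv, timer_sleep_fn, run_race) are hypothetical stand-ins for the kernel objects named in the commit message.

```c
/* Added example: pthread model of cancel_delayed_work() vs. _sync().
 * Not kernel code; names are hypothetical stand-ins. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

#define PRIV_ALIVE 0x600d
#define PRIV_FREED 0xdead   /* stands in for freed (poisoned) memory */

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct delayed_work {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    int pending;            /* queued, callback not yet started      */
    int running;            /* callback currently executing          */
    int canceller_waiting;  /* a _sync cancel is blocked on this item */
    int freed;              /* owner has "freed" the container        */
};

struct xc5000_priv {
    int state;
    struct delayed_work timer_sleep;
    int saw_freed;          /* set if the callback touched freed memory */
};

/* Models xc5000_do_timer_sleep(), the delayed work callback. */
static void *timer_sleep_fn(void *arg)
{
    struct delayed_work *work = arg;
    struct xc5000_priv *priv = container_of(work, struct xc5000_priv, timer_sleep);

    pthread_mutex_lock(&work->lock);
    work->pending = 0;
    work->running = 1;
    pthread_cond_broadcast(&work->cv);      /* we have started */
    /* Stay "in flight" until the owner either freed us (unsafe path)
     * or is blocked in a _sync cancel waiting for us (safe path). */
    while (!work->freed && !work->canceller_waiting)
        pthread_cond_wait(&work->cv, &work->lock);
    pthread_mutex_unlock(&work->lock);

    priv->saw_freed = (priv->state == PRIV_FREED);   /* the UAF site */

    pthread_mutex_lock(&work->lock);
    work->running = 0;
    pthread_cond_broadcast(&work->cv);
    pthread_mutex_unlock(&work->lock);
    return NULL;
}

/* Models cancel_delayed_work(): drops a pending item, does not wait. */
static int cancel_delayed_work(struct delayed_work *work)
{
    pthread_mutex_lock(&work->lock);
    int was_pending = work->pending;
    work->pending = 0;
    pthread_mutex_unlock(&work->lock);
    return was_pending;
}

/* Models cancel_delayed_work_sync(): also waits for a running callback. */
static int cancel_delayed_work_sync(struct delayed_work *work)
{
    pthread_mutex_lock(&work->lock);
    int was_pending = work->pending;
    work->pending = 0;
    work->canceller_waiting = 1;
    pthread_cond_broadcast(&work->cv);
    while (work->running)
        pthread_cond_wait(&work->cv, &work->lock);
    pthread_mutex_unlock(&work->lock);
    return was_pending;
}

/* Models xc5000_release(); use_sync selects the fixed behaviour. */
static void xc5000_release(struct xc5000_priv *priv, int use_sync)
{
    struct delayed_work *work = &priv->timer_sleep;
    if (use_sync)
        cancel_delayed_work_sync(work);
    else
        cancel_delayed_work(work);
    pthread_mutex_lock(&work->lock);      /* kfree(priv), modelled as poison */
    priv->state = PRIV_FREED;
    work->freed = 1;
    pthread_cond_broadcast(&work->cv);
    pthread_mutex_unlock(&work->lock);
}

/* Drives the race with the callback already running when release is
 * called. Returns 1 if the callback dereferenced freed memory. */
int run_race(int use_sync)
{
    struct xc5000_priv priv = { .state = PRIV_ALIVE };
    struct delayed_work *work = &priv.timer_sleep;
    pthread_t worker;

    pthread_mutex_init(&work->lock, NULL);
    pthread_cond_init(&work->cv, NULL);
    work->pending = 1;                        /* schedule_delayed_work() */
    pthread_create(&worker, NULL, timer_sleep_fn, work);
    pthread_mutex_lock(&work->lock);
    while (!work->running)                    /* wait for the bad window */
        pthread_cond_wait(&work->cv, &work->lock);
    pthread_mutex_unlock(&work->lock);

    xc5000_release(&priv, use_sync);
    pthread_join(worker, NULL);
    pthread_cond_destroy(&work->cv);
    pthread_mutex_destroy(&work->lock);
    return priv.saw_freed;
}

int main(void)
{
    printf("cancel_delayed_work():      UAF observed = %d\n", run_race(0));
    printf("cancel_delayed_work_sync(): UAF observed = %d\n", run_race(1));
    return 0;
}
```

run_race(0) reproduces the commit's diagram: the callback is already executing, the non-waiting cancel returns immediately, the container is freed, and the callback's dereference lands on poisoned memory. run_race(1) shows why the fix is sufficient: the _sync variant blocks until running drops to zero, so the free happens strictly after the callback's last access. The deadlock caveat from the commit message applies to the model too: the release side must not hold any lock the callback needs while it waits.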