{"id":"CVE-2025-39996","summary":"media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n\nThe original code uses cancel_delayed_work() in flexcop_pci_remove(), which\ndoes not guarantee that the delayed work item irq_check_work has fully\ncompleted if it was already running. This leads to use-after-free scenarios\nwhere flexcop_pci_remove() may free the flexcop_device while irq_check_work\nis still active and attempts to dereference the device.\n\nA typical race condition is illustrated below:\n\nCPU 0 (remove)                         | CPU 1 (delayed work callback)\nflexcop_pci_remove()                   | flexcop_pci_irq_check_work()\n  cancel_delayed_work()                |\n  flexcop_device_kfree(fc_pci-\u003efc_dev) |\n                                       |   fc = fc_pci-\u003efc_dev; // UAF\n\nThis is confirmed by a KASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0\nWrite of size 8 at addr ffff8880093aa8c8 by task bash/135\n...\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcf/0x610\n ? __run_timer_base.part.0+0x7d7/0x8c0\n kasan_report+0xb8/0xf0\n ? __run_timer_base.part.0+0x7d7/0x8c0\n __run_timer_base.part.0+0x7d7/0x8c0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? __pfx_read_tsc+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n run_timer_softirq+0xd1/0x190\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nAllocated by task 1:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x1be/0x460\n flexcop_device_kmalloc+0x54/0xe0\n flexcop_pci_probe+0x1f/0x9d0\n local_pci_probe+0xdc/0x190\n pci_device_probe+0x2fe/0x470\n really_probe+0x1ca/0x5c0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x44/0x120\n __driver_attach+0xd2/0x310\n bus_for_each_dev+0xed/0x170\n bus_add_driver+0x208/0x500\n driver_register+0x132/0x460\n do_one_initcall+0x89/0x300\n kernel_init_freeable+0x40d/0x720\n kernel_init+0x1a/0x150\n ret_from_fork+0x10c/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 135:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x3f/0x50\n kfree+0x137/0x370\n flexcop_device_kfree+0x32/0x50\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0xf8/0x210\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device_locked+0x15/0x30\n remove_store+0xcc/0xe0\n kernfs_fop_write_iter+0x2c3/0x440\n vfs_write+0x871/0xd70\n ksys_write+0xee/0x1c0\n do_syscall_64+0xac/0x280\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\nReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensure\nthat the delayed work item is properly canceled and any executing delayed\nwork has finished before the device memory is deallocated.\n\nThis bug was initially identified through static analysis. To reproduce\nand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced\nartificial delays within the flexcop_pci_irq_check_work() function to\nincrease the likelihood of triggering the bug.","modified":"2026-04-16T04:32:36.892954519Z","published":"2025-10-15T07:58:21.049Z","related":["SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4301-1","openSUSE-SU-2025:15671-1","openSUSE-SU-2025:20091-1","openSUSE-SU-2026:10301-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39996.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01e03fb7db419d39e18d6090d4873c1bff103914"},{"type":"WEB","url":"https://git.kernel.org/stable/c/120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ffabc79388e68877d9c02f724a0b7a38d519daf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/514a519baa9e2be7ddc2714bd730bc5a883e1244"},{"type":"WEB","url":"https://git.kernel.org/stable/c/607010d07b8a509b01ed15ea12744acac6536a98"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6a92f5796880f5aa345f0fed53ef511e3fd6f706"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb10a9ddc8d6c5dbf098f21eb1055a652652e524"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bde8173def374230226e8554efb51b271f4066ec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d502df8a716d993fa0f9d8c00684f1190750e28e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39996.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39996"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"382c5546d618f24dc7d6ae7ca33412083720efbf"},{"fixed":"607010d07b8a509b01ed15ea12744acac6536a98"},{"fixed":"bde8173def374230226e8554efb51b271f4066ec"},{"fixed":"120e221b4bbe9d0f6c09b5c4dc53ca4ad91d956b"},{"fixed":"d502df8a716d993fa0f9d8c00684f1190750e28e"},{"fixed":"bb10a9ddc8d6c5dbf098f21eb1055a652652e524"},{"fixed":"514a519baa9e2be7ddc2714bd730bc5a883e1244"},{"fixed":"3ffabc79388e68877d9c02f724a0b7a38d519daf"},{"fixed":"6a92f5796880f5aa345f0fed53ef511e3fd6f706"},{"fixed":"01e03fb7db419d39e18d6090d4873c1bff103914"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39996.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.29"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.156"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.110"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.51"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.16.11"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39996.json"}}],"schema_version":"1.7.5"}