{"id":"CVE-2026-43293","summary":"media: chips-media: wave5: Fix kthread worker destruction in polling mode","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix kthread worker destruction in polling mode\n\nFix the cleanup order in polling mode (irq \u003c 0) to prevent kernel warnings\nduring module removal. Cancel the hrtimer before destroying the kthread\nworker to ensure work queues are empty.\n\nIn polling mode, the driver uses hrtimer to periodically trigger\nwave5_vpu_timer_callback() which queues work via kthread_queue_work().\nThe kthread_destroy_worker() function validates that both work queues\nare empty with WARN_ON(!list_empty(&worker-\u003ework_list)) and\nWARN_ON(!list_empty(&worker-\u003edelayed_work_list)).\n\nThe original code called kthread_destroy_worker() before hrtimer_cancel(),\ncreating a race condition where the timer could fire during worker\ndestruction and queue new work, triggering the WARN_ON.\n\nThis causes the following warning on every module unload in polling mode:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430\n    kthread_destroy_worker+0x84/0x98\n  Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ...\n  Call trace:\n   kthread_destroy_worker+0x84/0x98\n   wave5_vpu_remove+0xc8/0xe0 [wave5]\n   platform_remove+0x30/0x58\n  ...\n  ---[ end trace 0000000000000000 ]---","modified":"2026-07-08T08:13:28.149610702Z","published":"2026-05-08T13:11:16.812Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43293.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c2e752688a0ee3b89993e6de6c496d863870c93"},{"type":"WEB","url":"https://git.kernel.org/stable/c/156020e889edf4593870d926d3c4a6d06baac44a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a0c122e834b2f7f029526422c71be922960bf03"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cc8071b1bac6568ea09d54be2d4f74dba80e17f8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43293.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43293"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ed7276ed2fd02208bfca9f222ef1e7b2743d710d"},{"fixed":"156020e889edf4593870d926d3c4a6d06baac44a"},{"fixed":"cc8071b1bac6568ea09d54be2d4f74dba80e17f8"},{"fixed":"0c2e752688a0ee3b89993e6de6c496d863870c93"},{"fixed":"5a0c122e834b2f7f029526422c71be922960bf03"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43293.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.10.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43293.json"}}],"schema_version":"1.7.5"}