DEBIAN-CVE-2025-39944

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix use-after-free bugs in otx2synctstamp() The original code relies on canceldelayedwork() in otx2ptpdestroy(), which does not ensure that the delayed work item synctstampwork has fully completed if it was already running. This leads to use-after-free scenarios where otx2ptp is deallocated by otx2ptpdestroy(), while synctstampwork remains active and attempts to dereference otx2ptp in otx2synctstamp(). Furthermore, the synctstampwork is cyclic, the likelihood of triggering the bug is nonnegligible. A typical race condition is illustrated below: CPU 0 (cleanup) | CPU 1 (delayed work callback) otx2remove() | otx2ptpdestroy() | otx2synctstamp() canceldelayedwork() | kfree(ptp) | | ptp = containerof(...); //UAF | ptp-> //UAF This is confirmed by a KASAN report: BUG: KASAN: slab-use-after-free in runtimerbase.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800aa09a18 by task bash/136 ... Call Trace: <IRQ> dumpstacklvl+0x55/0x70 printreport+0xcf/0x610 ? _runtimerbase.part.0+0x7d7/0x8c0 kasanreport+0xb8/0xf0 ? _runtimerbase.part.0+0x7d7/0x8c0 _runtimerbase.part.0+0x7d7/0x8c0 ? _pfxruntimerbase.part.0+0x10/0x10 ? _pfxreadtsc+0x10/0x10 ? ktimeget+0x60/0x140 ? lapicnextevent+0x11/0x20 ? clockeventsprogramevent+0x1d4/0x2a0 runtimersoftirq+0xd1/0x190 handlesoftirqs+0x16a/0x550 irqexitrcu+0xaf/0xe0 sysvecapictimerinterrupt+0x70/0x80 </IRQ> ... Allocated by task 1: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 _kasankmalloc+0x7f/0x90 otx2ptpinit+0xb1/0x860 otx2probe+0x4eb/0xc30 localpciprobe+0xdc/0x190 pcideviceprobe+0x2fe/0x470 reallyprobe+0x1ca/0x5c0 _driverprobedevice+0x248/0x310 driverprobedevice+0x44/0x120 _driverattach+0xd2/0x310 busforeachdev+0xed/0x170 busadddriver+0x208/0x500 driverregister+0x132/0x460 dooneinitcall+0x89/0x300 kernelinitfreeable+0x40d/0x720 kernelinit+0x1a/0x150 retfromfork+0x10c/0x1a0 retfromforkasm+0x1a/0x30 Freed by task 136: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3a/0x60 _kasanslabfree+0x3f/0x50 kfree+0x137/0x370 otx2ptpdestroy+0x38/0x80 otx2remove+0x10d/0x4c0 pcideviceremove+0xa6/0x1d0 devicereleasedriverinternal+0xf8/0x210 pcistopbusdevice+0x105/0x150 pcistopandremovebusdevicelocked+0x15/0x30 removestore+0xcc/0xe0 kernfsfopwriteiter+0x2c3/0x440 vfswrite+0x871/0xd70 ksyswrite+0xee/0x1c0 dosyscall64+0xac/0x280 entrySYSCALL64afterhwframe+0x77/0x7f ... Replace canceldelayedwork() with canceldelayedworksync() to ensure that the delayed work item is properly canceled before the otx2ptp is deallocated. This bug was initially identified through static analysis. To reproduce and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced artificial delays within the otx2synctstamp() function to increase the likelihood of triggering the bug.