In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdnsi3cmaster Driver Due to Race Condition In the cdnsi3cmasterprobe function, &master->hjwork is bound with cdnsi3cmasterhj. And cdnsi3cmasterinterrupt can call cndsi3cmasterdemuxibis function to start the work. If we remove the module which will call cdnsi3cmasterremove to make cleanup, it will free master->base through i3cmasterunregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdnsi3cmasterhj cdnsi3cmasterremove | i3cmasterunregister(&master->base) | deviceunregister(&master->dev) | devicerelease | //free master->base | | i3cmasterdodaa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdnsi3cmaster_remove.