In the Linux kernel, the following vulnerability has been resolved:

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

In the svc_i3c_master_probe function, &master->hj_work is bound with
svc_i3c_master_hj_work, &master->ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work  can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.

If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:

CPU0                                         CPU1

                                    | svc_i3c_master_hj_work
svc_i3c_master_remove               |
i3c_master_unregister(&master->base)|
device_unregister(&master->dev)     |
device_release                      |
//free master->base                 |
                                    | i3c_master_do_daa(&master->base)
                                    | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.

kernel.org https://git.kernel.org/stable/c/27b55724d3f781dd6e635e89dc6e2fd78fa81a00 [No types assigned]

kernel.org https://git.kernel.org/stable/c/4318998892bf8fe99f97bea18c37ae7b685af75a [No types assigned]

kernel.org https://git.kernel.org/stable/c/4ac637122930cc4ab7e2c22e364cf3aaf96b05b1 [No types assigned]

kernel.org https://git.kernel.org/stable/c/61850725779709369c7e907ae8c7c75dc7cec4f3 [No types assigned]