Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's chips-media wave5 driver, specifically in the handling of kthread workers during module removal. This issue arises in polling mode when the interrupt request (irq) is less than zero. The driver utilizes a high-resolution timer (hrtimer) to periodically trigger a callback that queues work for processing. However, the original cleanup sequence canceled the timer after initiating the destruction of the kthread worker. This flaw allowed the timer to potentially fire during the worker's removal, leading to new work being queued and causing kernel warnings. The vulnerability has been addressed by adjusting the cleanup order to ensure that work queues are empty before the kthread worker is destroyed.
The vulnerability can cause kernel warnings during the module removal process, indicating a problem with the management of work queues for kthread workers.
To reproduce this vulnerability, load the wave5 VPU module in an environment where the IRQ is less than zero. Once the module is loaded, remove it. During the removal process, the kernel will issue warnings about the kthread worker destruction, indicating that the work queues were not empty. This warning can be seen in the kernel log, providing a clear indication that the vulnerability has been triggered.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.
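The cleanup-ordering problem described above, as an added user-space model in C; it is not the wave5 driver's code or the upstream patch. All struct and function names are hypothetical, the kernel calls named in comments only indicate which step each helper stands in for, and the timer expiry during teardown is injected deterministically instead of being raced.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model of the teardown race; every name here is hypothetical. */
struct vpu_model {
    bool timer_armed; /* polling hrtimer still scheduled */
    int queued;       /* work items on the kthread worker's list */
    int warnings;     /* "work list not empty" warnings raised */
};

/* Timer callback: queues one work item while the timer is armed. */
static void timer_fire(struct vpu_model *m) { if (m->timer_armed) m->queued++; }
/* Stands in for hrtimer_cancel(): the callback cannot run afterwards. */
static void timer_cancel(struct vpu_model *m) { m->timer_armed = false; }
/* Stands in for cancelling pending work (kthread_cancel_work_sync()). */
static void work_cancel(struct vpu_model *m) { m->queued = 0; }

/* Stands in for kthread_destroy_worker(): flush, then require an empty
 * list. The timer_fire() call is the injected race window. */
static void worker_destroy(struct vpu_model *m)
{
    m->queued = 0;  /* flush what is queued right now */
    timer_fire(m);  /* timer expires during teardown, if still armed */
    if (m->queued != 0) m->warnings++;
}

/* Original order: destroy the worker, then cancel the timer. */
int remove_original_order(void)
{
    struct vpu_model m = { .timer_armed = true, .queued = 1 };
    worker_destroy(&m);
    timer_cancel(&m);
    return m.warnings;
}

/* Corrected order: stop the source of new work first, then destroy. */
int remove_fixed_order(void)
{
    struct vpu_model m = { .timer_armed = true, .queued = 1 };
    timer_cancel(&m);
    work_cancel(&m);
    worker_destroy(&m);
    return m.warnings;
}

int main(void)
{
    printf("original: %d, fixed: %d\n", remove_original_order(), remove_fixed_order());
    return 0;
}
```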