CVE-2026-43293: media: chips-media: wave5: Fix kthread worker destruction in polling mode

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix kthread worker destruction in polling mode

Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings
during module removal. Cancel the hrtimer before destroying the kthread
worker to ensure work queues are empty.

In polling mode, the driver uses hrtimer to periodically trigger
wave5_vpu_timer_callback() which queues work via kthread_queue_work().
The kthread_destroy_worker() function validates that both work queues
are empty with WARN_ON(!list_empty(&worker->work_list)) and
WARN_ON(!list_empty(&worker->delayed_work_list)).

The original code called kthread_destroy_worker() before hrtimer_cancel(),
creating a race condition where the timer could fire during worker
destruction and queue new work, triggering the WARN_ON.

This causes the following warning on every module unload in polling mode:

  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430
    kthread_destroy_worker+0x84/0x98
  Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ...
  Call trace:
   kthread_destroy_worker+0x84/0x98
   wave5_vpu_remove+0xc8/0xe0 [wave5]
   platform_remove+0x30/0x58
  ...
  ---[ end trace 0000000000000000 ]---

The Linux kernel CVE team has assigned CVE-2026-43293 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.12.75 with commit 156020e889edf4593870d926d3c4a6d06baac44a
	Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.18.16 with commit cc8071b1bac6568ea09d54be2d4f74dba80e17f8
	Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.19.6 with commit 0c2e752688a0ee3b89993e6de6c496d863870c93
	Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 7.0 with commit 5a0c122e834b2f7f029526422c71be922960bf03

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43293
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/media/platform/chips-media/wave5/wave5-vpu.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/156020e889edf4593870d926d3c4a6d06baac44a
	https://git.kernel.org/stable/c/cc8071b1bac6568ea09d54be2d4f74dba80e17f8
	https://git.kernel.org/stable/c/0c2e752688a0ee3b89993e6de6c496d863870c93
	https://git.kernel.org/stable/c/5a0c122e834b2f7f029526422c71be922960bf03