From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E06053DDDDB for ; Fri, 8 May 2026 13:14:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778246041; cv=none; b=jwvlnH59n3wK3cCiwgahMnOTWt3we400mPIAK0DfwSVGV0yxoXJDP85UW9/SpOMxJ7yokGQ+K1BI3n6uqWz7ZskcQkre3d5SOQFpDqKlZyarMX9KhGvOsCjL8VzZ+SKYiAnZcIvVJnbCdgGAOZyfroEGRpr9jA/SIKBvzx+DZfQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778246041; c=relaxed/simple; bh=aCRZMOym46hY7wZt25ech6D+XRP0CPwQsWXb0on+UEQ=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=hBwnFtPVKSE5OKyNakm620jlNSwOxfXlsCAXBn+aYKkt/8uuyjF0/Y7OsWdGzSBWw4tjBHrMm0P0z/1ucUYnycel72ZFl7QVhdOX7kf50UMFJd8/py36L6EGjp6FV8YeZpFWq8dYb6sgAH0d4rOHwS+Klba1Y8LjRz1dBQZz6Cs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=pQW6N+an; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="pQW6N+an" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 19BCCC2BCC7; Fri, 8 May 2026 13:13:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778246040; bh=aCRZMOym46hY7wZt25ech6D+XRP0CPwQsWXb0on+UEQ=; h=From:To:Cc:Subject:Date:Reply-To:From; b=pQW6N+anj9NmEiJGcSO9Z2CwigmHHtNksKonUuwezdDiVcT6o/kWkfLX8rYzUV1Cj ZG02jJhtwGU/SgVSy8CoTkFJh3xEE132UXbJGtUrmHurpDJ+SSkpHS+e6GX3hQqwiz bHA/iF0czN9X/Q7n97VuQRHVHYEQai/MSdPRfVsc= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43293: media: chips-media: wave5: Fix kthread worker destruction in polling mode Date: Fri, 8 May 2026 15:11:58 +0200 Message-ID: <2026050853-CVE-2026-43293-ade7@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3416; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=n5UuTrUDTETYrfsWjb8fyEzmN/c+Fv4A/UQi92kDb+A=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/H0qmVrnvzuhd/IWvIXJ3s6HiLBbD47P/7TsW92OO/ JyT3qcmdsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBE0lsYFsyJ8uRdJfx9l5pm ffwumTkcE94Z9TMs2HuD2fPyNI8DKeom4RvkPPX2vQo6DQA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]--- The Linux kernel CVE team has assigned CVE-2026-43293 to this issue. Affected and fixed versions =========================== Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.12.75 with commit 156020e889edf4593870d926d3c4a6d06baac44a Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.18.16 with commit cc8071b1bac6568ea09d54be2d4f74dba80e17f8 Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 6.19.6 with commit 0c2e752688a0ee3b89993e6de6c496d863870c93 Issue introduced in 6.10 with commit ed7276ed2fd02208bfca9f222ef1e7b2743d710d and fixed in 7.0 with commit 5a0c122e834b2f7f029526422c71be922960bf03 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43293 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/media/platform/chips-media/wave5/wave5-vpu.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/156020e889edf4593870d926d3c4a6d06baac44a https://git.kernel.org/stable/c/cc8071b1bac6568ea09d54be2d4f74dba80e17f8 https://git.kernel.org/stable/c/0c2e752688a0ee3b89993e6de6c496d863870c93 https://git.kernel.org/stable/c/5a0c122e834b2f7f029526422c71be922960bf03