PT-2026-51991 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24

CVE-2026-53097

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
When the mt7996 pci chip is detaching, the mt7996 crash data is released in mt7996_coredump_unregister(). However, the work item dump_work may still be running or pending, leading to UAF bugs when the already freed crash data is dereferenced again in mt7996_mac_dump_work().
The race condition can occur as follows:

CPU 0 (removal path)                | CPU 1 (workqueue)
mt7996_pci_remove()                 | mt7996_sys_recovery_set()
 mt7996_unregister_device()         |  mt7996_reset()
  mt7996_coredump_unregister()      |   queue_work()
   vfree(dev->coredump.crash_data)  |  mt7996_mac_dump_work()
                                    |   crash_data-> // UAF

Fix this by ensuring dump_work is properly canceled before the crash data is deallocated. Add cancel_work_sync() in mt7996_unregister_device() to synchronize with any pending or executing dump_work.
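
The interleaving described above, replayed deterministically in a userspace C model (an added example, not the mt76 driver's code or the upstream patch). The `model_*` names, the `struct dev` layout and the `stale_accesses` counter are assumptions; the model covers only the pending-work case, whereas the kernel's cancel_work_sync() also waits for a work item that is already executing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: every name here is hypothetical, not driver code. */
struct dev {
    bool dump_work_pending;  /* work item queued but not yet run */
    char *crash_data;        /* stands in for dev->coredump.crash_data */
    int stale_accesses;      /* times the work ran after the free */
};

static void model_queue_work(struct dev *d) { d->dump_work_pending = true; }

/* Pending-only stand-in for cancel_work_sync(): dequeue before teardown. */
static void model_cancel_work(struct dev *d) { d->dump_work_pending = false; }

static void model_dump_work(struct dev *d)
{
    if (!d->crash_data) {        /* the real bug dereferences freed memory here */
        d->stale_accesses++;     /* the model records it instead of touching it */
        return;
    }
    d->crash_data[0] = 1;        /* normal path: buffer is still live */
}

static void model_unregister_device(struct dev *d, bool cancel_first)
{
    if (cancel_first)
        model_cancel_work(d);    /* the fix: synchronize before freeing */
    free(d->crash_data);
    d->crash_data = NULL;        /* NULL marks "freed" in this model only */
}

/* Replays: reset queues work -> removal frees -> worker finally runs. */
int simulate(bool cancel_first)
{
    struct dev d = { .crash_data = calloc(1, 64) };
    if (!d.crash_data) return -1;
    model_queue_work(&d);
    model_unregister_device(&d, cancel_first);
    if (d.dump_work_pending)     /* workqueue thread gets scheduled late */
        model_dump_work(&d);
    return d.stale_accesses;
}

int main(void)
{
    printf("no cancel: %d, cancel first: %d\n", simulate(false), simulate(true));
    return 0;
}
```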

Related identifiers

CVE-2026-53097

Affected products

Linux