[SRU][N][PATCH 0/1] CVE-2025-37838

[Tim Whisonant]

SRU Justification:

[Impact]

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.

If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:

CPU0                                    CPU1

                        | ssip_xmit_work
ssi_protocol_remove     |
kfree(ssi);             |
                        | struct hsi_client *cl = ssi->cl;
                        | // use ssi

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().

[Fix]

Plucky:   not affected
Noble:    cherry picked from upstream
Jammy:    not affected
Focal:    submitted separately
Bionic:   patch sent to ESM ML
Xenial:   patch sent to ESM ML
Trusty:   out of scope (medium CVE)

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the High Speed Synchronous Serial Interface
client driver in the ssip_reset() function. Issues would affect
the reliability of these devices.

Kaixin Wang (1):
  HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol
    Driver Due to Race Condition

 drivers/hsi/clients/ssi_protocol.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.43.0