ACK: [SRU][N][PATCH 0/1] CVE-2025-37838
Manuel Diewald
manuel.diewald at canonical.com
Tue Oct 7 09:25:47 UTC 2025
On Thu, Oct 02, 2025 at 04:28:55PM -0700, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
>
> In the ssi_protocol_probe() function, &ssi->work is bound with
> ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function
> within the ssip_pn_ops structure is capable of starting the
> work.
>
> If we remove the module which will call ssi_protocol_remove()
> to make a cleanup, it will free ssi through kfree(ssi),
> while the work mentioned above will be used. The sequence
> of operations that may lead to a UAF bug is as follows:
>
> CPU0                        CPU1
>
>                             | ssip_xmit_work
> ssi_protocol_remove         |
> kfree(ssi);                 |
>                             | struct hsi_client *cl = ssi->cl;
>                             | // use ssi
>
> Fix it by ensuring that the work is canceled before proceeding
> with the cleanup in ssi_protocol_remove().
>
> [Fix]
>
> Plucky: not affected
> Noble: cherry picked from upstream
> Jammy: not affected
> Focal: submitted separately
> Bionic: patch sent to ESM ML
> Xenial: patch sent to ESM ML
> Trusty: out of scope (medium CVE)
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the High Speed Synchronous Serial Interface
> client driver in the ssip_reset() function. Issues would affect
> the reliability of these devices.
>
> Kaixin Wang (1):
> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol
> Driver Due to Race Condition
>
> drivers/hsi/clients/ssi_protocol.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --
> 2.43.0
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
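
The ordering problem described in the quoted cover letter, as an added example that is not part of the original thread or of the kernel patch: a constructed, single-threaded user-space model in which all struct and function names are hypothetical. It covers only work that is queued but has not yet run; a real synchronous cancel must also wait for a handler that is already executing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the race; every name here is hypothetical. */
struct work { void (*fn)(struct work *); bool pending; };

struct ssi_model {
    struct work work;  /* plays the role of ssi->work */
    bool freed;        /* set instead of really freeing, so stale use is observable */
    int stale_uses;    /* handler runs that touched a "freed" object */
};

/* Handler: like the worker in the trace, it dereferences its owner. */
static void xmit_work(struct work *w)
{
    struct ssi_model *ssi = (struct ssi_model *)w;  /* work is the first member */
    if (ssi->freed)
        ssi->stale_uses++;  /* in a kernel this is the use after free */
}

static void queue_work_model(struct work *w) { w->pending = true; }

/* Stand-in for cancelling queued work before teardown. */
static void cancel_sync(struct work *w) { w->pending = false; }

/* Worker pass: runs the item only if it is still queued. */
static void worker_run(struct work *w)
{
    if (w->pending) { w->pending = false; w->fn(w); }
}

/* Replays the interleaving: queue, remove (free), then the worker runs. */
int stale_uses_after_remove(bool cancel_first)
{
    struct ssi_model ssi = { .work = { .fn = xmit_work } };
    queue_work_model(&ssi.work);
    if (cancel_first)
        cancel_sync(&ssi.work);  /* fixed ordering: cancel, then free */
    ssi.freed = true;            /* models kfree(ssi) in remove */
    worker_run(&ssi.work);
    return ssi.stale_uses;
}

int main(void)
{
    printf("no cancel:   %d stale use(s)\n", stale_uses_after_remove(false));
    printf("with cancel: %d stale use(s)\n", stale_uses_after_remove(true));
    return 0;
}
```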