APPLIED: [SRU][N][PATCH 0/1] CVE-2025-37838

Edoardo Canepa edoardo.canepa at canonical.com
Fri Oct 10 10:52:37 UTC 2025


Applied to noble/master-next. Thanks.

On 10/3/25 01:28, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
>
> In the ssi_protocol_probe() function, &ssi->work is bound with
> ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function
> within the ssip_pn_ops structure is capable of starting the
> work.
>
> If we remove the module which will call ssi_protocol_remove()
> to make a cleanup, it will free ssi through kfree(ssi),
> while the work mentioned above will be used. The sequence
> of operations that may lead to a UAF bug is as follows:
>
> CPU0                      CPU1
>
>                         | ssip_xmit_work
> ssi_protocol_remove     |
> kfree(ssi);             |
>                         | struct hsi_client *cl = ssi->cl;
>                         | // use ssi
>
> Fix it by ensuring that the work is canceled before proceeding
> with the cleanup in ssi_protocol_remove().
>
> [Fix]
>
> Plucky:   not affected
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    submitted separately
> Bionic:   patch sent to ESM ML
> Xenial:   patch sent to ESM ML
> Trusty:   out of scope (medium CVE)
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the High Speed Synchronous Serial Interface
> client driver in the ssip_reset() function. Issues would affect
> the reliability of these devices.
>
> Kaixin Wang (1):
>    HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol
>      Driver Due to Race Condition
>
>   drivers/hsi/clients/ssi_protocol.c | 1 +
>   1 file changed, 1 insertion(+)
>
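
The ordering described in the quoted [Impact] text, as an added example that is not part of the original message or of the kernel patch: a single-threaded userspace model in C. Every `model_*` name is hypothetical, and a one-slot queue stands in for the kernel workqueue.

```c
/* Added example: userspace model of the remove-vs-work ordering.
 * All model_* names are hypothetical; nothing here is kernel code. */
#include <stdbool.h>
#include <stdlib.h>

struct model_work { void (*fn)(struct model_work *); };
struct model_ssi  { int cl_id; struct model_work work; };

static struct model_work *queued;  /* one-slot stand-in for the workqueue */
static bool pending;               /* true while queued work has not run */
static bool owner_freed;           /* true once the owning ssi is released */

static void model_xmit_work(struct model_work *w) { (void)w; }

/* Analog of the xmit path queueing &ssi->work. */
static void model_schedule(struct model_work *w) { queued = w; pending = true; }

/* Analog of cancelling the work before cleanup. The kernel offers
 * cancel_work_sync(), which also waits for an instance already running. */
static void model_cancel_work(struct model_work *w)
{
    if (pending && queued == w)
        pending = false;
}

/* Analog of ssi_protocol_remove(): optionally cancel, then free. */
static void model_remove(struct model_ssi *ssi, bool cancel_first)
{
    if (cancel_first)
        model_cancel_work(&ssi->work);
    free(ssi);
    owner_freed = true;
}

/* Run queued work: 1 = ran, 0 = nothing pending,
 * -1 = work outlived its owner (the UAF window; never dereferenced here). */
static int model_run_pending(void)
{
    if (!pending) return 0;
    pending = false;
    if (owner_freed) return -1;
    queued->fn(queued);
    return 1;
}

/* Queue work, remove the device, then let the "workqueue" run. */
int model_race_outcome(bool cancel_first)
{
    struct model_ssi *ssi = calloc(1, sizeof(*ssi));
    if (!ssi) return -2;
    pending = false; owner_freed = false;
    ssi->work.fn = model_xmit_work;
    model_schedule(&ssi->work);
    model_remove(ssi, cancel_first);
    return model_run_pending();
}
```

`model_race_outcome(false)` reports the stale work item that the CPU0/CPU1 diagram shows; `model_race_outcome(true)` leaves nothing pending once the owner is freed.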