CVE-2025-37838: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

Description

In the Linux kernel, the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.

If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().

Classification

CVE ID: CVE-2025-37838

Affected Products

Vendor: Linux

Product: Linux

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37838
https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11

Timeline

2025-04-18 15:40:25 UTC
CVE

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition