[SRU][N][PATCH 1/1] HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Tim Whisonant
tim.whisonant at canonical.com
Thu Oct 2 23:28:56 UTC 2025
From: Kaixin Wang <kxwang23 at m.fudan.edu.cn>
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Signed-off-by: Kaixin Wang <kxwang23 at m.fudan.edu.cn>
Acked-by: Andy Shevchenko <andriy.shevchenko at linux.intel.com>
Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel at collabora.com>
(cherry picked from commit e3f88665a78045fe35c7669d2926b8d97b892c11)
CVE-2025-37838
Signed-off-by: Tim Whisonant <tim.whisonant at canonical.com>
---
drivers/hsi/clients/ssi_protocol.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
index da6a7abd584f7..f8ccb29c63807 100644
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -401,6 +401,7 @@ static void ssip_reset(struct hsi_client *cl)
del_timer(&ssi->rx_wd);
del_timer(&ssi->tx_wd);
del_timer(&ssi->keep_alive);
+ cancel_work_sync(&ssi->work);
ssi->main_state = 0;
ssi->send_state = 0;
ssi->recv_state = 0;
--
2.43.0
More information about the kernel-team
mailing list