CVE-2025-37838

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
18/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.

If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

    CPU0                        CPU1

                            | ssip_xmit_work
    ssi_protocol_remove     |
    kfree(ssi);             |
                            | struct hsi_client *cl = ssi->cl;
                            | // use ssi

Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().
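The teardown ordering described above, as an added single-threaded userspace model in C (not the kernel driver's code and not the upstream patch). All names are hypothetical, `released` stands in for kfree(ssi) so nothing is actually freed, and the page does not say which kernel call the fix uses; cancel_work_sync() is one kernel primitive with the modelled behaviour.

```c
/* Constructed model of the remove-vs-work race; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct work { bool pending; void (*fn)(struct work *); };

struct proto {               /* stands in for the driver's per-client state (ssi) */
    struct work work;
    bool released;           /* set at the point where the driver would kfree() */
    int stale_uses;          /* work ran after release: the UAF condition */
};

static void xmit_work(struct work *w)
{
    /* container_of(): recover the owning object from its embedded work item */
    struct proto *p = (struct proto *)((char *)w - offsetof(struct proto, work));
    if (p->released)
        p->stale_uses++;     /* in the kernel: a read of freed memory */
}

static void queue_work_model(struct work *w) { w->pending = true; }

/* Models a synchronous cancel: on return the work can no longer run.
 * A real cancel also waits for an instance that is already executing. */
static void cancel_work_model(struct work *w) { w->pending = false; }

/* The other CPU: executes whatever is still queued. */
static void run_pending(struct work *w)
{
    if (w->pending) { w->pending = false; w->fn(w); }
}

static void remove_unfixed(struct proto *p) { p->released = true; }

static void remove_fixed(struct proto *p)
{
    cancel_work_model(&p->work);   /* cancel first ... */
    p->released = true;            /* ... then release the state */
}

/* Number of stale uses seen when the worker runs after remove. */
int stale_uses_after_remove(bool fixed)
{
    struct proto p = { .work = { .pending = false, .fn = xmit_work } };
    queue_work_model(&p.work);     /* transmit path scheduled the work */
    if (fixed) remove_fixed(&p); else remove_unfixed(&p);
    run_pending(&p.work);          /* worker gets CPU time after remove */
    return p.stale_uses;
}
```
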

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    -                  6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)    6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)    6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)   6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.14 (including)   6.14.3 (excluding)