CVE-2023-1855: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free flaw was found in xgenehwmonremove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This vulnerability was discovered by Zheng Wang and assigned CVE-2023-1855. The issue was disclosed on April 5, 2023, affecting the Linux Kernel's hardware monitoring subsystem (CVE Mitre, NVD).

The vulnerability stems from a race condition in the xgenehwmonremove function. In xgenehwmonprobe, &ctx->workq is bound with xgenehwmonevtwork and started. When removing the driver through xgenehwmonremove, there may be unfinished work leading to a use-after-free condition. The issue occurs when kfifofree(&ctx->asyncmsgfifo) is called while kfifooutspinlocked is still using &ctx->asyncmsgfifo (GitHub Commit).

The vulnerability could allow a local attacker to crash the system due to a race problem. Additionally, this vulnerability could potentially lead to a kernel information leak problem (Ubuntu Security).

The issue has been fixed in various Linux distributions through security updates. For example, Ubuntu has released fixes for multiple versions including 23.04 (6.2.0-23.23), 22.04 LTS (5.15.0-79.86), and 20.04 LTS (5.4.0-156.173). Debian has also addressed this in version 5.10.178-3~deb10u1 for Debian 10 buster (Debian LTS).