CVE-2025-39721
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - flush misc workqueue during device shutdown
Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded.
Since the driver uses a shared workqueue (qat_misc_wq) across all
devices and owned by intel_qat.ko, a deferred routine from the
device-specific driver may still be pending in the queue. If this
routine executes after the driver is unloaded, it can dereference freed
memory, resulting in a page fault and kernel crash like the following:
BUG: unable to handle page fault for address: ffa000002e50a01c
#PF: supervisor read access in kernel mode
RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
Call Trace:
pm_bh_handler+0x1d2/0x250 [intel_qat]
process_one_work+0x171/0x340
worker_thread+0x277/0x3a0
kthread+0xf0/0x120
ret_from_fork+0x2d/0x50
To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded.
Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e5745f34113b758b45d134dec04a7df94dc67131 < fa4c14a82747886d333d8baef0d26da86ba1ccf7 | affected |
| Linux | Linux | e5745f34113b758b45d134dec04a7df94dc67131 < 5858448a6c65d8ee3f8600570d3ce19febcb33be | affected |
| Linux | Linux | e5745f34113b758b45d134dec04a7df94dc67131 < fe546f5c50fc474daca6bee72caa7ab68a74c33d | affected |
| Linux | Linux | e5745f34113b758b45d134dec04a7df94dc67131 < e59a52e429e13df3feb34f4853a8e36d121ed937 | affected |
| Linux | Linux | e5745f34113b758b45d134dec04a7df94dc67131 < 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a | affected |
| Linux | Linux | 5.18 | affected |
| Linux | Linux | 0 < 5.18 | unaffected |
| Linux | Linux | 6.1.162 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.103 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.44 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.4 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/fa4c14a82747886d333d8baef0d26da86ba1ccf7
- https://git.kernel.org/stable/c/5858448a6c65d8ee3f8600570d3ce19febcb33be
- https://git.kernel.org/stable/c/fe546f5c50fc474daca6bee72caa7ab68a74c33d
- https://git.kernel.org/stable/c/e59a52e429e13df3feb34f4853a8e36d121ed937
- https://git.kernel.org/stable/c/3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.