Message-ID: <2025090552-CVE-2025-39721-0b5c@gregkh>
Date: Fri,  5 Sep 2025 19:21:34 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39721: crypto: qat - flush misc workqueue during device shutdown

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - flush misc workqueue during device shutdown

Repeated loading and unloading of a device specific QAT driver, for
example qat_4xxx, in a tight loop can lead to a crash due to a
use-after-free scenario. This occurs when a power management (PM)
interrupt triggers just before the device-specific driver (e.g.,
qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
loaded.

Since the driver uses a shared workqueue (`qat_misc_wq`) across all
devices and owned by intel_qat.ko, a deferred routine from the
device-specific driver may still be pending in the queue. If this
routine executes after the driver is unloaded, it can dereference freed
memory, resulting in a page fault and kernel crash like the following:

    BUG: unable to handle page fault for address: ffa000002e50a01c
    #PF: supervisor read access in kernel mode
    RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
    Call Trace:
      pm_bh_handler+0x1d2/0x250 [intel_qat]
      process_one_work+0x171/0x340
      worker_thread+0x277/0x3a0
      kthread+0xf0/0x120
      ret_from_fork+0x2d/0x50

To prevent this, flush the misc workqueue during device shutdown to
ensure that all pending work items are completed before the driver is
unloaded.

Note: This approach may slightly increase shutdown latency if the
workqueue contains jobs from other devices, but it ensures correctness
and stability.

The Linux kernel CVE team has assigned CVE-2025-39721 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.18 with commit e5745f34113b758b45d134dec04a7df94dc67131 and fixed in 6.6.103 with commit 5858448a6c65d8ee3f8600570d3ce19febcb33be
	Issue introduced in 5.18 with commit e5745f34113b758b45d134dec04a7df94dc67131 and fixed in 6.12.44 with commit fe546f5c50fc474daca6bee72caa7ab68a74c33d
	Issue introduced in 5.18 with commit e5745f34113b758b45d134dec04a7df94dc67131 and fixed in 6.16.4 with commit e59a52e429e13df3feb34f4853a8e36d121ed937
	Issue introduced in 5.18 with commit e5745f34113b758b45d134dec04a7df94dc67131 and fixed in 6.17-rc1 with commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-39721
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/crypto/intel/qat/qat_common/adf_common_drv.h
	drivers/crypto/intel/qat/qat_common/adf_init.c
	drivers/crypto/intel/qat/qat_common/adf_isr.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5858448a6c65d8ee3f8600570d3ce19febcb33be
	https://git.kernel.org/stable/c/fe546f5c50fc474daca6bee72caa7ab68a74c33d
	https://git.kernel.org/stable/c/e59a52e429e13df3feb34f4853a8e36d121ed937
	https://git.kernel.org/stable/c/3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a

Powered by blists - more mailing lists