CVE-2025-39721

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 05/09/2025
Last modified: 25/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - flush misc workqueue during device shutdown

Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded.

Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following:

    BUG: unable to handle page fault for address: ffa000002e50a01c
    #PF: supervisor read access in kernel mode
    RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
    Call Trace:
      pm_bh_handler+0x1d2/0x250 [intel_qat]
      process_one_work+0x171/0x340
      worker_thread+0x277/0x3a0
      kthread+0xf0/0x120
      ret_from_fork+0x2d/0x50

To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded.

Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability.

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.18 (including)   6.6.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)    6.12.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)   6.16.4 (excluding)
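A triage check for the ranges listed above, as an added example that is not part of the original advisory: it compares a `uname -r` string against the three affected ranges and reports whether the core `intel_qat` module is loaded. The function names and result labels are illustrative, and the comparison assumes upstream/stable version numbering (vendor kernels that backport the fix keep an older version string, so confirm against the distribution's own advisory).

```python
import os
import re

# Affected ranges copied from the table above: (from, inclusive), (up to, exclusive).
AFFECTED = [
    ((5, 18, 0), (6, 6, 103)),
    ((6, 7, 0), (6, 12, 44)),
    ((6, 13, 0), (6, 16, 4)),
]


def parse_release(release):
    """Turn a `uname -r` string such as '6.12.10-amd64' into (6, 12, 10)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing patch level ('6.13') is treated as .0
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(release):
    """True if the release falls inside any range from the advisory table."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def qat_loaded(sysfs="/sys/module"):
    """True if the core QAT module (intel_qat, named in the description) is loaded."""
    return os.path.isdir(os.path.join(sysfs, "intel_qat"))


def triage(release, qat_present):
    """Combine version and module state into one label (labels are illustrative)."""
    if not in_affected_range(release):
        return "not-affected"
    if qat_present:
        return "affected-qat-loaded"
    return "affected-range-qat-not-loaded"


if __name__ == "__main__":
    rel = os.uname().release
    print(rel, triage(rel, qat_loaded()))
```

Hosts that report `affected-range-qat-not-loaded` still carry the unfixed code; the crash path described above only becomes reachable once the QAT drivers are loaded.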