CVE-2025-21726

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 27/02/2025
Last modified: 24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it
can not avoid potential UAF issue for reorder_work. This issue can
happen just as below:

crypto_request                  crypto_request          crypto_del_alg
padata_do_serial
  ...
  padata_reorder
    // processes all remaining
    // requests then breaks
    while (1) {
      if (!padata)
        break;
      ...
    }

                                padata_do_serial
                                  // new request added
                                  list_add
    // sees the new request
    queue_work(reorder_work)
                                  padata_reorder
                                    queue_work_on(squeue->work)
...

                                padata_serial_worker
                                // completes new request,
                                // no more outstanding
                                // requests

                                                        crypto_del_alg
                                                          // free pd

invoke_padata_reorder
  // UAF of pd

To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
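The reference-counting pattern the description names (take a 'pd' reference before queuing 'reorder_work', drop it when the work finishes) can be modelled in userspace. This is an added example, not the kernel patch or code from this advisory; the struct, the function names and the single-threaded replay of the interleaving are all hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only; all names are hypothetical, not kernel symbols. */
struct pd_model {
    int refcnt;        /* owner holds 1, a queued work item holds 1 */
    bool work_pending; /* models reorder_work sitting on serial_wq */
};
static int live_pds;   /* allocated and not yet freed */

static struct pd_model *pd_alloc(void) {
    struct pd_model *pd = calloc(1, sizeof(*pd));
    if (pd) { pd->refcnt = 1; live_pds++; }
    return pd;
}
static void pd_get(struct pd_model *pd) { pd->refcnt++; }
static void pd_put(struct pd_model *pd) {
    if (--pd->refcnt == 0) { live_pds--; free(pd); }
}

/* Take the ref before the work is visible; return it if already queued. */
static void queue_reorder_work(struct pd_model *pd) {
    pd_get(pd);
    if (pd->work_pending) { pd_put(pd); return; }
    pd->work_pending = true;
}

/* Worker body: touches pd, then drops the reference taken at queue time. */
static void run_reorder_work(struct pd_model *pd) {
    pd->work_pending = false;
    pd_put(pd);
}

/* Description's ordering: queue work, owner frees pd, worker runs last. */
bool replay_free_before_worker(void) {
    struct pd_model *pd = pd_alloc();
    if (!pd) return false;
    queue_reorder_work(pd);
    queue_reorder_work(pd);              /* duplicate must not leak a ref */
    pd_put(pd);                          /* owner's "free pd" */
    bool alive_for_worker = (live_pds == 1);
    run_reorder_work(pd);                /* a UAF without the get above */
    return alive_for_worker && live_pds == 0;
}

int main(void) {
    return replay_free_before_worker() ? 0 : 1;
}
```

Removing the pd_get() call in queue_reorder_work() makes the owner's pd_put() free the object before the worker touches it, which is the ordering the description marks as "UAF of pd".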

Vulnerable products and versions

CPE                                              From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.4.19 (including)   5.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5.3 (including)    5.10.235 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)     5.15.79 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)     6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)      6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)      6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13 (including)     6.13.2 (excluding)