On Fri, Jul 11, 2025 at 01:27:43PM +0100, Giovanni Cabiddu wrote:
> Repeated loading and unloading of a device-specific QAT driver, for
> example qat_4xxx, in a tight loop can lead to a crash due to a
> use-after-free scenario. This occurs when a power management (PM)
> interrupt triggers just before the device-specific driver (e.g.,
> qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
> loaded.
>
> Since the driver uses a shared workqueue (`qat_misc_wq`) across all
> devices and owned by intel_qat.ko, a deferred routine from the
> device-specific driver may still be pending in the queue. If this
> routine executes after the driver is unloaded, it can dereference freed
> memory, resulting in a page fault and kernel crash like the following:
>
> BUG: unable to handle page fault for address: ffa000002e50a01c
> #PF: supervisor read access in kernel mode
> RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
> Call Trace:
>  pm_bh_handler+0x1d2/0x250 [intel_qat]
>  process_one_work+0x171/0x340
>  worker_thread+0x277/0x3a0
>  kthread+0xf0/0x120
>  ret_from_fork+0x2d/0x50
>
> To prevent this, flush the misc workqueue during device shutdown to
> ensure that all pending work items are completed before the driver is
> unloaded.
>
> Note: This approach may slightly increase shutdown latency if the
> workqueue contains jobs from other devices, but it ensures correctness
> and stability.
>
> Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4")
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Ahsan Atta <ahsan.atta@xxxxxxxxx>
> ---
>  drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 +
>  drivers/crypto/intel/qat/qat_common/adf_init.c       | 1 +
>  drivers/crypto/intel/qat/qat_common/adf_isr.c        | 5 +++++
>  3 files changed, 7 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
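The race in the quoted commit message, modelled in user space as an added example (not code from the QAT driver or from this patch): one worker thread drains a queue shared by all "devices", a device's deferred PM handler sits behind another device's job, and the device is torn down either before or after the queue is flushed. The queue, `struct dev`, `other_dev_work` and `shutdown_device` are assumptions of the model; `pm_bh_handler` and `flush_workqueue` borrow the kernel's names but are stand-ins, and the model marks the device state as unloaded instead of freeing it so the check stays well defined.

```c
#include <poll.h>
#include <pthread.h>
#include <stdlib.h>
struct work { void (*fn)(void *); void *arg; struct work *next; }; /* shared queue: stands in for qat_misc_wq */
static struct work *q_head, *q_tail;
static int q_pending; /* items queued or currently running */
static pthread_mutex_t q_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t q_cv = PTHREAD_COND_INITIALIZER; /* signalled on enqueue and on completion */
static void *worker(void *unused) {
    (void)unused;
    pthread_mutex_lock(&q_lock);
    for (;;) {
        while (!q_head) pthread_cond_wait(&q_cv, &q_lock);
        struct work *w = q_head;
        if (!(q_head = w->next)) q_tail = NULL;
        pthread_mutex_unlock(&q_lock);
        w->fn(w->arg); /* runs unlocked, like a kernel work item */
        free(w);
        pthread_mutex_lock(&q_lock);
        if (--q_pending == 0) pthread_cond_broadcast(&q_cv); /* wake flushers */
    }
}
static void queue_work(void (*fn)(void *), void *arg) {
    static pthread_t tid; static int started;
    struct work *w = malloc(sizeof *w);
    w->fn = fn; w->arg = arg; w->next = NULL;
    pthread_mutex_lock(&q_lock);
    if (!started) started = !pthread_create(&tid, NULL, worker, NULL); /* core owns the worker */
    if (q_tail) q_tail->next = w; else q_head = w;
    q_tail = w; q_pending++; pthread_cond_broadcast(&q_cv);
    pthread_mutex_unlock(&q_lock);
}
static void flush_workqueue(void) { /* wait until everything queued so far has run */
    pthread_mutex_lock(&q_lock);
    while (q_pending) pthread_cond_wait(&q_cv, &q_lock);
    pthread_mutex_unlock(&q_lock);
}
struct dev { int unloaded, ran_after_unload; }; /* device state; the real driver frees this on unload */
static void pm_bh_handler(void *arg) { struct dev *d = arg; if (d->unloaded) d->ran_after_unload = 1; }
static void other_dev_work(void *arg) { (void)arg; poll(NULL, 0, 100); } /* keeps the worker busy 100 ms */
static int shutdown_device(int flush_first) { /* returns 1 if the PM handler ran after unload */
    struct dev d = { 0, 0 };
    queue_work(other_dev_work, NULL);   /* another device's item ahead in the shared queue */
    queue_work(pm_bh_handler, &d);      /* PM work deferred just before unload */
    if (flush_first) flush_workqueue(); /* the fix: drain the queue before tearing down */
    d.unloaded = 1;                     /* the real driver frees device memory here */
    flush_workqueue();                  /* only so the outcome can be inspected */
    return d.ran_after_unload;
}
```

`shutdown_device(0)` reproduces the ordering behind the crash (handler runs after teardown) and `shutdown_device(1)` shows the flush closing the window.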