From: w15303746062@163.com
To: giovanni.cabiddu@intel.com, herbert@gondor.apana.org.au,
davem@davemloft.net
Cc: thorsten.blum@linux.dev, kees@kernel.org, qat-linux@intel.com,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
Date: Fri, 8 May 2026 10:35:42 +0800
Message-ID: <20260508023542.256299-1-w15303746062@163.com>
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
A severe Use-After-Free (UAF) vulnerability, which KASAN detects as a
slab-out-of-bounds access, was identified in the QAT driver's ioctl path.
When handling commands like IOCTL_START_ACCEL_DEV, various functions
retrieve the acceleration device using adf_devmgr_get_dev_by_id().

Currently, this lookup function iterates over the accel_table under
the table_lock. However, once the target device is found, the lock is
dropped and a bare pointer is returned without bumping the device's
reference count.

This creates a critical race condition. If a concurrent thread removes
the device (e.g., via device stop operations or PCIe hotplug) by calling
adf_devmgr_rm_dev(), the device is removed from the list and its memory
is subsequently freed. When the original ioctl thread resumes and attempts
to acquire accel_dev->state_lock inside adf_dev_up(), it triggers a
KASAN panic.

Fix this by acquiring the reference count inside adf_devmgr_get_dev_by_id()
via adf_dev_get() while the table_lock is still held. If adf_dev_get()
fails (e.g., the module is unloading), we safely break the loop and treat
the device as not found. All callers of adf_devmgr_get_dev_by_id() are then
updated to properly release the reference using adf_dev_put() when done.
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
---
.../crypto/intel/qat/qat_common/adf_ctl_drv.c | 16 ++++++++++++++++
.../crypto/intel/qat/qat_common/adf_dev_mgr.c | 18 +++++++++++++++---
2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
index c2e6f0cb7480..0519cc02e634 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
@@ -201,6 +201,10 @@ static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd,
}
set_bit(ADF_STATUS_CONFIGURED, &accel_dev->status);
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
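Review bot: the `if (accel_dev) adf_dev_put(accel_dev);` added under `out:` in adf_ctl_ioctl_dev_config() is only correct if `accel_dev` is NULL on every `goto out` taken before adf_devmgr_get_dev_by_id() has returned; the declaration is outside the hunk, so either initialise it where it is declared (`struct adf_accel_dev *accel_dev = NULL;`) or state in the commit message that the only jumps to `out:` happen after the lookup. Also confirm there is no `return` between the lookup and `out:` that would now leak the reference.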
@@ -278,6 +282,10 @@ static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
adf_ctl_stop_devices(ctl_data->device_id);
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
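Review bot: nothing in the visible context of adf_ctl_ioctl_dev_stop() obtains `accel_dev` from adf_devmgr_get_dev_by_id(); the function stops devices by `ctl_data->device_id`, which may be ADF_CFG_ALL_DEVICES (a case in which no single device is looked up), and the diffstat accounts for all 16 insertions in this file with no new declaration. If the function has no `accel_dev` variable this hunk does not build; if it does, it must be NULL in the all-devices path for the `if (accel_dev)` guard to be right. The two kernel test robot replies in this thread are the first place to check for exactly that.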
@@ -310,6 +318,10 @@ static int adf_ctl_ioctl_dev_start(struct file *fp, unsigned int cmd,
adf_dev_down(accel_dev);
}
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
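Review bot: releasing after adf_dev_down() in the failure branch is the right order, since adf_dev_down() still dereferences `accel_dev`, but the Subject names only adf_ctl_ioctl_dev_start() while this is one of four call sites touched and the real change is in adf_devmgr_get_dev_by_id(); retitle along the lines of "crypto: qat - take a reference in adf_devmgr_get_dev_by_id()" so the scope of the fix is findable, and make sure no `return` between the lookup and `out:` bypasses the new put.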
@@ -360,8 +372,12 @@ static int adf_ctl_ioctl_get_status(struct file *fp, unsigned int cmd,
if (copy_to_user((void __user *)arg, &dev_info,
sizeof(struct adf_dev_status_info))) {
dev_err(&GET_DEV(accel_dev), "failed to copy status.\n");
+ adf_dev_put(accel_dev);
return -EFAULT;
}
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ adf_dev_put(accel_dev);
+
return 0;
}
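Review bot: two adf_dev_put() calls, one before `return -EFAULT` and one before `return 0`, is the pattern the next edit to this function will miss; fold them into a single exit, e.g. `ret = copy_to_user(...) ? -EFAULT : 0;` followed by `adf_dev_put(accel_dev);` and `return ret;` (keeping the dev_err() before the put, as it dereferences `accel_dev`). The earlier `return -ENODEV` on a NULL lookup needs no put.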
diff --git a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
index e050de16ab5d..5e9313d8bacf 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
@@ -320,8 +320,14 @@ struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
struct adf_accel_dev *ptr =
list_entry(itr, struct adf_accel_dev, list);
if (ptr->accel_id == id) {
- mutex_unlock(&table_lock);
- return ptr;
+ /* Increment refcount to prevent UAF during removal.
+ * If adf_dev_get() fails, the module is unloading.
+ */
+ if (adf_dev_get(ptr) == 0) {
+ mutex_unlock(&table_lock);
+ return ptr;
+ }
+ break;
}
}
unlock:
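Review bot: the comment says the reference "prevents UAF during removal", but the same comment and the commit message describe adf_dev_get() as failing only when the module is unloading, and the commit message says the device memory is freed by the removal path after adf_devmgr_rm_dev(), not by the last adf_dev_put(); unless adf_devmgr_rm_dev() or the PCI remove path waits for ref_count to reach zero, a remover that wins the race can still free the struct while a caller holds the reference. State precisely what adf_dev_get() pins, or make the remover honour the count, so the Subject's fix claim matches what this hunk guarantees. Two smaller points: kernel style outside net/ puts `/*` on its own line for multi-line comments, and the function's header comment (if any) should now say that callers must adf_dev_put() the returned device.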
@@ -331,11 +337,17 @@ struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
int adf_devmgr_verify_id(u32 id)
{
+ struct adf_accel_dev *accel_dev;
+
if (id == ADF_CFG_ALL_DEVICES)
return 0;
- if (adf_devmgr_get_dev_by_id(id))
+ accel_dev = adf_devmgr_get_dev_by_id(id);
+ if (accel_dev) {
+ /* Release the reference immediately as we only verify existence */
+ adf_dev_put(accel_dev);
return 0;
+ }
return -ENODEV;
}
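Review bot: the get/put pair turns the answer into a snapshot: the device can be removed the instant adf_dev_put() returns, so callers such as adf_ctl_ioctl_dev_stop() that act on the id afterwards still need their own reference for the duration of that work. Note also the behaviour change: because adf_dev_get() fails for an unloading device, adf_devmgr_verify_id() now returns -ENODEV for a device that is still in the table; probably desired, but it belongs in the commit message.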
--
2.34.1
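As an added example (not code from the QAT driver or from this patch), the lookup/removal interleaving described in the commit message, modelled in plain C so it can be compiled and run outside the kernel: the pre-patch bare-pointer lookup beside the patched refcounted one, a remover standing in for adf_devmgr_rm_dev(), and the "unloading" case in which adf_dev_get() fails and the lookup must report not-found. Every identifier in it is a hypothetical stand-in; in particular dev_put() frees on the last reference, which is an assumption about the real adf_dev_put() that the patch does not state.

```c
/*
 * Added example, not code from the QAT driver or this patch: a single-threaded
 * model of the lookup/removal race and of the refcounted lookup. All names are
 * hypothetical; the table lock is a counter and "freed" is a flag.
 */
#include <stdio.h>
struct dev {
	struct dev *next;
	unsigned int id;
	int refcnt;    /* the table's own reference counts as 1 */
	int unloading; /* set once removal starts; dev_get() then refuses */
	int freed;     /* stands in for kfree(); real freed memory cannot be inspected */
};

static struct dev *dev_table;  /* accel_table analogue */
static int table_locked;       /* table_lock analogue; must be 0 on every return */
static void table_lock(void)   { table_locked++; }
static void table_unlock(void) { table_locked--; }

/* Like adf_dev_get(): refuse to pin a device that is already going away. */
static int dev_get(struct dev *d)
{
	if (d->unloading)
		return -1;
	d->refcnt++;
	return 0;
}

/* Drop one reference; the last one releases the memory (modelled as a flag). */
static void dev_put(struct dev *d)
{
	if (--d->refcnt == 0)
		d->freed = 1;
}

/* Pre-patch shape: a bare pointer is returned after the lock is dropped. */
static struct dev *dev_get_by_id_unsafe(unsigned int id)
{
	struct dev *d;
	table_lock();
	for (d = dev_table; d && d->id != id; d = d->next)
		;
	table_unlock();
	return d;  /* nothing pins *d from here on */
}

/* Patched shape: take the reference while the lock is still held. */
static struct dev *dev_get_by_id(unsigned int id)
{
	struct dev *d;
	table_lock();
	for (d = dev_table; d; d = d->next) {
		if (d->id != id)
			continue;
		if (dev_get(d) == 0) {
			table_unlock();
			return d;
		}
		break;  /* unloading: report "not found" rather than a dying device */
	}
	table_unlock();
	return NULL;
}

/* Remover (adf_devmgr_rm_dev() analogue): unlink, then drop the table's reference. */
static void dev_remove(struct dev *d)
{
	struct dev **pp;
	table_lock();
	d->unloading = 1;
	for (pp = &dev_table; *pp && *pp != d; pp = &(*pp)->next)
		;
	if (*pp)
		*pp = d->next;
	table_unlock();
	dev_put(d);
}

/*
 * The commit message's interleaving: lookup, the remover runs to completion,
 * then the ioctl thread touches its pointer (the state_lock access in adf_dev_up()).
 * Returns 1 for live memory, 0 for freed memory, -1 if the lookup reported
 * "not found", -2 if the table lock was left held.
 */
static int run_race(int refcounted_lookup, int already_unloading)
{
	struct dev d0 = { .id = 0, .refcnt = 1, .unloading = already_unloading };
	struct dev *d;
	int alive;
	dev_table = &d0;
	d = refcounted_lookup ? dev_get_by_id(0) : dev_get_by_id_unsafe(0);
	if (!d) {
		dev_table = NULL;
		return table_locked ? -2 : -1;
	}
	dev_remove(&d0);    /* the remover wins the race */
	alive = !d->freed;
	if (refcounted_lookup)
		dev_put(d); /* the adf_dev_put() the patch adds to each caller */
	dev_table = NULL;
	return table_locked ? -2 : alive;
}

int main(void)
{
	printf("bare: %d  refcounted: %d  refcounted+unloading: %d\n",
	       run_race(0, 0), run_race(1, 0), run_race(1, 1));
	return 0;
}
```

Compile with `cc -Wall` and run: the bare lookup reports 0 (the pointer was used after the remover freed it), the refcounted lookup 1 (the extra reference kept the object alive until the caller's own put), and the unloading case -1 (the lookup refused to hand the device out and left the lock released).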
Thread overview: 3+ messages
2026-05-08 2:35 w15303746062 [this message]
2026-05-10 14:16 ` [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start() kernel test robot
2026-05-11 12:22 ` kernel test robot