* [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
@ 2026-05-08 2:35 w15303746062
2026-05-10 14:16 ` kernel test robot
2026-05-11 12:22 ` kernel test robot
0 siblings, 2 replies; 3+ messages in thread
From: w15303746062 @ 2026-05-08 2:35 UTC (permalink / raw)
To: giovanni.cabiddu, herbert, davem
Cc: thorsten.blum, kees, qat-linux, linux-crypto, linux-kernel,
Mingyu Wang
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
A severe Use-After-Free (UAF) vulnerability, which KASAN detects as a
slab-out-of-bounds access, was identified in the QAT driver's ioctl path.
When handling commands like IOCTL_START_ACCEL_DEV, various functions
retrieve the acceleration device using adf_devmgr_get_dev_by_id().
Currently, this lookup function iterates over the accel_table under
the table_lock. However, once the target device is found, the lock is
dropped and a bare pointer is returned without bumping the device's
reference count.
This creates a critical race condition. If a concurrent thread removes
the device (e.g., via device stop operations or PCIe hotplug) by calling
adf_devmgr_rm_dev(), the device is removed from the list and its memory
is subsequently freed. When the original ioctl thread resumes and attempts
to acquire accel_dev->state_lock inside adf_dev_up(), it triggers a
KASAN panic.
Fix this by acquiring the reference count inside adf_devmgr_get_dev_by_id()
via adf_dev_get() while the table_lock is still held. If adf_dev_get()
fails (e.g., the module is unloading), we safely break the loop and treat
the device as not found. All callers of adf_devmgr_get_dev_by_id() are then
updated to properly release the reference using adf_dev_put() when done.
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
---
.../crypto/intel/qat/qat_common/adf_ctl_drv.c | 16 ++++++++++++++++
.../crypto/intel/qat/qat_common/adf_dev_mgr.c | 18 +++++++++++++++---
2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
index c2e6f0cb7480..0519cc02e634 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
@@ -201,6 +201,10 @@ static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd,
}
set_bit(ADF_STATUS_CONFIGURED, &accel_dev->status);
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
@@ -278,6 +282,10 @@ static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
adf_ctl_stop_devices(ctl_data->device_id);
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
@@ -310,6 +318,10 @@ static int adf_ctl_ioctl_dev_start(struct file *fp, unsigned int cmd,
adf_dev_down(accel_dev);
}
out:
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ if (accel_dev)
+ adf_dev_put(accel_dev);
+
kfree(ctl_data);
return ret;
}
@@ -360,8 +372,12 @@ static int adf_ctl_ioctl_get_status(struct file *fp, unsigned int cmd,
if (copy_to_user((void __user *)arg, &dev_info,
sizeof(struct adf_dev_status_info))) {
dev_err(&GET_DEV(accel_dev), "failed to copy status.\n");
+ adf_dev_put(accel_dev);
return -EFAULT;
}
+ /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
+ adf_dev_put(accel_dev);
+
return 0;
}
diff --git a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
index e050de16ab5d..5e9313d8bacf 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c
@@ -320,8 +320,14 @@ struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
struct adf_accel_dev *ptr =
list_entry(itr, struct adf_accel_dev, list);
if (ptr->accel_id == id) {
- mutex_unlock(&table_lock);
- return ptr;
+ /* Increment refcount to prevent UAF during removal.
+ * If adf_dev_get() fails, the module is unloading.
+ */
+ if (adf_dev_get(ptr) == 0) {
+ mutex_unlock(&table_lock);
+ return ptr;
+ }
+ break;
}
}
unlock:
@@ -331,11 +337,17 @@ struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id)
int adf_devmgr_verify_id(u32 id)
{
+ struct adf_accel_dev *accel_dev;
+
if (id == ADF_CFG_ALL_DEVICES)
return 0;
- if (adf_devmgr_get_dev_by_id(id))
+ accel_dev = adf_devmgr_get_dev_by_id(id);
+ if (accel_dev) {
+ /* Release the reference immediately as we only verify existence */
+ adf_dev_put(accel_dev);
return 0;
+ }
return -ENODEV;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
2026-05-08 2:35 [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start() w15303746062
@ 2026-05-10 14:16 ` kernel test robot
2026-05-11 12:22 ` kernel test robot
1 sibling, 0 replies; 3+ messages in thread
From: kernel test robot @ 2026-05-10 14:16 UTC (permalink / raw)
To: w15303746062, giovanni.cabiddu, herbert, davem
Cc: oe-kbuild-all, thorsten.blum, kees, qat-linux, linux-crypto,
linux-kernel, Mingyu Wang
Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on herbert-cryptodev-2.6/master]
[also build test ERROR on herbert-crypto-2.6/master linus/master v7.1-rc2 next-20260508]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/w15303746062-163-com/crypto-qat-fix-Use-After-Free-in-adf_ctl_ioctl_dev_start/20260510-110441
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link: https://lore.kernel.org/r/20260508023542.256299-1-w15303746062%40163.com
patch subject: [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20260510/202605102206.HtfQ4iA9-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260510/202605102206.HtfQ4iA9-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605102206.HtfQ4iA9-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c: In function 'adf_ctl_ioctl_dev_stop':
>> drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:286:13: error: 'accel_dev' undeclared (first use in this function); did you mean 'adf_accel_dev'?
286 | if (accel_dev)
| ^~~~~~~~~
| adf_accel_dev
drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:286:13: note: each undeclared identifier is reported only once for each function it appears in
vim +286 drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
255
256 static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
257 unsigned long arg)
258 {
259 int ret;
260 struct adf_user_cfg_ctl_data *ctl_data;
261
262 ctl_data = adf_ctl_alloc_resources(arg);
263 if (IS_ERR(ctl_data))
264 return PTR_ERR(ctl_data);
265
266 if (adf_devmgr_verify_id(ctl_data->device_id)) {
267 pr_err("QAT: Device %d not found\n", ctl_data->device_id);
268 ret = -ENODEV;
269 goto out;
270 }
271
272 ret = adf_ctl_is_device_in_use(ctl_data->device_id);
273 if (ret)
274 goto out;
275
276 if (ctl_data->device_id == ADF_CFG_ALL_DEVICES)
277 pr_info("QAT: Stopping all acceleration devices.\n");
278 else
279 pr_info("QAT: Stopping acceleration device qat_dev%d.\n",
280 ctl_data->device_id);
281
282 adf_ctl_stop_devices(ctl_data->device_id);
283
284 out:
285 /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
> 286 if (accel_dev)
287 adf_dev_put(accel_dev);
288
289 kfree(ctl_data);
290 return ret;
291 }
292
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
2026-05-08 2:35 [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start() w15303746062
2026-05-10 14:16 ` kernel test robot
@ 2026-05-11 12:22 ` kernel test robot
1 sibling, 0 replies; 3+ messages in thread
From: kernel test robot @ 2026-05-11 12:22 UTC (permalink / raw)
To: w15303746062, giovanni.cabiddu, herbert, davem
Cc: llvm, oe-kbuild-all, thorsten.blum, kees, qat-linux, linux-crypto,
linux-kernel, Mingyu Wang
Hi,
kernel test robot noticed the following build errors:
[auto build test ERROR on herbert-cryptodev-2.6/master]
[also build test ERROR on herbert-crypto-2.6/master linus/master v7.1-rc3 next-20260508]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/w15303746062-163-com/crypto-qat-fix-Use-After-Free-in-adf_ctl_ioctl_dev_start/20260510-110441
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link: https://lore.kernel.org/r/20260508023542.256299-1-w15303746062%40163.com
patch subject: [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start()
config: loongarch-randconfig-001-20260510 (https://download.01.org/0day-ci/archive/20260511/202605112040.jcfTlYZH-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 5bac06718f502014fade905512f1d26d578a18f3)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260511/202605112040.jcfTlYZH-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605112040.jcfTlYZH-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:286:6: error: use of undeclared identifier 'accel_dev'
286 | if (accel_dev)
| ^~~~~~~~~
drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c:287:15: error: use of undeclared identifier 'accel_dev'
287 | adf_dev_put(accel_dev);
| ^~~~~~~~~
2 errors generated.
vim +/accel_dev +286 drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c
255
256 static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
257 unsigned long arg)
258 {
259 int ret;
260 struct adf_user_cfg_ctl_data *ctl_data;
261
262 ctl_data = adf_ctl_alloc_resources(arg);
263 if (IS_ERR(ctl_data))
264 return PTR_ERR(ctl_data);
265
266 if (adf_devmgr_verify_id(ctl_data->device_id)) {
267 pr_err("QAT: Device %d not found\n", ctl_data->device_id);
268 ret = -ENODEV;
269 goto out;
270 }
271
272 ret = adf_ctl_is_device_in_use(ctl_data->device_id);
273 if (ret)
274 goto out;
275
276 if (ctl_data->device_id == ADF_CFG_ALL_DEVICES)
277 pr_info("QAT: Stopping all acceleration devices.\n");
278 else
279 pr_info("QAT: Stopping acceleration device qat_dev%d.\n",
280 ctl_data->device_id);
281
282 adf_ctl_stop_devices(ctl_data->device_id);
283
284 out:
285 /* Release the reference acquired by adf_devmgr_get_dev_by_id() */
> 286 if (accel_dev)
287 adf_dev_put(accel_dev);
288
289 kfree(ctl_data);
290 return ret;
291 }
292
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-11 12:23 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 2:35 [PATCH] crypto: qat - fix Use-After-Free in adf_ctl_ioctl_dev_start() w15303746062
2026-05-10 14:16 ` kernel test robot
2026-05-11 12:22 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox