Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's Intel QAT (QuickAssist Technology) driver in kernel versions that predate the fix. The issue arises when a power management interrupt fires just before a device-specific QAT driver is unloaded while the core driver remains loaded. The device-specific driver queues deferred work on a shared workqueue managed by the core driver, so a deferred routine can still be pending when the device-specific driver is gone. If that routine runs after the unload, it accesses the driver's freed memory, which causes a page fault and crashes the kernel. The condition can be reproduced by repeatedly loading and unloading the device-specific QAT driver in a tight loop until a power management interrupt lands in that window.
Triggering this vulnerability crashes the kernel: the deferred routine dereferences freed memory, the kernel cannot handle the resulting page fault, and the system goes down. A crash of this kind disrupts everything running on the host, so the practical impact is a denial of service.
To reproduce this vulnerability, load a device-specific QAT driver such as qat_4xxx, unload it, and repeat the cycle in a tight loop. The bug triggers when a power management interrupt arrives just before the driver is fully unloaded while the core QAT driver stays loaded: the deferred routine then executes after the driver has been unloaded, producing the use-after-free.
The fix changes the driver to flush the shared workqueue during device shutdown, so every pending work item completes before the driver is unloaded and the deferred routine can no longer run against freed memory. Users should update to the latest version of the Linux kernel where this fix has been applied.
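The ordering bug and its fix are easier to see in a small user-space model than in the driver itself. The following C program is an added example, not code from the Linux kernel or the QAT driver: a pthread worker stands in for the core driver's shared workqueue, the `accel_dev` struct stands in for the device-specific driver's per-device state, and "unloading" is modelled by flipping an atomic flag rather than freeing memory, so the stale access can be counted instead of crashing the process. `run_unload(false)` reproduces the original shutdown order (PM work queued, device state torn down, work runs late); `run_unload(true)` applies the fix, draining the queue before teardown. All names and timings here are the example's own assumptions.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical per-device state of the device-specific driver. A real driver kfree()s
 * it on unload; here "unloaded" is an atomic flag so a stale access is counted, not fatal. */
struct accel_dev { atomic_bool alive; atomic_int pm_events; };

/* Minimal model of the core driver's shared workqueue: one worker thread, one pending
 * slot, and a count of items that are queued or still running. */
struct workqueue {
    pthread_mutex_t lock; pthread_cond_t cv;
    void (*fn)(struct accel_dev *); struct accel_dev *dev;
    bool pending, stop; int in_flight;
    pthread_t worker;
};
static atomic_int stale_accesses;   /* deferred routine touched an unloaded device */

static void *worker_main(void *arg)
{
    struct workqueue *wq = arg;
    for (;;) {
        pthread_mutex_lock(&wq->lock);
        while (!wq->pending && !wq->stop)
            pthread_cond_wait(&wq->cv, &wq->lock);
        if (!wq->pending) { pthread_mutex_unlock(&wq->lock); return NULL; } /* drained, stopped */
        void (*fn)(struct accel_dev *) = wq->fn; struct accel_dev *dev = wq->dev;
        wq->pending = false;
        pthread_mutex_unlock(&wq->lock);
        fn(dev);                             /* run outside the lock, as a kernel worker does */
        pthread_mutex_lock(&wq->lock);
        wq->in_flight--;
        pthread_cond_broadcast(&wq->cv);     /* wake a flusher waiting for the drain */
        pthread_mutex_unlock(&wq->lock);
    }
}

static struct workqueue *create_workqueue(void)
{
    struct workqueue *wq = calloc(1, sizeof *wq);
    pthread_mutex_init(&wq->lock, NULL);
    pthread_cond_init(&wq->cv, NULL);
    pthread_create(&wq->worker, NULL, worker_main, wq);
    return wq;
}

static void queue_work(struct workqueue *wq, void (*fn)(struct accel_dev *), struct accel_dev *dev)
{
    pthread_mutex_lock(&wq->lock);
    wq->fn = fn; wq->dev = dev; wq->pending = true; wq->in_flight++;
    pthread_cond_broadcast(&wq->cv);
    pthread_mutex_unlock(&wq->lock);
}

static void flush_workqueue(struct workqueue *wq)   /* the fix: wait until nothing is queued or running */
{
    pthread_mutex_lock(&wq->lock);
    while (wq->in_flight > 0)
        pthread_cond_wait(&wq->cv, &wq->lock);
    pthread_mutex_unlock(&wq->lock);
}

static void destroy_workqueue(struct workqueue *wq)
{
    pthread_mutex_lock(&wq->lock);
    wq->stop = true; pthread_cond_broadcast(&wq->cv);
    pthread_mutex_unlock(&wq->lock);
    pthread_join(wq->worker, NULL);
    free(wq);
}

/* Deferred PM routine. The sleep models interrupt-to-work latency, the window in which
 * an unload can slip in; in the kernel the stale branch is the page fault. */
static void pm_deferred_work(struct accel_dev *dev)
{
    usleep(50000);
    atomic_fetch_add(atomic_load(&dev->alive) ? &dev->pm_events : &stale_accesses, 1);
}
struct unload_result { int stale; int completed; };

/* One load/unload cycle with a PM interrupt arriving just before the unload. */
struct unload_result run_unload(bool flush_before_free)
{
    atomic_store(&stale_accesses, 0);
    struct workqueue *shared_wq = create_workqueue();  /* core driver stays loaded */
    struct accel_dev dev;
    atomic_init(&dev.alive, true); atomic_init(&dev.pm_events, 0);
    queue_work(shared_wq, pm_deferred_work, &dev);     /* PM interrupt defers its work */
    if (flush_before_free)
        flush_workqueue(shared_wq);                    /* fixed shutdown: drain first */
    atomic_store(&dev.alive, false);                   /* device-specific driver unloads */
    destroy_workqueue(shared_wq);   /* join so the outcome is observable in this model */
    return (struct unload_result){ atomic_load(&stale_accesses), atomic_load(&dev.pm_events) };
}

int main(void)
{
    struct unload_result a = run_unload(false), b = run_unload(true);
    printf("without flush: stale=%d; with flush: stale=%d completed=%d\n", a.stale, b.stale, b.completed);
    return 0;
}
```

Build with `cc -pthread model.c` and run it: the unflushed cycle reports one stale access, the flushed cycle reports none and one completed PM event. The point the model makes is that the shutdown path must own the lifetime of any work that still references the device, and that this holds even when the queue belongs to a longer-lived component such as the core driver; in the kernel the real `flush_workqueue()` API plays the role that the model's `flush_workqueue` plays here. A kernel built with KASAN would report the unflushed ordering as a use-after-free before it turns into an unhandled page fault.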