CVE-2025-21727

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.0

Description A use-after-free bug was found in the Linux kernel, specifically in the padata reorder function. This issue can be triggered when the padata find next function is called after the pd object has been freed, leading to a slab-use-after-free error. The bug was identified when running the ltp test, which caused a KASAN error. The issue arises when the padata reorder function loops and the alg is deleted, causing the reference count to decrease to 0 before entering padata find next. To address this issue, it is necessary to ensure that the do serial function is called with BHs disabled and under RCU protection.

Recommendations For Linux kernel versions prior to 6.6.0, to resolve this issue, add synchronize rcu() in the padata free shell function to wait for all do serial calls to finish, ensuring that the pd object is not freed prematurely. As a temporary workaround, consider adding a delay, such as mdelay(10), before calling padata find next in the padata reorder function to reduce the likelihood of the issue occurring. However, this is not a permanent fix and should be replaced with the proper synchronization mechanism.