CVE-2025-40130

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.

A typical race condition call trace is:

[Thread A] ufshcd_pm_qos_exit() –> cpu_latency_qos_remove_request() –> cpu_latency_qos_apply(); –> pm_qos_update_target() –> plist_del <–(1) delete plist node –> memset(req, 0, sizeof(*req)); –> hba->pm_qos_enabled = false;

[Thread B] ufshcd_devfreq_target –> ufshcd_devfreq_scale –> ufshcd_scale_clks –> ufshcd_pm_qos_update <–(2) pm_qos_enabled is true –> cpu_latency_qos_update_request –> pm_qos_update_target –> plist_del <–(3) plist node use-after-free

Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2777e73fc154e2e87233bdcc0e2402b33815198e < d9df61afb8d23c475f1be3c714da2c34c156ab01affected
LinuxLinux2777e73fc154e2e87233bdcc0e2402b33815198e < 79dde5f7dc7c038eec903745dc1550cd4139980eaffected
LinuxLinux6.9affected
LinuxLinux0 < 6.9unaffected
LinuxLinux6.17.3 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References