CVE-2025-40130
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix data race in CPU latency PM QoS request handling
The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.
A typical race condition call trace is:
[Thread A] ufshcd_pm_qos_exit() –> cpu_latency_qos_remove_request() –> cpu_latency_qos_apply(); –> pm_qos_update_target() –> plist_del <–(1) delete plist node –> memset(req, 0, sizeof(*req)); –> hba->pm_qos_enabled = false;
[Thread B] ufshcd_devfreq_target –> ufshcd_devfreq_scale –> ufshcd_scale_clks –> ufshcd_pm_qos_update <–(2) pm_qos_enabled is true –> cpu_latency_qos_update_request –> pm_qos_update_target –> plist_del <–(3) plist node use-after-free
Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 2777e73fc154e2e87233bdcc0e2402b33815198e < d9df61afb8d23c475f1be3c714da2c34c156ab01 | affected |
| Linux | Linux | 2777e73fc154e2e87233bdcc0e2402b33815198e < 79dde5f7dc7c038eec903745dc1550cd4139980e | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.17.3 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d9df61afb8d23c475f1be3c714da2c34c156ab01
- https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.