VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40130


Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.

A typical race condition call trace is:

[Thread A]
ufshcd_pm_qos_exit()
  --> cpu_latency_qos_remove_request()
    --> cpu_latency_qos_apply();
      --> pm_qos_update_target()
        --> plist_del                <--(1) delete plist node
  --> memset(req, 0, sizeof(*req));
  --> hba->pm_qos_enabled = false;

[Thread B]
ufshcd_devfreq_target
  --> ufshcd_devfreq_scale
    --> ufshcd_scale_clks
      --> ufshcd_pm_qos_update       <--(2) pm_qos_enabled is true
        --> cpu_latency_qos_update_request
          --> pm_qos_update_target
            --> plist_del            <--(3) plist node use-after-free

The fix introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.
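The flag-only pattern beside the mutex fix, as an added C model that is not kernel code: it replays the trace above deterministically against the unsynchronized pattern, then runs an updater thread against exit under a dedicated mutex. The struct layout, function names and the dead_touches counter are constructed stand-ins for the driver's hba, the cpu_latency_qos_* calls and the plist node.

```c
/* Simplified model of the UFS PM QoS race and its mutex fix; added example, not kernel code. */
#include <pthread.h>
#include <stdbool.h>
#include <string.h>
struct qos_request { int value; bool linked; };  /* linked: node is still in the plist */
struct hba {
    struct qos_request req; bool pm_qos_enabled; int dead_touches;
    pthread_mutex_t pm_qos_mutex;  /* the dedicated lock the fix introduces */
};
/* Stand-ins for cpu_latency_qos_*: unsynchronized by design, the caller must serialize. */
static void qos_remove_request(struct qos_request *r) { memset(r, 0, sizeof(*r)); }
static int qos_update_request(struct qos_request *r, int v)
{
    if (!r->linked) return -1;     /* in the kernel this is the plist use-after-free */
    r->value = v; return 0;
}
/* Unpatched pattern replayed in trace order: B reads the flag, A removes the node and clears the flag, B updates. */
static int unpatched_interleaving_demo(void)
{
    struct hba h = { .req = { .linked = true }, .pm_qos_enabled = true };
    bool enabled = h.pm_qos_enabled;                     /* (2) B: pm_qos_enabled is true */
    qos_remove_request(&h.req);                          /* (1) A: plist node deleted */
    h.pm_qos_enabled = false;                            /*     A: flag cleared too late */
    if (enabled && qos_update_request(&h.req, 100) < 0) h.dead_touches++;  /* (3) B: dead node */
    return h.dead_touches;                               /* 1 */
}
/* Patched pattern: flag check and update form one critical section, and exit takes the same
 * mutex, so an update can never run against a request that exit has already torn down. */
static void patched_update(struct hba *h, int v)
{
    pthread_mutex_lock(&h->pm_qos_mutex);
    if (h->pm_qos_enabled && qos_update_request(&h->req, v) < 0) h->dead_touches++;
    pthread_mutex_unlock(&h->pm_qos_mutex);
}
static void patched_exit(struct hba *h)
{
    pthread_mutex_lock(&h->pm_qos_mutex);
    if (h->pm_qos_enabled) { qos_remove_request(&h->req); h->pm_qos_enabled = false; }
    pthread_mutex_unlock(&h->pm_qos_mutex);
}
/* One thread updating while another exits; returns dead-node touches, always 0 under the lock. */
static void *updater(void *p) { for (int i = 0; i < 10000; i++) patched_update(p, i); return NULL; }
static int patched_concurrent_demo(void)
{
    struct hba h = { .req = { .linked = true }, .pm_qos_enabled = true,
                     .pm_qos_mutex = PTHREAD_MUTEX_INITIALIZER };
    pthread_t t; pthread_create(&t, NULL, updater, &h);
    patched_exit(&h);
    pthread_join(t, NULL);
    return h.dead_touches;
}
```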

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A data race in the Linux kernel's UFS driver PM QoS request handling can cause list corruption and use-after-free.

Vulnerability

Description

The Linux kernel's UFS (Universal Flash Storage) core driver contains a data race vulnerability in its CPU latency PM QoS request handling. The cpu_latency_qos_add/remove/update_request interfaces are intentionally unsynchronized, requiring callers to manage thread safety. However, the UFS driver relied solely on a pm_qos_enabled flag, which is insufficient to prevent concurrent access to PM QoS resources [1]. This leads to situations where one thread may remove and zero out a request structure while another thread attempts to update it, causing list corruption and use-after-free [1].

Exploitation

Scenario

An attacker would need to trigger a race condition between two kernel threads: one calling ufshcd_pm_qos_exit() (which removes a PM QoS request and sets pm_qos_enabled = false), and another calling ufshcd_pm_qos_update through the ufshcd_devfreq_target path (which checks pm_qos_enabled and then attempts to update the request) [1]. The window is small, but successful exploitation could allow the attacker to corrupt kernel memory. No special privileges beyond basic system access are required, as the driver is accessible when the UFS device is in use.

Impact

A successful data race can cause a use-after-free or double-free condition in the plist node used for PM QoS management. This may lead to system crashes (denial of service) or, in more severe cases, memory corruption that could be leveraged for privilege escalation [1]. The integrity of the kernel's PM QoS subsystem is compromised, potentially affecting device power management and performance.

Mitigation

The fix introduces a dedicated mutex to serialize all PM QoS operations in the UFS driver, preventing concurrent accesses [1]. This patch has been applied to the Linux kernel stable tree. Users should update to a kernel version that includes commit d9df61afb8d23c475f1be3c714da2c34c156ab01. No workarounds are available for unpatched kernels.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
