ghsa-95p9-9rrc-wpx4
Vulnerability from github
Published: 2025-11-12 12:30
Modified: 2025-11-12 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.

A typical race condition call trace is:

[Thread A]
ufshcd_pm_qos_exit()
  --> cpu_latency_qos_remove_request()
    --> cpu_latency_qos_apply();
      --> pm_qos_update_target()
        --> plist_del              <--(1) delete plist node
    --> memset(req, 0, sizeof(*req));
  --> hba->pm_qos_enabled = false;

[Thread B]
ufshcd_devfreq_target
  --> ufshcd_devfreq_scale
    --> ufshcd_scale_clks
      --> ufshcd_pm_qos_update     <--(2) pm_qos_enabled is true
        --> cpu_latency_qos_update_request
          --> pm_qos_update_target
            --> plist_del          <--(3) plist node use-after-free

Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.
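The defect in the trace is a check-then-act: Thread B reads pm_qos_enabled, finds it true, and acts on the request's list node, while nothing stops Thread A from unlinking and zeroing that node between the check and the act. The following is an added example, not kernel code and not taken from the GHSA record or the kernel patch: it models the two threads as short sequences of atomic steps and enumerates every interleaving, once with only the flag as a guard and once with the flag check and the list operation serialized by a mutex. The struct fields, step names and the assumption that the fixed path tests the flag under the same mutex are all hypothetical stand-ins for hba->pm_qos_enabled, the request's plist node and the mutex the fix introduces.

```c
/*
 * Added example, not kernel code: a deterministic interleaving model of the
 * race described in the commit message. Thread A models ufshcd_pm_qos_exit(),
 * thread B models ufshcd_pm_qos_update() reached from devfreq scaling. Each
 * thread is a short list of atomic steps; explore() walks every interleaving
 * and reports whether B can ever run plist_del on a request node that A has
 * already unlinked and zeroed. Field and step names are hypothetical stand-ins
 * for the kernel's hba / pm_qos_request state.
 */
#include <stdbool.h>
#include <stdio.h>

struct model {
    bool enabled;        /* hba->pm_qos_enabled */
    bool node_on_list;   /* req->node is linked into the PM QoS plist */
    bool req_zeroed;     /* memset(req, 0, sizeof(*req)) has run */
    bool lock_a, lock_b; /* holder of the added mutex (fixed variant only) */
    bool stale_access;   /* B operated on an unlinked or zeroed node */
};

enum step {
    A_LOCK, A_PLIST_DEL, A_MEMSET, A_SET_DISABLED, A_UNLOCK,
    B_LOCK, B_CHECK_ENABLED, B_PLIST_DEL, B_UNLOCK,
};

#define MAX_STEPS 5
struct prog { int n; enum step s[MAX_STEPS]; };

/* Apply one atomic step. Returns false if the step is blocked on the mutex. */
static bool apply(struct model *m, enum step s, bool *b_bailed)
{
    switch (s) {
    case A_LOCK:         if (m->lock_b) return false; m->lock_a = true; break;
    case A_UNLOCK:       m->lock_a = false; break;
    case A_PLIST_DEL:    m->node_on_list = false; break;           /* (1) */
    case A_MEMSET:       m->req_zeroed = true; break;
    case A_SET_DISABLED: m->enabled = false; break;
    case B_LOCK:         if (m->lock_a) return false; m->lock_b = true; break;
    case B_UNLOCK:       m->lock_b = false; break;
    case B_CHECK_ENABLED:                                           /* (2) */
        if (!m->enabled) *b_bailed = true;  /* ufshcd_pm_qos_update returns early */
        break;
    case B_PLIST_DEL:                                               /* (3) */
        if (*b_bailed) break;
        if (!m->node_on_list || m->req_zeroed) m->stale_access = true;
        break;
    }
    return true;
}

/* Depth-first enumeration of all interleavings of a and b. */
static bool explore(struct model m, const struct prog *a, int ia,
                    const struct prog *b, int ib, bool b_bailed)
{
    if (ia == a->n && ib == b->n)
        return m.stale_access;
    bool found = false;
    if (ia < a->n) {
        struct model next = m; bool bb = b_bailed;
        if (apply(&next, a->s[ia], &bb))
            found |= explore(next, a, ia + 1, b, ib, bb);
    }
    if (ib < b->n) {
        struct model next = m; bool bb = b_bailed;
        if (apply(&next, b->s[ib], &bb))
            found |= explore(next, a, ia, b, ib + 1, bb);
    }
    return found;
}

static bool can_race(const struct prog *a, const struct prog *b)
{
    struct model init = { .enabled = true, .node_on_list = true };
    return explore(init, a, 0, b, 0, false);
}

/* Before the fix: pm_qos_enabled is the only "guard". */
bool flag_guard_can_race(void)
{
    struct prog a = { 3, { A_PLIST_DEL, A_MEMSET, A_SET_DISABLED } };
    struct prog b = { 2, { B_CHECK_ENABLED, B_PLIST_DEL } };
    return can_race(&a, &b);
}

/* After the fix (assumed): flag check and list update both run under one mutex. */
bool mutex_guard_can_race(void)
{
    struct prog a = { 5, { A_LOCK, A_PLIST_DEL, A_MEMSET, A_SET_DISABLED, A_UNLOCK } };
    struct prog b = { 4, { B_LOCK, B_CHECK_ENABLED, B_PLIST_DEL, B_UNLOCK } };
    return can_race(&a, &b);
}

int main(void)
{
    printf("flag-only guard: stale plist_del %s\n",
           flag_guard_can_race() ? "reachable" : "not reachable");
    printf("mutex guard    : stale plist_del %s\n",
           mutex_guard_can_race() ? "reachable" : "not reachable");
    return 0;
}
```

The flag-only variant finds the exact schedule numbered (1), (2), (3) in the trace: A unlinks the node, B still observes enabled == true, B calls plist_del on the dead node. In the mutex variant the enumerator cannot reach that state, because B either holds the lock before A starts (and then operates on a live node) or acquires it after A has cleared the flag (and then bails out). The point the model makes concrete is that a boolean written after the teardown cannot protect the teardown itself; the check and the use must be inside the same critical section.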



{
  "affected": [],
  "aliases": [
    "CVE-2025-40130"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:42Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix data race in CPU latency PM QoS request handling\n\nThe cpu_latency_qos_add/remove/update_request interfaces lack internal\nsynchronization by design, requiring the caller to ensure thread safety.\nThe current implementation relies on the \u0027pm_qos_enabled\u0027 flag, which is\ninsufficient to prevent concurrent access and cannot serve as a proper\nsynchronization mechanism. This has led to data races and list\ncorruption issues.\n\nA typical race condition call trace is:\n\n[Thread A]\nufshcd_pm_qos_exit()\n  --\u003e cpu_latency_qos_remove_request()\n    --\u003e cpu_latency_qos_apply();\n      --\u003e pm_qos_update_target()\n        --\u003e plist_del              \u003c--(1) delete plist node\n    --\u003e memset(req, 0, sizeof(*req));\n  --\u003e hba-\u003epm_qos_enabled = false;\n\n[Thread B]\nufshcd_devfreq_target\n  --\u003e ufshcd_devfreq_scale\n    --\u003e ufshcd_scale_clks\n      --\u003e ufshcd_pm_qos_update     \u003c--(2) pm_qos_enabled is true\n        --\u003e cpu_latency_qos_update_request\n          --\u003e pm_qos_update_target\n            --\u003e plist_del          \u003c--(3) plist node use-after-free\n\nIntroduces a dedicated mutex to serialize PM QoS operations, preventing\ndata races and ensuring safe access to PM QoS resources, including sysfs\ninterface reads.",
  "id": "GHSA-95p9-9rrc-wpx4",
  "modified": "2025-11-12T12:30:27Z",
  "published": "2025-11-12T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40130"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9df61afb8d23c475f1be3c714da2c34c156ab01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

