In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix data race in CPU latency PM QoS request handling
The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the pm_qos_enabled flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues.
A typical race condition call trace is:
[Thread A]
ufshcd_pm_qos_exit()
  cpu_latency_qos_remove_request()
    cpu_latency_qos_apply()
      pm_qos_update_target()
        plist_del                         <-(1) delete plist node
    memset(req, 0, sizeof(*req));
  hba->pm_qos_enabled = false;

[Thread B]
ufshcd_devfreq_target
  ufshcd_devfreq_scale
    ufshcd_scale_clks
      ufshcd_pm_qos_update                <-(2) pm_qos_enabled is true
        cpu_latency_qos_update_request
          pm_qos_update_target
            plist_del                     <-(3) plist node use-after-free
The fix introduces a dedicated mutex that serializes all PM QoS operations on the host controller (init, exit and update, including reads through the sysfs interface), so the enabled flag and the request are only ever checked and modified together under the lock, preventing the data race and the resulting list corruption.
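As an added illustration (not kernel code and not part of the advisory), the following userspace pthread model reproduces the pattern the trace describes: a flag-only guard that a teardown path and an update path both consult without synchronization, next to the same two paths serialized by a dedicated mutex. The `model_*` functions, `hba_model` fields and the `touched_after_remove` counter are hypothetical stand-ins for the ufshcd helpers named above; the counter stands in for the use-after-free at step (3).

```c
/* Added example, not kernel code: userspace model of the flag-only guard and
 * of the mutex-serialized fix. All names here are hypothetical stand-ins. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct qos_request {
    bool linked;   /* models the plist node being on the constraint list */
    int value;     /* models the requested latency bound */
};

struct hba_model {
    struct qos_request req;
    bool pm_qos_enabled;
    pthread_mutex_t pm_qos_lock;  /* the dedicated mutex the fix adds */
    int touched_after_remove;     /* updates that reached an unlinked request */
};

static void model_lock(struct hba_model *hba, bool serialized)
{
    if (serialized)
        pthread_mutex_lock(&hba->pm_qos_lock);
}

static void model_unlock(struct hba_model *hba, bool serialized)
{
    if (serialized)
        pthread_mutex_unlock(&hba->pm_qos_lock);
}

/* init stand-in: link the request and raise the flag */
static void model_pm_qos_init(struct hba_model *hba)
{
    memset(hba, 0, sizeof(*hba));
    pthread_mutex_init(&hba->pm_qos_lock, NULL);
    hba->req.linked = true;
    hba->pm_qos_enabled = true;
}

/* exit stand-in: (1) unlink and clear the request, then drop the flag.
 * Unserialized, an updater can still see the flag true after step (1). */
static void model_pm_qos_exit(struct hba_model *hba, bool serialized)
{
    model_lock(hba, serialized);
    if (hba->pm_qos_enabled) {
        hba->req.linked = false;                  /* plist_del */
        memset(&hba->req, 0, sizeof(hba->req));   /* memset(req, 0, ...) */
        hba->pm_qos_enabled = false;
    }
    model_unlock(hba, serialized);
}

/* update stand-in; returns true when the update was applied */
static bool model_pm_qos_update(struct hba_model *hba, int value, bool serialized)
{
    bool applied = false;
    model_lock(hba, serialized);
    if (hba->pm_qos_enabled) {                    /* (2) flag check */
        if (!hba->req.linked)
            hba->touched_after_remove++;          /* (3) modelled use-after-free */
        hba->req.value = value;
        applied = true;
    }
    model_unlock(hba, serialized);
    return applied;
}

struct race_args { struct hba_model *hba; int iters; bool serialized; };

static void *updater(void *p)
{
    struct race_args *a = p;
    for (int i = 0; i < a->iters; i++)
        model_pm_qos_update(a->hba, i, a->serialized);
    return NULL;
}

/* Thread B hammers updates while thread A tears the request down. Returns how
 * many updates touched an unlinked request; the serialized path always gives 0. */
int model_run_race(bool serialized, int iters)
{
    struct hba_model hba;
    pthread_t tb;
    model_pm_qos_init(&hba);
    struct race_args a = { &hba, iters, serialized };
    pthread_create(&tb, NULL, updater, &a);
    model_pm_qos_exit(&hba, serialized);          /* thread A */
    pthread_join(tb, NULL);
    pthread_mutex_destroy(&hba.pm_qos_lock);
    return hba.touched_after_remove;
}

/* Once exit has run, a serialized update is refused instead of touching
 * the cleared request. */
bool model_update_refused_after_exit(void)
{
    struct hba_model hba;
    model_pm_qos_init(&hba);
    model_pm_qos_exit(&hba, true);
    bool applied = model_pm_qos_update(&hba, 100, true);
    pthread_mutex_destroy(&hba.pm_qos_lock);
    return !applied;
}

int main(void)
{
    printf("flag-only guard:  %d updates hit a removed request\n",
           model_run_race(false, 200000));
    printf("mutex-serialized: %d updates hit a removed request\n",
           model_run_race(true, 200000));
    return 0;
}
```

The count for the flag-only path varies between runs (the window between steps (1) and (2) is narrow, so it is often small or zero on a given machine), which is exactly why a flag cannot stand in for a lock; the serialized path is zero on every run because the flag and the request are only ever read and written together under `pm_qos_lock`. On glibc 2.34 and later no extra `-lpthread` is needed; older toolchains require it.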