CVE-2025-40130

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

The cpu_latency_qos_add/remove/update_request interfaces lack internal
synchronization by design, requiring the caller to ensure thread safety.
The current implementation relies on the ‘pm_qos_enabled’ flag, which is
insufficient to prevent concurrent access and cannot serve as a proper
synchronization mechanism. This has led to data races and list
corruption issues.

A typical race condition call trace is:

[Thread A]
ufshcd_pm_qos_exit()
  --> cpu_latency_qos_remove_request()
    --> cpu_latency_qos_apply();
      --> pm_qos_update_target()
        --> plist_del              <--(1) delete plist node
    --> memset(req, 0, sizeof(*req));
  --> hba->pm_qos_enabled = false;

[Thread B]
ufshcd_devfreq_target
  --> ufshcd_devfreq_scale
    --> ufshcd_scale_clks
      --> ufshcd_pm_qos_update     <--(2) pm_qos_enabled is true
        --> cpu_latency_qos_update_request
          --> pm_qos_update_target
            --> plist_del          <--(3) plist node use-after-free

Introduces a dedicated mutex to serialize PM QoS operations, preventing
data races and ensuring safe access to PM QoS resources, including sysfs
interface reads.

More information: https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e
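
The (2), (1), (3) ordering from the trace, replayed deterministically in a userspace C model. This is an added example, not the kernel patch: the struct, list and function names are hypothetical stand-ins, and a pthread mutex stands in for the kernel mutex.

```c
/* Userspace model of the race; all names are hypothetical, not kernel code. */
#include <pthread.h>
#include <stdbool.h>
#include <string.h>

struct node { struct node *prev, *next; int value; };  /* stands in for the plist node */
struct hba { struct node head, req; bool pm_qos_enabled; pthread_mutex_t pm_qos_mutex; };

static void hba_init(struct hba *h) {
    memset(h, 0, sizeof(*h));
    pthread_mutex_init(&h->pm_qos_mutex, NULL);
    h->head.prev = h->head.next = &h->req;   /* request is linked into the list */
    h->req.prev = h->req.next = &h->head;
    h->pm_qos_enabled = true;
}
/* Thread A's exit path: unlink, zero the request, then clear the flag. */
static void qos_exit(struct hba *h) {
    h->req.prev->next = h->req.next;
    h->req.next->prev = h->req.prev;
    memset(&h->req, 0, sizeof(h->req));
    h->pm_qos_enabled = false;
}
/* Update body: 1 = updated, -1 = would unlink a node that is already gone. */
static int qos_update(struct hba *h, int v) {
    if (!h->req.prev || !h->req.next) return -1;
    h->req.value = v;
    return 1;
}
/* Flag only: B checks the flag (2), A exits (1), B acts on the stale node (3). */
static int flag_only_replay(void) {
    struct hba h; hba_init(&h);
    bool seen = h.pm_qos_enabled;            /* check and act are separated */
    qos_exit(&h);
    return seen ? qos_update(&h, 1) : 0;
}
/* Mutex: check and act share one critical section, so B cannot enter mid-exit. */
static int mutex_replay(void) {
    struct hba h; int r = 0; hba_init(&h);
    pthread_mutex_lock(&h.pm_qos_mutex);                         /* A starts exit */
    if (pthread_mutex_trylock(&h.pm_qos_mutex) == 0) return -2;  /* B got in: broken */
    qos_exit(&h);
    pthread_mutex_unlock(&h.pm_qos_mutex);
    pthread_mutex_lock(&h.pm_qos_mutex);                         /* B runs after A */
    if (h.pm_qos_enabled) r = qos_update(&h, 1);
    pthread_mutex_unlock(&h.pm_qos_mutex);
    return r;
}
int main(void) { return !(flag_only_replay() == -1 && mutex_replay() == 0); }
```

In the flag-only replay the update reaches the zeroed request; with the check and the update under one lock, the late caller sees the cleared flag and skips the update.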