CVE-2026-43415: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

Linux kernel CVE announcements
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-43415: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
Date: Fri,  8 May 2026 16:22:24 +0200	[thread overview]
Message-ID: <2026050845-CVE-2026-43415-bc74@gregkh> (raw)

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel
the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,
POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can
still be running while ufshcd_vops_suspend() is executing. When
UFSHCD_CAP_CLK_GATING is not supported, the condition
!hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()
to be executed. Since ufshcd_vops_suspend() typically performs clock
gating operations, executing ufshcd_update_rtc() at that moment triggers
an SError. The kernel panic trace is as follows:

Kernel panic - not syncing: Asynchronous SError Interrupt
Call trace:
 dump_backtrace+0xec/0x128
 show_stack+0x18/0x28
 dump_stack_lvl+0x40/0xa0
 dump_stack+0x18/0x24
 panic+0x148/0x374
 nmi_panic+0x3c/0x8c
 arm64_serror_panic+0x64/0x8c
 do_serror+0xc4/0xc8
 el1h_64_error_handler+0x34/0x4c
 el1h_64_error+0x68/0x6c
 el1_interrupt+0x20/0x58
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x68/0x6c
 ktime_get+0xc4/0x12c
 ufshcd_mcq_sq_stop+0x4c/0xec
 ufshcd_mcq_sq_cleanup+0x64/0x1dc
 ufshcd_clear_cmd+0x38/0x134
 ufshcd_issue_dev_cmd+0x298/0x4d0
 ufshcd_exec_dev_cmd+0x1a4/0x1c4
 ufshcd_query_attr+0xbc/0x19c
 ufshcd_rtc_work+0x10c/0x1c8
 process_scheduled_works+0x1c4/0x45c
 worker_thread+0x32c/0x3e8
 kthread+0x120/0x1d8
 ret_from_fork+0x10/0x20

Fix this by moving cancel_delayed_work_sync() before the call to
ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is
fully completed or cancelled at that point.

The Linux kernel CVE team has assigned CVE-2026-43415 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.6.81 with commit 06701a545e9a3c4e007cff6872a074bf97c40619 and fixed in 6.6.130 with commit a6a894413b043704b77a6294c379c93b1477e48d
	Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.12.78 with commit 2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69
	Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.18.19 with commit b17211b512cbf0e07de27e1932428ee6c20df910
	Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.19.9 with commit c387a8f1d3713f6b0415ece8485042d0f134b91a
	Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 7.0 with commit b0bd84c39289ef6a6c3827dd52c875659291970a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43415
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/ufs/core/ufshcd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d
	https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69
	https://git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910
	https://git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a
	https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a

                 reply	other threads:[~2026-05-08 14:24 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026050845-CVE-2026-43415-bc74@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=cve@kernel.org \
    --cc=gregkh@kernel.org \
    --cc=linux-cve-announce@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox