From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9611A3EFD2D for ; Fri, 8 May 2026 14:24:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250285; cv=none; b=NN2sKWdNx1C8r8jDxsq6FhUg48q+EdQ+FEO5lUFXDP1AOGMblPhxBULUefkU9bWfyjz2xXybcjocyTiFT1xyeE4gk/1uruUuCwYnqt5CmYkWWMAlG7XVyZqH5wQfDN4J0qgeywRzSQCm5Pm39CET8GPY3b0IrtiKCE6SnEyof+A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250285; c=relaxed/simple; bh=G4t6fh9KXfeSPum0KNCCa+knM3ssHpI5DFl291Q/oQ4=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=HJEsnQpkNQc9KzOpJEhFiRY4RoEof1b4GN4Jh3aViHgIBWagJzxY/HstqHNSFPrMW4ZlW7XuSXLS4NeRpb0eVLk9ODKJCF0njPTuoy6pUFx8HcCj8TsC/K0hvRoi8R7MuuXfmfj1Poy3/Y8eVRqgMOaAWsW04Mp6SnU6zrfn7WU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Z84uI4ix; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Z84uI4ix" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DB9DCC2BCB0; Fri, 8 May 2026 14:24:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250285; bh=G4t6fh9KXfeSPum0KNCCa+knM3ssHpI5DFl291Q/oQ4=; h=From:To:Cc:Subject:Date:Reply-To:From; b=Z84uI4ixFhB1dPIh5Hwzzn8xj0LBR2a3U415crCFTccbnuIHp2rhY79VOARWMqLzv iuad4YLciB6OwMxID72bmvFFt9pWYNQfAK2ovJl528mETCeiyn87SlQrp+zmHua5J5 LXrqJm9jP0IFc4tmHjLniTdLZkjGAiBaMHJLdmpY= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43415: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend Date: Fri, 8 May 2026 16:22:24 +0200 Message-ID: <2026050845-CVE-2026-43415-bc74@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4030; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=dsgqyqU7BPVvthCujUXK7S1b45QNts2Rb6xKBKgMQAA=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P1bGGRzfvOvvRdH+iDN3b/c+cXaZoD3rW5jX/PMTG Vv3MWQt7YhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJKDUxzK97+K7mpIPAmdjH pit1Bc/fu55weRHDgrVb7md571c/08++sT3jwGPrMt2XGgA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point. The Linux kernel CVE team has assigned CVE-2026-43415 to this issue. Affected and fixed versions =========================== Issue introduced in 6.6.81 with commit 06701a545e9a3c4e007cff6872a074bf97c40619 and fixed in 6.6.130 with commit a6a894413b043704b77a6294c379c93b1477e48d Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.12.78 with commit 2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69 Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.18.19 with commit b17211b512cbf0e07de27e1932428ee6c20df910 Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 6.19.9 with commit c387a8f1d3713f6b0415ece8485042d0f134b91a Issue introduced in 6.8 with commit 6bf999e0eb41850d5c857102535d5c53b2ede224 and fixed in 7.0 with commit b0bd84c39289ef6a6c3827dd52c875659291970a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43415 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/ufs/core/ufshcd.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69 https://git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910 https://git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a