Linux Kernel UFS Deadlock Vulnerability in MCQ Event Handling

A deadlock vulnerability has been identified in the Linux kernel's UFS (Universal Flash Storage) driver, specifically within the multi-queue completion (MCQ) event handling. This issue arises when the error handler function, 'ufshcd_err_handler()', is executed. During this process, the completion queue (CQ) event interrupt can become blocked while waiting for the same lock that is currently held, leading to a deadlock situation. The problem occurs in both 'ufshcd_handle_mcq_cq_events()' and 'ufs_mtk_mcq_intr()' functions. The deadlock is caused by improper lock management, where the completion queue lock is used in an interrupt context with interrupts enabled, creating an inconsistent lock state. The warning message generated during this conflict indicates the presence of a deadlock, with the lock acquisition process being interrupted by an incoming interrupt that attempts to acquire the same lock, thus halting the normal execution flow and causing a standstill.

Impact

Exploitation of this vulnerability leads to a deadlock condition, where the system becomes unresponsive due to two processes waiting indefinitely for each other to release locks.

Reproduction

The deadlock can be reproduced by triggering the 'ufshcd_err_handler()' function while the completion queue lock is held. This can be done by generating a situation where an interrupt occurs while the lock is being held, such as during normal operation of the UFS driver when interrupts are enabled. The warning message about the inconsistent lock state will be generated, indicating that the deadlock has occurred.

Remediation

The deadlock issue can be resolved by modifying the lock management. Instead of using the standard spin lock, 'ufshcd_mcq_poll_cqe_lock()' should be used with 'spin_lock_irqsave', which properly manages the lock in the presence of interrupts. This change has been implemented in the latest patch available in the Linux kernel stable tree.