Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A data race vulnerability has been identified in the Linux kernel's handling of CPU latency Power Management Quality of Service (PM QoS) requests, specifically within the UFS (Universal Flash Storage) driver. The issue arises because the interfaces for adding, removing, and updating CPU latency QoS requests lack internal synchronization, leaving them vulnerable to concurrent access issues. This flaw has led to data races and corruption of internal data structures. The vulnerability was introduced when CPU latency QoS support was added to the UFS driver, and it has been resolved by implementing a dedicated mutex to synchronize PM QoS operations, ensuring safe access to PM QoS resources and preventing data races.
The vulnerability could be exploited to create a race condition, leading to a use-after-free error. This type of error can cause memory corruption, potentially allowing for arbitrary code execution or other unintended behavior.
The vulnerability can be reproduced by enabling CPU latency QoS for a UFS device and then concurrently removing a QoS request while another thread is updating the QoS status. This can be done by triggering the 'ufshcd_pm_qos_exit' function in one thread, which removes the QoS request, while simultaneously calling 'ufshcd_pm_qos_update' in another thread, leading to a use-after-free condition.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.
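The locking pattern described above, as an added userspace model in C (not the kernel's UFS driver code and not code from the original page): one dedicated mutex covers init, exit and update, so an update can never reach a request that a concurrent exit has already removed. The `model_*` functions, `struct model_hba`, `struct qos_req` and the `stale_hits` counter are hypothetical stand-ins, and a pthread stands in for the second kernel thread.

```c
/* Userspace model of the fix pattern; every name here is hypothetical, not kernel code. */
#include <pthread.h>
#include <stdbool.h>
struct qos_req { bool registered; int value; };   /* stands in for a PM QoS request */
struct model_hba {
    pthread_mutex_t qos_lock;   /* dedicated lock taken by every QoS operation */
    bool qos_enabled;
    struct qos_req req;
    long stale_hits;            /* updates that reached an already-removed request */
};

void model_qos_init(struct model_hba *h) {
    pthread_mutex_lock(&h->qos_lock);
    if (!h->qos_enabled) { h->req.registered = true; h->qos_enabled = true; }   /* "add" */
    pthread_mutex_unlock(&h->qos_lock);
}
void model_qos_exit(struct model_hba *h) {
    pthread_mutex_lock(&h->qos_lock);
    if (h->qos_enabled) { h->req.registered = false; h->qos_enabled = false; }  /* "remove" */
    pthread_mutex_unlock(&h->qos_lock);
}

/* Returns true if the request was updated, false if QoS was already torn down. */
bool model_qos_update(struct model_hba *h, int value) {
    pthread_mutex_lock(&h->qos_lock);
    bool live = h->qos_enabled;          /* check and use happen under the same lock */
    if (live) {
        if (!h->req.registered) h->stale_hits++;   /* the stale access the race would cause */
        h->req.value = value;
    }
    pthread_mutex_unlock(&h->qos_lock);
    return live;
}

static void *toggler(void *arg) {        /* repeated teardown and re-init */
    for (int i = 0; i < 50000; i++) { model_qos_exit(arg); model_qos_init(arg); }
    return NULL;
}

long run_model(void) {
    struct model_hba h = { .qos_lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t t;
    model_qos_init(&h);
    pthread_create(&t, NULL, toggler, &h);
    for (int i = 0; i < 50000; i++) model_qos_update(&h, i & 1);   /* concurrent updater */
    pthread_join(t, NULL);
    return h.stale_hits;                 /* stays 0 while every path holds qos_lock */
}
```

Build with `cc -pthread`. Running the same model under ThreadSanitizer (`-fsanitize=thread`) with the lock calls removed from one function reports the data race on `qos_enabled` and `req`.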