Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's UFS driver, specifically within the UFS host controller driver (ufshcd). This vulnerability occurs during the UFS suspend process, where the cancellation of a scheduled work task (ufs_rtc_update_work) is improperly timed. The issue arises because the work cancellation is executed after a function call that initiates the suspend process, allowing the work task to potentially interfere with the suspension, especially when certain clock gating capabilities are not supported. This mismanagement can trigger an asynchronous SError, causing a kernel panic. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability leads to a kernel panic caused by an asynchronous SError interrupt. The panic trace indicates that normal kernel operation is disrupted: critical processes are halted and an error state is triggered, which destabilizes the system.
The vulnerability can be reproduced by initiating a suspend operation in the UFS host controller driver while the UFS RTC update work is still scheduled to run. This can be done by manually suspending the UFS controller without first cancelling the RTC update work, particularly in a scenario where UFS clock gating is not supported, allowing the RTC update to execute and trigger the SError.
The vulnerability has been addressed by modifying the order of operations in the suspend process. The UFS RTC work cancellation is now performed before initiating the suspend, ensuring that any scheduled work is properly handled and cannot interfere with the suspension process.
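The ordering problem and its fix described above, as a small userspace C model added here for illustration (it is not kernel code and not the patch itself). The names host, timer_fires, suspend_faults and faulting_schedules are hypothetical, and the model assumes suspend reduces to two steps: cancelling the queued work and powering the controller down.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model; every name is hypothetical and none of this is kernel code. */
struct host {
    bool powered;      /* device registers are reachable only while true */
    bool rtc_pending;  /* the periodic RTC update work is queued */
    int  faults;       /* device accesses made after power-down */
};

/* Timer expiry: if the RTC work is still queued it runs and touches the
 * device. It re-arms itself afterwards, so rtc_pending stays set. */
static void timer_fires(struct host *h)
{
    if (h->rtc_pending && !h->powered)
        h->faults++;   /* stands in for the SError on the real system */
}

/* One suspend. Bit i of fire_mask makes the timer expire at point i:
 * 0 = before suspend, 1 = between the two steps, 2 = after suspend. */
static int suspend_faults(bool cancel_first, unsigned fire_mask)
{
    struct host h = { .powered = true, .rtc_pending = true, .faults = 0 };
    for (int step = 0; step < 3; step++) {
        if (fire_mask & (1u << step))
            timer_fires(&h);
        if (step == 2)
            break;
        if ((step == 0) == cancel_first)
            h.rtc_pending = false;  /* cancel the queued work */
        else
            h.powered = false;      /* power the controller down */
    }
    return h.faults;
}

/* Number of timer schedules (out of 8) in which the work hits a dead device. */
int faulting_schedules(bool cancel_first)
{
    int bad = 0;
    for (unsigned mask = 0; mask < 8; mask++)
        bad += suspend_faults(cancel_first, mask) > 0;
    return bad;
}

int main(void)
{
    printf("faulting schedules: cancel last %d/8, cancel first %d/8\n", faulting_schedules(false), faulting_schedules(true));
    return 0;
}
```

With cancellation last, every schedule in which the timer expires between the two steps faults; with cancellation first, no schedule does.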