scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

Summary

CVE	CVE-2026-43415
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-08 15:16:53 UTC
Updated	2026-05-12 14:10:27 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.

Risk And Classification

EPSS: 0.000180000 probability, percentile 0.049210000 (date 2026-05-11)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 06701a545e9a3c4e007cff6872a074bf97c40619 a6a894413b043704b77a6294c379c93b1477e48d git	Not specified
CNA	Linux	Linux	affected 6bf999e0eb41850d5c857102535d5c53b2ede224 2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69 git	Not specified
CNA	Linux	Linux	affected 6bf999e0eb41850d5c857102535d5c53b2ede224 b17211b512cbf0e07de27e1932428ee6c20df910 git	Not specified
CNA	Linux	Linux	affected 6bf999e0eb41850d5c857102535d5c53b2ede224 c387a8f1d3713f6b0415ece8485042d0f134b91a git	Not specified
CNA	Linux	Linux	affected 6bf999e0eb41850d5c857102535d5c53b2ede224 b0bd84c39289ef6a6c3827dd52c875659291970a git	Not specified
CNA	Linux	Linux	affected 6.8	Not specified
CNA	Linux	Linux	unaffected 6.8 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.19 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.9 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.