CVE-2026-43415

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend<br /> <br /> In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel<br /> the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,<br /> POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can<br /> still be running while ufshcd_vops_suspend() is executing. When<br /> UFSHCD_CAP_CLK_GATING is not supported, the condition<br /> !hba-&gt;clk_gating.active_reqs is always true, causing ufshcd_update_rtc()<br /> to be executed. Since ufshcd_vops_suspend() typically performs clock<br /> gating operations, executing ufshcd_update_rtc() at that moment triggers<br /> an SError. The kernel panic trace is as follows:<br /> <br /> Kernel panic - not syncing: Asynchronous SError Interrupt<br /> Call trace:<br /> dump_backtrace+0xec/0x128<br /> show_stack+0x18/0x28<br /> dump_stack_lvl+0x40/0xa0<br /> dump_stack+0x18/0x24<br /> panic+0x148/0x374<br /> nmi_panic+0x3c/0x8c<br /> arm64_serror_panic+0x64/0x8c<br /> do_serror+0xc4/0xc8<br /> el1h_64_error_handler+0x34/0x4c<br /> el1h_64_error+0x68/0x6c<br /> el1_interrupt+0x20/0x58<br /> el1h_64_irq_handler+0x18/0x24<br /> el1h_64_irq+0x68/0x6c<br /> ktime_get+0xc4/0x12c<br /> ufshcd_mcq_sq_stop+0x4c/0xec<br /> ufshcd_mcq_sq_cleanup+0x64/0x1dc<br /> ufshcd_clear_cmd+0x38/0x134<br /> ufshcd_issue_dev_cmd+0x298/0x4d0<br /> ufshcd_exec_dev_cmd+0x1a4/0x1c4<br /> ufshcd_query_attr+0xbc/0x19c<br /> ufshcd_rtc_work+0x10c/0x1c8<br /> process_scheduled_works+0x1c4/0x45c<br /> worker_thread+0x32c/0x3e8<br /> kthread+0x120/0x1d8<br /> ret_from_fork+0x10/0x20<br /> <br /> Fix this by moving cancel_delayed_work_sync() before the call to<br /> ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is<br /> fully completed or cancelled at that point.