DEBIAN-CVE-2025-40130

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpulatencyqosadd/remove/updaterequest interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pmqosenabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A typical race condition call trace is: [Thread A] ufshcdpmqosexit() --> cpulatencyqosremoverequest() --> cpulatencyqosapply(); --> pmqosupdatetarget() --> plistdel <--(1) delete plist node --> memset(req, 0, sizeof(*req)); --> hba->pmqosenabled = false; [Thread B] ufshcddevfreqtarget --> ufshcddevfreqscale --> ufshcdscaleclks --> ufshcdpmqosupdate <--(2) pmqosenabled is true --> cpulatencyqosupdaterequest --> pmqosupdatetarget --> plist_del <--(3) plist node use-after-free Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.