CVE-2025-40001
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.
A typical race condition is illustrated below:
CPU 0 (remove) | CPU 1 (delayed work callback) mvs_pci_remove() | mvs_free() | mvs_work_queue() cancel_delayed_work() | kfree(mvi) | | mvi-> // UAF
Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.
This bug was found by static analysis.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < a6f68f219d4d4b92d7c781708d4afc4cc42961ec | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < aacd1777d4a795c387a20b9ca776e2c1225d05d7 | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < 6ba7e73cafd155a5d3abf560d315f0bab2b9d89f | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < c2c35cb2a31844f84f21ab364b38b4309d756d42 | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < 3c90f583d679c81a5a607a6ae0051251b6dee35b | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < 00d3af40b158ebf7c7db2b3bbb1598a54bf28127 | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < feb946d2fc9dc754bf3d594d42cd228860ff8647 | affected |
| Linux | Linux | 20b09c2992fefbe78f8cede7b404fb143a413c52 < 60cd16a3b7439ccb699d0bf533799eeb894fd217 | affected |
| Linux | Linux | 2.6.31 | affected |
| Linux | Linux | 0 < 2.6.31 | unaffected |
| Linux | Linux | 5.4.301 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.246 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.195 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.157 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.113 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.54 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.4 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/a6f68f219d4d4b92d7c781708d4afc4cc42961ec
- https://git.kernel.org/stable/c/aacd1777d4a795c387a20b9ca776e2c1225d05d7
- https://git.kernel.org/stable/c/6ba7e73cafd155a5d3abf560d315f0bab2b9d89f
- https://git.kernel.org/stable/c/c2c35cb2a31844f84f21ab364b38b4309d756d42
- https://git.kernel.org/stable/c/3c90f583d679c81a5a607a6ae0051251b6dee35b
- https://git.kernel.org/stable/c/00d3af40b158ebf7c7db2b3bbb1598a54bf28127
- https://git.kernel.org/stable/c/feb946d2fc9dc754bf3d594d42cd228860ff8647
- https://git.kernel.org/stable/c/60cd16a3b7439ccb699d0bf533799eeb894fd217
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.