CVE-2025-40001

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.

A typical race condition is illustrated below:

CPU 0 (remove) | CPU 1 (delayed work callback) mvs_pci_remove() | mvs_free() | mvs_work_queue() cancel_delayed_work() | kfree(mvi) | | mvi-> // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.

This bug was found by static analysis.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < a6f68f219d4d4b92d7c781708d4afc4cc42961ecaffected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < aacd1777d4a795c387a20b9ca776e2c1225d05d7affected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < 6ba7e73cafd155a5d3abf560d315f0bab2b9d89faffected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < c2c35cb2a31844f84f21ab364b38b4309d756d42affected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < 3c90f583d679c81a5a607a6ae0051251b6dee35baffected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < 00d3af40b158ebf7c7db2b3bbb1598a54bf28127affected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < feb946d2fc9dc754bf3d594d42cd228860ff8647affected
LinuxLinux20b09c2992fefbe78f8cede7b404fb143a413c52 < 60cd16a3b7439ccb699d0bf533799eeb894fd217affected
LinuxLinux2.6.31affected
LinuxLinux0 < 2.6.31unaffected
LinuxLinux5.4.301 <= 5.4.*unaffected
LinuxLinux5.10.246 <= 5.10.*unaffected
LinuxLinux5.15.195 <= 5.15.*unaffected
LinuxLinux6.1.157 <= 6.1.*unaffected
LinuxLinux6.6.113 <= 6.6.*unaffected
LinuxLinux6.12.54 <= 6.12.*unaffected
LinuxLinux6.17.4 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References