CVE-2025-40118
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/11/2025
Last modified: 12/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when
device is gone") UBSAN reports:

UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17
index 28 is out of range for type 'pm8001_phy [16]'

on rmmod when using an expander.

For a direct attached device, attached_phy contains the local phy id.
For a device behind an expander, attached_phy contains the remote phy
id, not the local phy id.

I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for a
device behind an expander, attached_phy can be much larger than
pm8001_ha->chip->n_phy (depending on the amount of phys of the
expander).

E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the
ports has an expander connected. The expander has 31 phys with phy ids
0-30.

The pm8001_ha->phy array only contains the phys of the HBA. It does not
contain the phys of the expander. Thus, it is wrong to use attached_phy
to index the pm8001_ha->phy array for a device behind an expander.

Thus, we can only clear phy_attached for devices that are directly
attached.
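
The indexing problem described above, modelled in user-space C as an added example (it is not the kernel patch or the driver's code). The struct and function names are hypothetical stand-ins; the values 8, 16 and 28 are taken from the report, and the extra bound on the local phy id is an assumption added as a defensive check.

```c
#include <stdbool.h>
#include <stdio.h>

#define PHY_ARRAY_LEN 16 /* array size from the UBSAN report: 'pm8001_phy [16]' */
/* Hypothetical, simplified stand-ins for the driver's structures. */
struct model_phy { int phy_attached; };
struct model_hba {
    unsigned int n_phy;                  /* number of local phys on the HBA */
    struct model_phy phy[PHY_ARRAY_LEN];
};

/* True when an unguarded ha->phy[attached_phy] access would leave the array. */
static bool unguarded_index_is_oob(unsigned int attached_phy)
{
    return attached_phy >= PHY_ARRAY_LEN;
}

/* Guarded teardown: clear phy_attached only for a directly attached device. */
static bool dev_gone_clear_phy(struct model_hba *ha, unsigned int attached_phy,
                               bool behind_expander)
{
    /* Behind an expander attached_phy is a remote phy id; also bound the local id. */
    if (behind_expander || attached_phy >= ha->n_phy)
        return false;
    ha->phy[attached_phy].phy_attached = 0;
    return true;
}

/* Attach every local phy, remove one device, return how many stay attached. */
static unsigned int simulate_dev_gone(unsigned int n_phy, unsigned int attached_phy,
                                      bool behind_expander)
{
    struct model_hba ha = { .n_phy = n_phy };
    unsigned int i, still_attached = 0;
    for (i = 0; i < n_phy; i++)
        ha.phy[i].phy_attached = 1;
    dev_gone_clear_phy(&ha, attached_phy, behind_expander);
    for (i = 0; i < n_phy; i++)
        still_attached += ha.phy[i].phy_attached;
    return still_attached;
}

int main(void)
{
    /* Constructed inputs based on the report: 8 local phys, expander phy id 28. */
    printf("direct phy 3:    %u of 8 still attached\n", simulate_dev_gone(8, 3, false));
    printf("expander phy 28: oob=%d, %u of 8 still attached\n",
           unguarded_index_is_oob(28), simulate_dev_gone(8, 28, true));
    return 0;
}
```

For the expander-attached device the guarded path leaves all eight local phys untouched, whereas the unguarded index 28 falls outside the 16-entry array.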
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/251be2f6037fb7ab399f68cd7428ff274133d693
- https://git.kernel.org/stable/c/45acbf154befedd9bc135f5e031fe7855d1e6493
- https://git.kernel.org/stable/c/83ced3c206c292458e47c7fac54223abc7141585
- https://git.kernel.org/stable/c/9326a1541e1b7ed3efdbab72061b82cf01c6477a
- https://git.kernel.org/stable/c/9c671d4dbfbfb0d73cfdfb706afb36d9ad60a582
- https://git.kernel.org/stable/c/d94be0a6ae9ade706d4270e740bdb4f79953a7fc
- https://git.kernel.org/stable/c/e62251954a128a2d0fcbc19e5fa39e08935bb628
- https://git.kernel.org/stable/c/eef5ef400893f8e3dbb09342583be0cdc716d566



