Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2025-40001

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
18/10/2025
Last modified:
19/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to access the already-freed mvs_info.

A typical race condition is illustrated below:

    CPU 0 (remove)            | CPU 1 (delayed work callback)
    mvs_pci_remove()          |
      mvs_free()              | mvs_work_queue()
        cancel_delayed_work() |
          kfree(mvi)          |
                              |   mvi-> // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work item completes before the mvs_info is deallocated.

This bug was found by static analysis.
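The interleaving in the table can be replayed deterministically in user space. The following is an added example, not code from the advisory, the mvsas driver or the kernel: it is a single-threaded model in which every type and function name is hypothetical, the "free" is a flag rather than a real deallocation, and the two cancel functions only mimic the non-waiting and waiting behaviour of cancel_delayed_work() and cancel_delayed_work_sync().

```c
/* Single-threaded model of the race; all names are hypothetical, not mvsas code. */
#include <stdbool.h>
#include <stdio.h>
enum wstate { W_IDLE, W_PENDING, W_RUNNING };
struct owner {                /* stands in for struct mvs_info */
    bool freed;               /* set instead of calling free(): no real UAF here */
    int uaf_hits;             /* callback accesses observed after the "free" */
};
struct work { enum wstate state; struct owner *o; };

/* Rest of the callback body: it dereferences the owner, then returns. */
static void callback_finish(struct work *w) {
    if (w->o->freed)
        w->o->uaf_hits++;     /* in the driver this is the mvi-> access */
    w->state = W_IDLE;
}

/* Models cancel_delayed_work(): dequeues a pending item, never waits. */
static bool model_cancel(struct work *w) {
    bool was_pending = (w->state == W_PENDING);
    if (was_pending)
        w->state = W_IDLE;
    return was_pending;       /* false when the callback is already running */
}

/* Models cancel_delayed_work_sync(): also waits for a running callback. */
static bool model_cancel_sync(struct work *w) {
    bool was_pending = model_cancel(w);
    if (w->state == W_RUNNING)
        callback_finish(w);   /* the "wait": callback returns before we do */
    return was_pending;
}

/* Replays the remove path from the table for a given starting work state. */
static int replay_remove(enum wstate start, bool use_sync) {
    struct owner o = { false, 0 };
    struct work w = { start, &o };
    if (use_sync) model_cancel_sync(&w); else model_cancel(&w);
    o.freed = true;           /* CPU 0: kfree(mvi) */
    if (w.state == W_RUNNING)
        callback_finish(&w);  /* CPU 1: callback resumes and touches mvi */
    return o.uaf_hits;
}

int main(void) {
    printf("%d %d %d\n", replay_remove(W_RUNNING, false),
           replay_remove(W_RUNNING, true), replay_remove(W_PENDING, false));
    return 0;
}
```

The pending case shows why the non-waiting cancel appears to work most of the time: the stale access only occurs when the callback has already started before the remove path runs.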

Impact