CVE-2025-40001

Root

Cause

The vulnerability resides in the mvsas driver for Marvell SAS/SATA controllers. During device removal, the function mvs_free() calls cancel_delayed_work() to stop a delayed work item (mwq->work_q). However, if that work item is already running on another CPU, cancel_delayed_work() may return before the work function completes. This creates a race condition where mvs_free() can kfree the mvs_info structure while mvs_work_queue() is still executing and subsequently accesses freed memory [CVE description].

Exploitation

Prerequisites

Exploitation requires the attacker to have the ability to trigger a device detach (e.g., via hot-unplug or PCI removal) while the delayed work is executing. No special privileges beyond local access are needed, as the race can be induced through normal device removal operations. The vulnerability was found through static analysis, indicating it is a real but potentially difficult race to trigger in practice [CVE description].

Impact

If the race is won, an attacker can cause a use-after-free condition. This can lead to memory corruption, system crash (denial of service), or, in theory, arbitrary code execution if the freed memory is repurposed with controlled data. The risk is heightened in multi-core environments where the work queue can execute concurrently with the removal path [CVE description].

Mitigation

The fix replaces cancel_delayed_work() with cancel_delayed_work_sync(), which waits for any currently executing work item to finish before returning. This ensures that the mvs_info structure is not freed while the work function is still active. The patch has been applied to the stable kernel tree [1][2][3][4]. Users should update to a kernel containing the fix to prevent this vulnerability.