CVE-2025-40115
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
During mpt3sas_transport_port_remove(), messages were logged with dev_printk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.
Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.
[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)
[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff
[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206
[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32
[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845
[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8
[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000
[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30
[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000
[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0
[83428.295844] PKRU: 55555554
[83428.295846] Call Trace:
[83428.295848]
[83428.295850] _dev_printk+0x5c/0x80
[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas]
[83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas]
[83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas]
[83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas]
[83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas]
[83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas]
[83428.295957] pci_device_remove+0x3b/0xb0
[83428.295962] device_release_driver_internal+0x193/0x200
[83428.295968] driver_detach+0x44/0x90
[83428.295971] bus_remove_driver+0x69/0xf0
[83428.295975] pci_unregister_driver+0x2a/0xb0
[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas]
[83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310
[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296000] ? __x64_sys_getdents64+0x9a/0x110
[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296009] ? syscall_trace_enter+0xf6/0x1b0
[83428.296014] do_syscall_64+0x7b/0x2c0
[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5
[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e
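A triage check for the crash shown above, as an added example that is not part of the CVE record or the kernel patch: it scans kernel log text for oops reports whose faulting symbol is __dev_printk and whose reliable call-trace frames include mpt3sas_transport_port_remove [mpt3sas]. The signature is taken from the oops on this page; the function names, the regular expressions and the second sample report are assumptions made for illustration.

```python
import re

# "RIP: 0010:__dev_printk+0x1f/0x70" -> faulting symbol
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# "] [? ]symbol+0xoff/0xlen [module]" -> one call-trace frame
FRAME_RE = re.compile(r"\]\s+(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?\s*$")

# The first 4 lines are excerpted from the oops on this page; the last 4 are a
# constructed report in which the mpt3sas frame appears only as a "?" guess.
SAMPLE_LOG = """\
[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI
[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70
[83428.295850] _dev_printk+0x5c/0x80
[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[90000.000001] Oops: general protection fault, constructed example: 0000 [#2] SMP NOPTI
[90000.000002] RIP: 0010:__dev_printk+0x1f/0x70
[90000.000003] ? mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas]
[90000.000004] example_remove+0x10/0x40 [example_mod]
"""

def split_reports(lines):
    """Group log lines into oops reports, each starting at an 'Oops:' line."""
    reports = []
    for line in lines:
        if "] Oops:" in line:
            reports.append([])
        if reports:
            reports[-1].append(line)
    return reports

def parse_report(report):
    """Return (faulting symbol, [(symbol, module)] for reliable frames only)."""
    rip, frames = None, []
    for line in report:
        m = RIP_RE.search(line)
        if m and rip is None:
            rip = m.group(1)
        m = FRAME_RE.search(line)
        if m and not m.group(1):  # skip "? " frames: the unwinder is unsure of them
            frames.append((m.group(2), m.group(3)))
    return rip, frames

def matches_signature(report):
    rip, frames = parse_report(report)
    return rip == "__dev_printk" and ("mpt3sas_transport_port_remove", "mpt3sas") in frames

def scan(log_text):  # timestamps of the reports that match the signature
    reports = split_reports(log_text.splitlines())
    return [r[0].split("]")[0].lstrip("[") for r in reports if matches_signature(r)]
```

A match identifies a crash with the same shape as the one in this record; it does not by itself establish which kernel build is running or whether the fix commits are present.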
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in mpt3sas driver crashes the kernel when removing a SAS transport port, due to logging via a possibly already-freed device structure.
Vulnerability
In the Linux kernel's mpt3sas SCSI driver, a null pointer dereference occurs in mpt3sas_transport_port_remove() because the function uses dev_printk() to log messages against &mpt3sas_port->port->dev. At the time of port removal, the SAS transport device may already be partially unregistered or completely freed. The kernel crash log shows a general protection fault at __dev_printk+0x1f/0x70, confirming that the struct device pointer is invalid [1].
Exploitation
An attacker with the ability to trigger a SAS transport port removal—for instance, by physically removing a SAS device or by sending specific SCSI commands in a privileged context—can cause the driver to attempt logging through a stale device pointer. This does not require remote network access but does require local access or the ability to trigger device removal events. The crash occurs synchronously during the removal process, leading to a denial-of-service condition through a kernel NULL pointer dereference [1].
Impact
Successful exploitation results in a kernel crash, causing a denial of service (DoS) on the affected system. The attacker gains no code execution or privilege escalation, but the crash renders the system unavailable until reboot. The crash is reproducible as shown in the provided kernel oops report (CPU 145, PID 113296, during rmmod of the driver) [1].
Mitigation
The fix replaces dev_printk() calls with ioc_info(), which logs via the PCI device (ioc->pdev->dev). The PCI device remains valid until the driver is fully removed, preventing use-after-free scenarios [1]. The patch has been applied to the mainline kernel and backported to stable branches (commits 970ceb1bdc3d, 4e1442bae50e, b3a6d153861d) [1][2][3]. Users should update their kernel to the latest patched version to eliminate this crash vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
- b3a6d153861d
- 4e1442bae50e
- a89253eb4e64
- fa153fb40c61
- 6459dba4f350
- 1fd39e14d47d
- 970ceb1bdc3d
- 1703fe4f8ae5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1703fe4f8ae50d1fb6449854e1fcaed1053e3a14 (nvd)
- git.kernel.org/stable/c/1fd39e14d47d9b4965dd5c9cff16e64ba3e71a62 (nvd)
- git.kernel.org/stable/c/4e1442bae50ed633c2fe8058f47cd79b4ad88b9b (nvd)
- git.kernel.org/stable/c/6459dba4f35017448535a799cf699d5205eb5489 (nvd)
- git.kernel.org/stable/c/970ceb1bdc3d6c2af9245d6eca38606e74fcb6b8 (nvd)
- git.kernel.org/stable/c/a89253eb4e648deace48a4e38996afd182eb95e3 (nvd)
- git.kernel.org/stable/c/b3a6d153861d0f29b80882470d14aafb8d687dc2 (nvd)
- git.kernel.org/stable/c/fa153fb40c61f8ca01237427c97a0b93ba32c403 (nvd)