CVE-2025-40259

Vulnerability

In the Linux kernel's SCSI generic (sg) driver, the function sg_finish_rem_req() calls blk_rq_unmap_user() calls blk_rq_unmap_user(), which may sleep. However, the caller was invoking this function with interrupts disabled, violating the rule that sleeping functions must not be called in atomic context. This could lead to a kernel BUG or deadlock.

Exploitation

An attacker with local access and the ability to issue SCSI generic ioctl commands could trigger this code path. The vulnerability is reachable through normal use of the sg driver, which is commonly used for sending SCSI commands from userspace. No special privileges beyond access to the sg device are required.

Impact

If triggered, the kernel would enter an invalid state, likely resulting in a system crash (kernel BUG) or a deadlock, causing a denial of service (DoS). There is no indication of memory corruption or privilege escalation.

Mitigation

The fix, committed to the Linux kernel stable tree, moves the call to sg_finish_rem_req() to a context where interrupts are enabled, ensuring that the potentially sleeping function is not called in atomic context [1][2][3]. Users should apply the latest stable kernel updates to address this issue.