CVE-2025-40118

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when device is gone") UBSAN reports:

UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001sas.c:786:17 index 28 is out of range for type 'pm8001phy [16]'

on rmmod when using an expander.

For a direct attached device, attachedphy contains the local phy id. For a device behind an expander, attachedphy contains the remote phy id, not the local phy id.

I.e. while pm8001ha will have pm8001ha->chip->nphy local phys, for a device behind an expander, attachedphy can be much larger than pm8001ha->chip->nphy (depending on the amount of phys of the expander).

E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the ports has an expander connected. The expander has 31 phys with phy ids 0-30.

The pm8001ha->phy array only contains the phys of the HBA. It does not contain the phys of the expander. Thus, it is wrong to use attachedphy to index the pm8001_ha->phy array for a device behind an expander.

Thus, we can only clear phy_attached for devices that are directly attached.