OESA-2026-1073

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

During mpt3sastransportportremove(), messages were logged with devprintk() against &mpt3sas_port->port->dev. At this point the SAS transport device may already be partially unregistered or freed, leading to a crash when accessing its struct device.

Using ioc_info(), which logs via the PCI device (ioc->pdev->dev), guaranteed to remain valid until driver removal.

[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI [83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary) [83428.295792] Tainted: [O]=OOTMODULE, [E]=UNSIGNEDMODULE [83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024 [83428.295799] RIP: 0010:_devprintk+0x1f/0x70 [83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff [83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206 [83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32 [83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845 [83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8 [83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000 [83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30 [83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000 [83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0 [83428.295844] PKRU: 55555554 [83428.295846] Call Trace: [83428.295848] <TASK> [83428.295850] devprintk+0x5c/0x80 [83428.295857] ? srsoaliasreturnthunk+0x5/0xfbef5 [83428.295863] mpt3sastransportportremove+0x1c7/0x420 [mpt3sas] [83428.295882] scsihremovedevice+0x21b/0x280 [mpt3sas] [83428.295894] ? _scsihexpandernoderemove+0x108/0x140 [mpt3sas] [83428.295906] ? srsoaliasreturnthunk+0x5/0xfbef5 [83428.295910] mpt3sasdeviceremovebysasaddress.part.0+0x8f/0x110 [mpt3sas] [83428.295921] scsihexpandernoderemove+0x129/0x140 [mpt3sas] [83428.295933] scsihexpandernoderemove+0x6a/0x140 [mpt3sas] [83428.295944] scsihremove+0x3f0/0x4a0 [mpt3sas] [83428.295957] pcideviceremove+0x3b/0xb0 [83428.295962] devicereleasedriverinternal+0x193/0x200 [83428.295968] driverdetach+0x44/0x90 [83428.295971] busremovedriver+0x69/0xf0 [83428.295975] pciunregisterdriver+0x2a/0xb0 [83428.295979] _mpt3sasexit+0x1f/0x300 [mpt3sas] [83428.295991] _dosysdeletemodule.constprop.0+0x174/0x310 [83428.295997] ? srsoaliasreturnthunk+0x5/0xfbef5 [83428.296000] ? _x64sysgetdents64+0x9a/0x110 [83428.296005] ? srsoaliasreturnthunk+0x5/0xfbef5 [83428.296009] ? syscalltraceenter+0xf6/0x1b0 [83428.296014] dosyscall64+0x7b/0x2c0 [83428.296019] ? srsoaliasreturnthunk+0x5/0xfbef5 [83428.296023] entrySYSCALL64afterhwframe+0x76/0x7e(CVE-2025-40115)

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Check the untrusted offset in FF-A memory share

Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32MAX - sizeof(struct ffacompositememregion) + 1, U32_MAX] is set from the host kernel.(CVE-2025-40266)