{"id":"CVE-2025-40261","summary":"nvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause -\u003eioerr_work to be queued after\ncancel_work_sync() had been called.  Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\nwhen the nvme_fc_ctrl object is freed.  Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue:  0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS:  0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074]  \u003cTASK\u003e\n[ 1136.063179]  ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540]  ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898]  ? move_linked_works+0x4a/0xa0\n[ 1136.075998]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744]  ? __die_body.cold+0x8/0x12\n[ 1136.085584]  ? die+0x2e/0x50\n[ 1136.088469]  ? do_trap+0xca/0x110\n[ 1136.091789]  ? do_error_trap+0x65/0x80\n[ 1136.095543]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289]  ? exc_invalid_op+0x50/0x70\n[ 1136.105127]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874]  ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806]  move_linked_works+0x4a/0xa0\n[ 1136.124733]  worker_thread+0x216/0x3a0\n[ 1136.128485]  ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758]  kthread+0xfa/0x240\n[ 1136.135904]  ? __pfx_kthread+0x10/0x10\n[ 1136.139657]  ret_from_fork+0x31/0x50\n[ 1136.143236]  ? __pfx_kthread+0x10/0x10\n[ 1136.146988]  ret_from_fork_asm+0x1a/0x30\n[ 1136.150915]  \u003c/TASK\u003e","modified":"2026-03-31T17:29:20.744385Z","published":"2025-12-04T16:08:21.345Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40261.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d78e8e01251da032a5f7cbc9728e4ab1a5a5464"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d81beae4753db3b3dc5b70dc300d4036e0d9cb8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9610a2c162ef729a3988213a4604376e492f6f44"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40261.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40261"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f1cd8c40936ff2b560e1f35159dd6a4602b558e5"},{"fixed":"3d78e8e01251da032a5f7cbc9728e4ab1a5a5464"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"19fce0470f05031e6af36e49ce222d0f0050d432"},{"fixed":"60ba31330faf5677e2eebef7eac62ea9e42a200d"},{"fixed":"9610a2c162ef729a3988213a4604376e492f6f44"},{"fixed":"33f64600a12055219bda38b55320c62cdeda9167"},{"fixed":"48ae433c6cc6985f647b1b37d8bb002972cf9bdb"},{"fixed":"fbd5741a556eaaa63d0908132ca79d335b58b1cd"},{"fixed":"0a2c5495b6d1ecb0fa18ef6631450f391a888256"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40261.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.197"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.6.118"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.12.60"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.17.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40261.json"}}],"schema_version":"1.7.5"}