* [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime
@ 2026-04-02 13:57 Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
` (6 more replies)
0 siblings, 7 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, Keith Busch, Christoph Hellwig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Adrian Hunter, Seunghwan Baek, Seunghui Lee,
Thomas Yen, Brian Kao, Sanjeev Yadav, Wonkon Kim,
Chaitanya Kulkarni, Hannes Reinecke, Ming Lei,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
The initial attempt to backport upstream commit 03b3bcd319b3 ("nvme: fix
admin request_queue lifetime") was not correct leading to refcount
underflows and not even fixing the problem.
I've tested the reproduction steps from [1] (adding a delay to
nvme_submit_user_cmd and 'echo 1 | sudo tee
/sys/class/nvme/nvme0/delete_controller') on the nvme-tcp driver which
printed the KASAN UAF blurb.
Fixing the issue in the 6.1 series requires a few dependent patches.
This is mainly the upstream commit 2b3f056f72e5 ("blk-mq: move the call
to blk_put_queue out of blk_mq_destroy_queue") which allows to move the
blk_put_queue to a different location.
The backport of commit 03b3bcd319b3 ("nvme: fix admin
request_queue lifetime") needed a tweak to the nvme pci driver.
Furthermore, in this patch series I've also included a follow-up fixup
from upstream commit b84bb7bd913d ("nvme: fix admin queue leak on
controller reset"), again with an adaption to the nvme pci driver. This
issue could easily be reproduced by resetting the controller (no need to
run full blktests):
echo 1 > /sys/class/nvme/nvme0/reset_controller
[1] https://lore.kernel.org/all/20251029210853.20768-1-cachen@purestorage.com/
---
Changes in v2:
- dropped 2 patches from the series that are unnecessary (scsi and
apple). The apple-nvme patch was even wrong (Thanks Fedor for
pointing that out)
Christoph Hellwig (3):
blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
nvme-pci: remove an extra queue reference
nvme-pci: put the admin queue in nvme_dev_remove_admin
Keith Busch (1):
nvme: fix admin request_queue lifetime
Maximilian Heyne (1):
Revert "nvme: fix admin request_queue lifetime"
Ming Lei (1):
nvme: fix admin queue leak on controller reset
block/blk-mq.c | 4 +---
block/bsg-lib.c | 2 ++
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/core.c | 16 ++++++++++++++--
drivers/nvme/host/pci.c | 14 +++++++-------
drivers/scsi/scsi_sysfs.c | 1 +
drivers/ufs/core/ufshcd.c | 2 ++
7 files changed, 28 insertions(+), 12 deletions(-)
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime"
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 2/6] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue Heyne, Maximilian
` (5 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, Keith Busch, Christoph Hellwig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Seunghwan Baek, Thomas Yen, Adrian Hunter,
Wonkon Kim, Brian Kao, Seunghui Lee, Sanjeev Yadav,
Hannes Reinecke, Ming Lei, Chaitanya Kulkarni,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
This reverts commit ff037b5f47eeccc1636c03f84cd47db094eb73c9.
The backport of upstream commit 03b3bcd319b3 ("nvme: fix admin
request_queue lifetime") to 6.1 is broken in 2 ways. First of all it
doesn't actually fix the issue because blk_put_queue will still be
called as part of blk_mq_destroy_queue in nvme_remove_admin_tag_set
leading to the UAF.
Second, the backport leads to a refcount underflow when unbinding a pci
nvme device:
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 1486 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
Modules linked in: bochs drm_vram_helper simpledrm skx_edac_common drm_shmem_helper drm_kms_helper kvm_intel cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea drm_ttm_helper fb ttm kvm fbdev drm mousedev nls_ascii psmouse irqbypass nls_cp437 atkbd crc32_pclmul crc32c_intel libps2 vfat fat sunrpc virtio_net ata_piix vivaldi_fmap drm_panel_orientation_quirks libata backlight i2c_piix4 net_failover i8042 ghash_clmulni_intel failover serio i2c_core button sch_fq_codel
CPU: 2 PID: 1486 Comm: bash Not tainted 6.1.167 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20240813-306.amzn2 08/13/2024
RIP: 0010:refcount_warn_saturate+0xba/0x110
Code: 01 01 e8 89 79 ad ff 0f 0b e9 82 f4 7e 00 80 3d 73 03 cc 01 00 75 85 48 c7 c7 e0 5d 3b 8e c6 05 63 03 cc 01 01 e8 66 79 ad ff <0f> 0b c3 cc cc cc cc 80 3d 4e 03 cc 01 00 0f 85 5e ff ff ff 48 c7
RSP: 0018:ffffd0cc011bfd18 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8ada07b33210 RCX: 0000000000000027
RDX: ffff8adb37d1f728 RSI: 0000000000000001 RDI: ffff8adb37d1f720
RBP: ffff8ada07b33000 R08: 0000000000000000 R09: 00000000fffeffff
R10: ffffd0cc011bfba8 R11: ffffffff8f1781a8 R12: ffffd0cc011bfd38
R13: ffff8ada03080800 R14: ffff8ada07b33210 R15: ffff8ada07b33b10
FS: 00007f50f6964740(0000) GS:ffff8adb37d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cdb54e6ae0 CR3: 000000010224e001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
nvme_pci_free_ctrl+0x45/0x80
nvme_free_ctrl+0x1aa/0x2b0
device_release+0x34/0x90
kobject_cleanup+0x3a/0x130
pci_device_remove+0x3e/0xb0
device_release_driver_internal+0x1aa/0x230
unbind_store+0x11f/0x130
kernfs_fop_write_iter+0x13a/0x1d0
vfs_write+0x2a6/0x3b0
ksys_write+0x5f/0xe0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7f50f66ff897
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fffaef903d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f50f67fd780 RCX: 00007f50f66ff897
RDX: 000000000000000d RSI: 0000557f72ef6b90 RDI: 0000000000000001
RBP: 000000000000000d R08: 0000000000000000 R09: 00007f50f67b2d20
R10: 00007f50f67b2c20 R11: 0000000000000246 R12: 000000000000000d
R13: 0000557f72ef6b90 R14: 000000000000000d R15: 00007f50f67f89c0
</TASK>
The reason for this is that nvme_free_ctrl calls ->free_ctrl which
resolves to nvme_pci_free_ctrl in aforementioned case which also has a
blk_put_queue, so the admin queue is put twice. This is because on 6.1
we're missing the commit 96ef1be53663 ("nvme-pci: put the admin queue in
nvme_dev_remove_admin").
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 9df33b293ee3e..938af571dc13e 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5180,8 +5180,6 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
- if (ctrl->admin_q)
- blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 2/6] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference Heyne, Maximilian
` (4 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Sven Peter, Alyssa Rosenzweig, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Adrian Hunter,
Thomas Yen, Brian Kao, Seunghui Lee, Sanjeev Yadav, Wonkon Kim,
Ming Lei, Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 2b3f056f72e56fa07df69b4705e0b46a6c08e77c ]
The fact that blk_mq_destroy_queue also drops a queue reference leads
to various places having to grab an extra reference. Move the call to
blk_put_queue into the callers to allow removing the extra references.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-2-hch@lst.de
[axboe: fix fabrics_q vs admin_q conflict in nvme core.c]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
block/blk-mq.c | 4 +---
block/bsg-lib.c | 2 ++
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/core.c | 10 ++++++++--
drivers/nvme/host/pci.c | 1 +
drivers/scsi/scsi_sysfs.c | 1 +
drivers/ufs/core/ufshcd.c | 2 ++
7 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index a9697541d67f9..8b9e5ca398242 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4194,9 +4194,6 @@ void blk_mq_destroy_queue(struct request_queue *q)
blk_sync_queue(q);
blk_mq_cancel_work_sync(q);
blk_mq_exit_queue(q);
-
- /* @q is and will stay empty, shutdown and put */
- blk_put_queue(q);
}
EXPORT_SYMBOL(blk_mq_destroy_queue);
@@ -4213,6 +4210,7 @@ struct gendisk *__blk_mq_alloc_disk(struct blk_mq_tag_set *set, void *queuedata,
disk = __alloc_disk_node(q, set->numa_node, lkclass);
if (!disk) {
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
return ERR_PTR(-ENOMEM);
}
set_bit(GD_OWNS_QUEUE, &disk->state);
diff --git a/block/bsg-lib.c b/block/bsg-lib.c
index d6f5dcdce748c..435c32373cd68 100644
--- a/block/bsg-lib.c
+++ b/block/bsg-lib.c
@@ -325,6 +325,7 @@ void bsg_remove_queue(struct request_queue *q)
bsg_unregister_queue(bset->bd);
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
blk_mq_free_tag_set(&bset->tag_set);
kfree(bset);
}
@@ -400,6 +401,7 @@ struct request_queue *bsg_setup_queue(struct device *dev, const char *name,
return q;
out_cleanup_queue:
blk_mq_destroy_queue(q);
+ blk_put_queue(q);
out_queue:
blk_mq_free_tag_set(set);
out_tag_set:
diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c
index 262d2b60ac6dd..c5fc293c22123 100644
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1510,6 +1510,7 @@ static int apple_nvme_probe(struct platform_device *pdev)
if (!blk_get_queue(anv->ctrl.admin_q)) {
nvme_start_admin_queue(&anv->ctrl);
blk_mq_destroy_queue(anv->ctrl.admin_q);
+ blk_put_queue(anv->ctrl.admin_q);
anv->ctrl.admin_q = NULL;
ret = -ENODEV;
goto put_dev;
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 938af571dc13e..044e1a9c099b3 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5031,6 +5031,7 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
out_cleanup_admin_q:
blk_mq_destroy_queue(ctrl->admin_q);
+ blk_put_queue(ctrl->admin_q);
out_free_tagset:
blk_mq_free_tag_set(set);
ctrl->admin_q = NULL;
@@ -5042,8 +5043,11 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- if (ctrl->ops->flags & NVME_F_FABRICS)
+ blk_put_queue(ctrl->admin_q);
+ if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
+ blk_put_queue(ctrl->fabrics_q);
+ }
blk_mq_free_tag_set(ctrl->admin_tagset);
}
EXPORT_SYMBOL_GPL(nvme_remove_admin_tag_set);
@@ -5099,8 +5103,10 @@ EXPORT_SYMBOL_GPL(nvme_alloc_io_tag_set);
void nvme_remove_io_tag_set(struct nvme_ctrl *ctrl)
{
- if (ctrl->ops->flags & NVME_F_FABRICS)
+ if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->connect_q);
+ blk_put_queue(ctrl->connect_q);
+ }
blk_mq_free_tag_set(ctrl->tagset);
}
EXPORT_SYMBOL_GPL(nvme_remove_io_tag_set);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 518f8c5012bdf..727585f580362 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,6 +1782,7 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
+ blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 456b92c3a7811..af81b2ba0c9b3 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1486,6 +1486,7 @@ void __scsi_remove_device(struct scsi_device *sdev)
mutex_unlock(&sdev->state_mutex);
blk_mq_destroy_queue(sdev->request_queue);
+ blk_put_queue(sdev->request_queue);
kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
cancel_work_sync(&sdev->requeue_work);
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index f72ba0b206437..a39ffc62d88a1 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -9651,6 +9651,7 @@ void ufshcd_remove(struct ufs_hba *hba)
ufshpb_remove(hba);
ufs_sysfs_remove_nodes(hba->dev);
blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
blk_mq_free_tag_set(&hba->tmf_tag_set);
scsi_remove_host(hba->host);
/* disable interrupts */
@@ -9953,6 +9954,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
free_tmf_queue:
blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
free_tmf_tag_set:
blk_mq_free_tag_set(&hba->tmf_tag_set);
out_remove_scsi_host:
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 2/6] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 4/6] nvme-pci: put the admin queue in nvme_dev_remove_admin Heyne, Maximilian
` (3 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Sagi Grimberg,
Chaitanya Kulkarni, Keith Busch, Jens Axboe, Hector Martin,
Sven Peter, Alyssa Rosenzweig, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Sanjeev Yadav,
Adrian Hunter, Seunghwan Baek, Brian Kao, Seunghui Lee,
Wonkon Kim, Hannes Reinecke, Ming Lei,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 7dcebef90d35de13a326f765dd787538880566f9 ]
Now that blk_mq_destroy_queue does not release the queue reference, there
is no need for a second admin queue reference to be held by the nvme_dev.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20221018135720.670094-4-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/pci.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 727585f580362..13c0098939ec0 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,7 +1782,6 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
- blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
@@ -1811,11 +1810,6 @@ static int nvme_pci_alloc_admin_tag_set(struct nvme_dev *dev)
dev->ctrl.admin_q = NULL;
return -ENOMEM;
}
- if (!blk_get_queue(dev->ctrl.admin_q)) {
- nvme_dev_remove_admin(dev);
- dev->ctrl.admin_q = NULL;
- return -ENODEV;
- }
return 0;
}
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 4/6] nvme-pci: put the admin queue in nvme_dev_remove_admin
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
` (2 preceding siblings ...)
2026-04-02 13:57 ` [PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 5/6] nvme: fix admin request_queue lifetime Heyne, Maximilian
` (2 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Christoph Hellwig, Keith Busch, Sagi Grimberg,
Chaitanya Kulkarni, Jens Axboe, Hector Martin, Sven Peter,
Alyssa Rosenzweig, James E.J. Bottomley, Martin K. Petersen,
Alim Akhtar, Avri Altman, Bart Van Assche, Sasha Levin,
Peter Wang, Greg Kroah-Hartman, Thomas Yen, Brian Kao,
Sanjeev Yadav, Wonkon Kim, Seunghui Lee, Ming Lei,
Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 96ef1be53663a9343dffcf106e2f1b59da4b8799 ]
Once the controller is shutdown no one can access the admin queue. Tear
it down in nvme_dev_remove_admin, which matches the flow in the other
drivers.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Tested-by Gerd Bayer <gbayer@linxu.ibm.com>
Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime")
[ Context change due to missing commit 94cc781f69f4 ("nvme: move OPAL
setup from PCIe to core")]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/pci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 13c0098939ec0..38732c0c28bbb 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,6 +1782,7 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
+ blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
@@ -2831,8 +2832,6 @@ static void nvme_pci_free_ctrl(struct nvme_ctrl *ctrl)
nvme_dbbuf_dma_free(dev);
nvme_free_tagset(dev);
- if (dev->ctrl.admin_q)
- blk_put_queue(dev->ctrl.admin_q);
free_opal_dev(dev->ctrl.opal_dev);
mempool_destroy(dev->iod_mempool);
put_device(dev->dev);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 5/6] nvme: fix admin request_queue lifetime
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
` (3 preceding siblings ...)
2026-04-02 13:57 ` [PATCH 6.1.y v2 4/6] nvme-pci: put the admin queue in nvme_dev_remove_admin Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset Heyne, Maximilian
2026-04-03 9:48 ` [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Fedor Pchelkin
6 siblings, 0 replies; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Keith Busch, Casey Chen, Christoph Hellwig,
Hannes Reinecke, Ming Lei, Chaitanya Kulkarni, Jens Axboe,
Hector Martin, Sven Peter, Alyssa Rosenzweig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Thomas Yen, Bean Huo, Seunghwan Baek,
Brian Kao, Seunghui Lee, Sanjeev Yadav, Wonkon Kim,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 03b3bcd319b3ab5182bc9aaa0421351572c78ac0]
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Reported-by: Casey Chen <cachen@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[ Because we're missing commit 0da7feaa5913 ("nvme-pci: use the tagset
alloc/free helpers") we need to additionally remove the blk_put_queue
from nvme_dev_remove_admin in pci.c to properly fix the UAF ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 3 ++-
drivers/nvme/host/pci.c | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 044e1a9c099b3..f17318f6c82b0 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5043,7 +5043,6 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- blk_put_queue(ctrl->admin_q);
if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
blk_put_queue(ctrl->fabrics_q);
@@ -5186,6 +5185,8 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 38732c0c28bbb..e8b7b0004086c 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,7 +1782,6 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
- blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
` (4 preceding siblings ...)
2026-04-02 13:57 ` [PATCH 6.1.y v2 5/6] nvme: fix admin request_queue lifetime Heyne, Maximilian
@ 2026-04-02 13:57 ` Heyne, Maximilian
2026-04-03 9:43 ` Fedor Pchelkin
2026-04-03 9:48 ` [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Fedor Pchelkin
6 siblings, 1 reply; 9+ messages in thread
From: Heyne, Maximilian @ 2026-04-02 13:57 UTC (permalink / raw)
To: stable@vger.kernel.org
Cc: Heyne, Maximilian, Ming Lei, Keith Busch, Yi Zhang, Jens Axboe,
Hector Martin, Sven Peter, Alyssa Rosenzweig, Christoph Hellwig,
Sagi Grimberg, James E.J. Bottomley, Martin K. Petersen,
Alim Akhtar, Avri Altman, Bart Van Assche, Sasha Levin,
Peter Wang, Greg Kroah-Hartman, Seunghwan Baek, Seunghui Lee,
Adrian Hunter, Brian Kao, Sanjeev Yadav, Wonkon Kim,
Chaitanya Kulkarni, Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit b84bb7bd913d8ca2f976ee6faf4a174f91c02b8d ]
When nvme_alloc_admin_tag_set() is called during a controller reset,
a previous admin queue may still exist. Release it properly before
allocating a new one to avoid orphaning the old queue.
This fixes a regression introduced by commit 03b3bcd319b3 ("nvme: fix
admin request_queue lifetime").
Cc: Keith Busch <kbusch@kernel.org>
Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime").
Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/linux-block/CAHj4cs9wv3SdPo+N01Fw2SHBYDs9tj2M_e1-GdQOkRy=DsBB1w@mail.gmail.com/
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[ Have to do analogous work in nvme_pci_alloc_admin_tag_set in pci.c due
to missing upstream commit 0da7feaa5913 ("nvme-pci: use the tagset
alloc/free helpers") ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 7 +++++++
drivers/nvme/host/pci.c | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f17318f6c82b0..09439fa7d083a 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5012,6 +5012,13 @@ int nvme_alloc_admin_tag_set(struct nvme_ctrl *ctrl, struct blk_mq_tag_set *set,
if (ret)
return ret;
+ /*
+ * If a previous admin queue exists (e.g., from before a reset),
+ * put it now before allocating a new one to avoid orphaning it.
+ */
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
+
ctrl->admin_q = blk_mq_init_queue(set);
if (IS_ERR(ctrl->admin_q)) {
ret = PTR_ERR(ctrl->admin_q);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index e8b7b0004086c..07ca1e1d920b8 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1804,6 +1804,13 @@ static int nvme_pci_alloc_admin_tag_set(struct nvme_dev *dev)
return -ENOMEM;
dev->ctrl.admin_tagset = set;
+ /*
+ * If a previous admin queue exists (e.g., from before a reset),
+ * put it now before allocating a new one to avoid orphaning it.
+ */
+ if (dev->ctrl.admin_q)
+ blk_put_queue(dev->ctrl.admin_q);
+
dev->ctrl.admin_q = blk_mq_init_queue(set);
if (IS_ERR(dev->ctrl.admin_q)) {
blk_mq_free_tag_set(set);
--
2.50.1
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset
2026-04-02 13:57 ` [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset Heyne, Maximilian
@ 2026-04-03 9:43 ` Fedor Pchelkin
0 siblings, 0 replies; 9+ messages in thread
From: Fedor Pchelkin @ 2026-04-03 9:43 UTC (permalink / raw)
To: Heyne, Maximilian
Cc: stable@vger.kernel.org, Ming Lei, Keith Busch, Yi Zhang,
Jens Axboe, Hector Martin, Sven Peter, Alyssa Rosenzweig,
Christoph Hellwig, Sagi Grimberg, James E.J. Bottomley,
Martin K. Petersen, Alim Akhtar, Avri Altman, Bart Van Assche,
Sasha Levin, Peter Wang, Greg Kroah-Hartman, Seunghwan Baek,
Seunghui Lee, Adrian Hunter, Brian Kao, Sanjeev Yadav, Wonkon Kim,
Chaitanya Kulkarni, Hannes Reinecke, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, asahi@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
"Heyne, Maximilian" <mheyne@amazon.de>
> [ Have to do analogous work in nvme_pci_alloc_admin_tag_set in pci.c due
> to missing upstream commit 0da7feaa5913 ("nvme-pci: use the tagset
> alloc/free helpers") ]
nit: not actually needed for 6.1.y because the only callsite of
nvme_pci_alloc_admin_tag_set() there looks like
if (!dev->ctrl.admin_q) {
result = nvme_pci_alloc_admin_tag_set(dev);
Though that doesn't really matter and not worth resending I think.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
` (5 preceding siblings ...)
2026-04-02 13:57 ` [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset Heyne, Maximilian
@ 2026-04-03 9:48 ` Fedor Pchelkin
6 siblings, 0 replies; 9+ messages in thread
From: Fedor Pchelkin @ 2026-04-03 9:48 UTC (permalink / raw)
To: Heyne, Maximilian, stable@vger.kernel.org
Cc: Jens Axboe, Hector Martin, Sven Peter, Alyssa Rosenzweig,
Keith Busch, Christoph Hellwig, Sagi Grimberg,
James E.J. Bottomley, Martin K. Petersen, Alim Akhtar,
Avri Altman, Bart Van Assche, Sasha Levin, Peter Wang,
Greg Kroah-Hartman, Adrian Hunter, Seunghwan Baek, Seunghui Lee,
Thomas Yen, Brian Kao, Sanjeev Yadav, Wonkon Kim,
Chaitanya Kulkarni, Hannes Reinecke, Ming Lei,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-nvme@lists.infradead.org, linux-scsi@vger.kernel.org
"Heyne, Maximilian" <mheyne@amazon.de> wrote:
> The initial attempt to backport upstream commit 03b3bcd319b3 ("nvme: fix
> admin request_queue lifetime") was not correct leading to refcount
> underflows and not even fixing the problem.
>
> I've tested the reproduction steps from [1] (adding a delay to
> nvme_submit_user_cmd and 'echo 1 | sudo tee
> /sys/class/nvme/nvme0/delete_controller') on the nvme-tcp driver which
> printed the KASAN UAF blurb.
>
> Fixing the issue in the 6.1 series requires a few dependent patches.
> This is mainly the upstream commit 2b3f056f72e5 ("blk-mq: move the call
> to blk_put_queue out of blk_mq_destroy_queue") which allows to move the
> blk_put_queue to a different location.
>
> The backport of commit 03b3bcd319b3 ("nvme: fix admin
> request_queue lifetime") needed a tweak to the nvme pci driver.
>
> Furthermore, in this patch series I've also included a follow-up fixup
> from upstream commit b84bb7bd913d ("nvme: fix admin queue leak on
> controller reset"), again with an adaption to the nvme pci driver. This
> issue could easily be reproduced by resetting the controller (no need to
> run full blktests):
>
> echo 1 > /sys/class/nvme/nvme0/reset_controller
For the series
Tested-by: Fedor Pchelkin <pchelkin@ispras.ru>
Thanks for the prompt fix.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-04-03 9:48 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 2/6] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 4/6] nvme-pci: put the admin queue in nvme_dev_remove_admin Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 5/6] nvme: fix admin request_queue lifetime Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset Heyne, Maximilian
2026-04-03 9:43 ` Fedor Pchelkin
2026-04-03 9:48 ` [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Fedor Pchelkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox