From: "Heyne, Maximilian" <mheyne@amazon.de>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: "Heyne, Maximilian" <mheyne@amazon.de>,
Keith Busch <kbusch@kernel.org>,
Casey Chen <cachen@purestorage.com>,
Christoph Hellwig <hch@lst.de>, "Hannes Reinecke" <hare@suse.de>,
Ming Lei <ming.lei@redhat.com>,
Chaitanya Kulkarni <kch@nvidia.com>, Jens Axboe <axboe@kernel.dk>,
Hector Martin <marcan@marcan.st>, Sven Peter <sven@svenpeter.dev>,
Alyssa Rosenzweig <alyssa@rosenzweig.io>,
Sagi Grimberg <sagi@grimberg.me>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Alim Akhtar <alim.akhtar@samsung.com>,
"Avri Altman" <avri.altman@wdc.com>,
Bart Van Assche <bvanassche@acm.org>,
"Sasha Levin" <sashal@kernel.org>,
Peter Wang <peter.wang@mediatek.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
Thomas Yen <thomasyen@google.com>, Bean Huo <beanhuo@micron.com>,
Seunghwan Baek <sh8267.baek@samsung.com>,
Brian Kao <powenkao@google.com>,
Seunghui Lee <sh043.lee@samsung.com>,
Sanjeev Yadav <sanjeev.y@mediatek.com>,
Wonkon Kim <wkon.kim@samsung.com>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"asahi@lists.linux.dev" <asahi@lists.linux.dev>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
Subject: [PATCH 6.1.y v2 5/6] nvme: fix admin request_queue lifetime
Date: Thu, 2 Apr 2026 13:57:19 +0000
Message-ID: <20260402-sloth-visible-3c249ba7@mheyne-amazon>
In-Reply-To: <20260402-moral-jockey-f072379b@mheyne-amazon>
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 03b3bcd319b3ab5182bc9aaa0421351572c78ac0 ]
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Reported-by: Casey Chen <cachen@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
[ Because we're missing commit 0da7feaa5913 ("nvme-pci: use the tagset
alloc/free helpers") we need to additionally remove the blk_put_queue
from nvme_dev_remove_admin in pci.c to properly fix the UAF ]
Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
---
drivers/nvme/host/core.c | 3 ++-
drivers/nvme/host/pci.c | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 044e1a9c099b3..f17318f6c82b0 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -5043,7 +5043,6 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- blk_put_queue(ctrl->admin_q);
if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
blk_put_queue(ctrl->fabrics_q);
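Review bot: dropping the blk_put_queue() for admin_q while fabrics_q keeps its destroy-then-put pair two lines below leaves nvme_remove_admin_tag_set() with an asymmetric lifetime rule that the code itself does not explain; a short comment above blk_mq_destroy_queue(ctrl->admin_q), stating that the last admin_q reference is now dropped in nvme_free_ctrl() because namespaces may still hold references, would stop the next reader from re-adding the put here. Note also that nothing in this hunk clears ctrl->admin_q, so a controller that destroys and re-allocates its admin tag set during a reset would lose the old reference; the thread overview lists a follow-up 6/6 "nvme: fix admin queue leak on controller reset" that appears to cover that case and should be applied together with this one.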
@@ -5186,6 +5185,8 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
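Review bot: the `if (ctrl->admin_q)` guard is needed because nvme_free_ctrl() also runs for controllers whose admin queue was never allocated, but the reason the final put lives in the device release callback rather than next to blk_mq_destroy_queue() is recorded only in the commit message; suggest a comment such as `/* namespaces may still hold admin_q references; drop ours last */` above the check. blk_mq_destroy_queue() has already marked the queue dying by the time this runs, so this put only releases memory, which is exactly the ordering the commit text wants.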
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 38732c0c28bbb..e8b7b0004086c 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1782,7 +1782,6 @@ static void nvme_dev_remove_admin(struct nvme_dev *dev)
*/
nvme_start_admin_queue(&dev->ctrl);
blk_mq_destroy_queue(dev->ctrl.admin_q);
- blk_put_queue(dev->ctrl.admin_q);
blk_mq_free_tag_set(&dev->admin_tagset);
}
}
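Review bot: the bracketed backport note explains this removal, but the code loses that context: without commit 0da7feaa5913 ("nvme-pci: use the tagset alloc/free helpers") nvme_dev_remove_admin() still manages the admin queue directly, and a 6.1.y reader seeing blk_mq_destroy_queue() with no matching blk_put_queue() will suspect a leak. Suggest a one-line comment saying the reference is released in nvme_free_ctrl(). The thread overview also shows 4/6 "nvme-pci: put the admin queue in nvme_dev_remove_admin" adding the very put this hunk removes; if 4/6 is not needed as an intermediate bisectable state, folding the two would make the series easier to review.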
--
2.50.1
Thread overview (9+ messages):
2026-04-02 13:57 [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 1/6] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 2/6] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference Heyne, Maximilian
2026-04-02 13:57 ` [PATCH 6.1.y v2 4/6] nvme-pci: put the admin queue in nvme_dev_remove_admin Heyne, Maximilian
2026-04-02 13:57 ` Heyne, Maximilian [this message]
2026-04-02 13:57 ` [PATCH 6.1.y v2 6/6] nvme: fix admin queue leak on controller reset Heyne, Maximilian
2026-04-03 9:43 ` Fedor Pchelkin
2026-04-03 9:48 ` [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime Fedor Pchelkin