From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43448: nvme-pci: Fix race bug in nvme_poll_irqdisable()
Date: Fri, 8 May 2026 16:22:57 +0200
Message-ID: <2026050856-CVE-2026-43448-4484@gregkh>
X-Mailing-List: linux-cve-announce@vger.kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: Fix race bug in nvme_poll_irqdisable()

In the following scenario, pdev can be disabled between (1) and (3) by (2).
This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return an
MSI-X IRQ (>15) for (1) whereas it returns an INTx IRQ (<=15) for (2). This
causes an IRQ warning because it tries to enable an INTx IRQ that has never
been disabled before.

To fix this, save the IRQ number into a local variable and ensure
disable_irq() and enable_irq() operate on the same IRQ number. Even if
pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and
enable_irq() on a stale IRQ number is still valid and safe, and the depth
accounting remains balanced.
task 1: nvme_poll_irqdisable()
  disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
  enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector))  ...(3)

task 2: nvme_reset_work()
  nvme_dev_disable()
    pdev->msix_enable = 0; ...(2)

crash log:

------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS:  0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
 enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
 nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
 nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
 blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
 blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
 bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
 __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
 sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
 bt_for_each block/blk-mq-tag.c:324 [inline]
 blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
 blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
 kthread+0x41a/0x930 kernel/kthread.c:463
 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
irq event stamp: 74478
hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723
---[ end trace 0000000000000000 ]---

The Linux kernel CVE team has assigned CVE-2026-43448 to this issue.
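A constructed model of the race, added here as an editor's example and not the kernel's code: it mimics pci_irq_vector() switching from the MSI-X vector to the INTx line once msix_enabled is cleared, keeps per-IRQ disable depth the way the kernel's irq_desc depth accounting does (an enable at depth zero is the "Unbalanced enable for IRQ 10" warning above), and contrasts the double-lookup pattern with the fix that captures the IRQ number once. The IRQ numbers, the minimal struct pci_dev and the helper names are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model for this example, not the kernel's code: a PCI device whose IRQ
 * lookup depends on msix_enabled, and per-IRQ nesting depth like irq_desc->depth. */
#define NR_IRQS 32
#define INTX_IRQ 10       /* legacy INTx line (<= 15), never disabled by the driver */
#define MSIX_BASE_IRQ 24  /* MSI-X vectors map to IRQs > 15 */

struct pci_dev { bool msix_enabled; };
static int irq_depth[NR_IRQS];   /* disable_irq() nesting depth per IRQ */
static int unbalanced_warnings;  /* "Unbalanced enable for IRQ" events */
/* MSI-X IRQ while enabled; INTx once nvme_dev_disable() has cleared msix_enabled. */
static int pci_irq_vector(struct pci_dev *pdev, unsigned int vector)
{
    return pdev->msix_enabled ? MSIX_BASE_IRQ + (int)vector : INTX_IRQ;
}
static void disable_irq(int irq) { irq_depth[irq]++; }
static void enable_irq(int irq)
{
    if (irq_depth[irq] == 0) { unbalanced_warnings++; return; } /* kernel WARN()s here */
    irq_depth[irq]--;
}
static void nvme_dev_disable(struct pci_dev *pdev) { pdev->msix_enabled = false; }
static void reset_model(void) { memset(irq_depth, 0, sizeof irq_depth); unbalanced_warnings = 0; }

/* Vulnerable shape: pci_irq_vector() is evaluated at (1) and again at (3). If task 2
 * runs (2) in between, (3) enables the INTx IRQ and the MSI-X IRQ stays disabled. */
static int run_before(bool race)
{
    struct pci_dev pdev = { .msix_enabled = true };
    reset_model();
    disable_irq(pci_irq_vector(&pdev, 0));  /* (1) */
    if (race) nvme_dev_disable(&pdev);      /* (2) */
    enable_irq(pci_irq_vector(&pdev, 0));   /* (3) */
    return unbalanced_warnings;
}

/* Fixed shape: the IRQ number is captured once, so (1) and (3) act on the same IRQ. */
static int run_after(bool race)
{
    struct pci_dev pdev = { .msix_enabled = true };
    int irq = pci_irq_vector(&pdev, 0);
    reset_model();
    disable_irq(irq);                       /* (1) */
    if (race) nvme_dev_disable(&pdev);      /* (2) */
    enable_irq(irq);                        /* (3) */
    return unbalanced_warnings;
}
/* Depth left on the MSI-X IRQ after the last run; non-zero means it was leaked disabled. */
static int msix_depth_left(void) { return irq_depth[MSIX_BASE_IRQ]; }
```

Each run returns the number of unbalanced-enable warnings it raised; the racy run of the old pattern raises one and leaves the MSI-X IRQ disabled, while the fixed pattern stays balanced whether or not (2) intervenes.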
Affected and fixed versions
===========================

Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 6.1.167 with commit 265dbc9bc33c29f60f90be3e0afe1c4067ebb70b
Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 6.6.130 with commit 628773eba024d1107cc9ec157a682cbb42ac912a
Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 6.12.78 with commit 843e913cef4e33723663a899727f685a95ab53fe
Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 6.18.19 with commit b56c49897bdac5cb49e3495ef421c391628ee9bb
Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 6.19.9 with commit e311d84c62eb76e025e11a44155b402e55950b83
Issue introduced in 5.7 with commit fa059b856a593a7bddd4d3779ae8ab1380e05d91 and fixed in 7.0 with commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43448 will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/nvme/host/pci.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/265dbc9bc33c29f60f90be3e0afe1c4067ebb70b
	https://git.kernel.org/stable/c/628773eba024d1107cc9ec157a682cbb42ac912a
	https://git.kernel.org/stable/c/843e913cef4e33723663a899727f685a95ab53fe
	https://git.kernel.org/stable/c/b56c49897bdac5cb49e3495ef421c391628ee9bb
	https://git.kernel.org/stable/c/e311d84c62eb76e025e11a44155b402e55950b83
	https://git.kernel.org/stable/c/fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e