[PATCH 6.1.y 0/8] nvme: correctly fix admin request_queue lifetime

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

From: "Heyne, Maximilian" <mheyne@amazon.de>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: "Heyne, Maximilian" <mheyne@amazon.de>,
	Jens Axboe <axboe@kernel.dk>, Hector Martin <marcan@marcan.st>,
	Sven Peter <sven@svenpeter.dev>,
	"Alyssa Rosenzweig" <alyssa@rosenzweig.io>,
	Keith Busch <kbusch@kernel.org>, Christoph Hellwig <hch@lst.de>,
	Sagi Grimberg <sagi@grimberg.me>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Alim Akhtar <alim.akhtar@samsung.com>,
	"Avri Altman" <avri.altman@wdc.com>,
	Bart Van Assche <bvanassche@acm.org>,
	"Sasha Levin" <sashal@kernel.org>,
	Peter Wang <peter.wang@mediatek.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	Thomas Yen <thomasyen@google.com>, Bean Huo <beanhuo@micron.com>,
	Brian Kao <powenkao@google.com>,
	Seunghui Lee <sh043.lee@samsung.com>,
	Sanjeev Yadav <sanjeev.y@mediatek.com>,
	Wonkon Kim <wkon.kim@samsung.com>, Ming Lei <ming.lei@redhat.com>,
	Hannes Reinecke <hare@suse.de>,
	Chaitanya Kulkarni <kch@nvidia.com>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"asahi@lists.linux.dev" <asahi@lists.linux.dev>,
	"linux-arm-kernel@lists.infradead.org"
	<linux-arm-kernel@lists.infradead.org>,
	"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
	"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
Subject: [PATCH 6.1.y 0/8] nvme: correctly fix admin request_queue lifetime
Date: Wed, 1 Apr 2026 13:36:55 +0000	[thread overview]
Message-ID: <20260401-defer-gleam-5226cb65@mheyne-amazon> (raw)

The initial attempt to backport upstream commit 03b3bcd319b3 ("nvme: fix
admin request_queue lifetime") was not correct leading to refcount
underflows and not even fixing the problem.

I've tested the reproduction steps from [1] (adding a delay to
nvme_submit_user_cmd and 'echo 1 | sudo tee
/sys/class/nvme/nvme0/delete_controller') on the nvme-tcp driver which
printed the KASAN UAF blurb.

Fixing the issue in the 6.1 series requires a few dependent patches.
This is mainly the upstream commit 2b3f056f72e5 ("blk-mq: move the call
to blk_put_queue out of blk_mq_destroy_queue") which allows to move the
blk_put_queue to a different location. While at it, I'm backporting the
whole patch series for completeness. However, the scsi and apple patches
are not strictly required and could be dropped from this series.

The backport of commit 03b3bcd319b3 ("nvme: fix admin
request_queue lifetime") needed a tweak to the nvme pci driver.

Furthermore, in this patch series I've also included a follow-up fixup
from upstream commit b84bb7bd913d ("nvme: fix admin queue leak on
controller reset"), again with an adaption to the nvme pci driver. This
issue could easily be reproduced by resetting the controller (no need to
run full blktests):

  echo 1 > /sys/class/nvme/nvme0/reset_controller

[1] https://lore.kernel.org/all/20251029210853.20768-1-cachen@purestorage.com/

Christoph Hellwig (5):
  blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue
  scsi: remove an extra queue reference
  nvme-pci: remove an extra queue reference
  nvme-apple: remove an extra queue reference
  nvme-pci: put the admin queue in nvme_dev_remove_admin

Keith Busch (1):
  nvme: fix admin request_queue lifetime

Maximilian Heyne (1):
  Revert "nvme: fix admin request_queue lifetime"

Ming Lei (1):
  nvme: fix admin queue leak on controller reset

 block/blk-mq.c            |  4 +---
 block/bsg-lib.c           |  2 ++
 drivers/nvme/host/apple.c |  8 --------
 drivers/nvme/host/core.c  | 16 ++++++++++++++--
 drivers/nvme/host/pci.c   | 14 +++++++-------
 drivers/scsi/scsi_scan.c  |  1 -
 drivers/ufs/core/ufshcd.c |  2 ++
 7 files changed, 26 insertions(+), 21 deletions(-)

-- 
2.50.1

Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597

next             reply	other threads:[~2026-04-01 13:37 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-01 13:36 Heyne, Maximilian [this message]
2026-04-01 13:36 ` [PATCH 6.1.y 1/8] Revert "nvme: fix admin request_queue lifetime" Heyne, Maximilian
2026-04-01 13:36 ` [PATCH 6.1.y 2/8] blk-mq: move the call to blk_put_queue out of blk_mq_destroy_queue Heyne, Maximilian
2026-04-01 13:37 ` [PATCH 6.1.y 3/8] scsi: remove an extra queue reference Heyne, Maximilian
2026-04-01 13:37 ` [PATCH 6.1.y 4/8] nvme-pci: " Heyne, Maximilian
2026-04-01 13:37 ` [PATCH 6.1.y 5/8] nvme-apple: " Heyne, Maximilian
2026-04-01 20:45   ` Fedor Pchelkin
2026-04-02 12:31     ` Heyne, Maximilian
2026-04-03  9:35       ` Fedor Pchelkin
2026-04-01 13:37 ` [PATCH 6.1.y 6/8] nvme-pci: put the admin queue in nvme_dev_remove_admin Heyne, Maximilian
2026-04-01 13:37 ` [PATCH 6.1.y 7/8] nvme: fix admin request_queue lifetime Heyne, Maximilian
2026-04-01 13:37 ` [PATCH 6.1.y 8/8] nvme: fix admin queue leak on controller reset Heyne, Maximilian

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260401-defer-gleam-5226cb65@mheyne-amazon \
    --to=mheyne@amazon.de \
    --cc=alim.akhtar@samsung.com \
    --cc=alyssa@rosenzweig.io \
    --cc=asahi@lists.linux.dev \
    --cc=avri.altman@wdc.com \
    --cc=axboe@kernel.dk \
    --cc=beanhuo@micron.com \
    --cc=bvanassche@acm.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=jejb@linux.ibm.com \
    --cc=kbusch@kernel.org \
    --cc=kch@nvidia.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=marcan@marcan.st \
    --cc=martin.petersen@oracle.com \
    --cc=ming.lei@redhat.com \
    --cc=peter.wang@mediatek.com \
    --cc=powenkao@google.com \
    --cc=sagi@grimberg.me \
    --cc=sanjeev.y@mediatek.com \
    --cc=sashal@kernel.org \
    --cc=sh043.lee@samsung.com \
    --cc=stable@vger.kernel.org \
    --cc=sven@svenpeter.dev \
    --cc=thomasyen@google.com \
    --cc=wkon.kim@samsung.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox