CVE-2022-48790

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 16/07/2024
Last modified: 07/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme: fix a possible use-after-free in controller reset during load

Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp.

The race condition may happen in the following scenario:
1. driver executes its reset_ctrl_work
2. -> nvme_stop_ctrl - flushes ctrl async_event_work
3. ctrl sends AEN which is received by the host, which in turn schedules AEN handling
4. teardown admin queue (which releases the queue socket)
5. AEN processed, submits another AER, calling the driver to submit
6. driver attempts to send the cmd
==> use-after-free

In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission.

This addresses the above race in controller resets because the driver during teardown should:
1. change ctrl state to RESETTING
2. flush async_event_work (as well as other async work elements)

So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER.
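The race and the state-check fix, modelled as a small added C example (not kernel code; the struct and function names are assumptions, and the released socket is represented by a flag instead of actually freed memory so the replay is safe to run):

```c
#include <stdbool.h>
#include <stddef.h>

/* Modelled controller states; only the two the fix relies on. */
enum ctrl_state { CTRL_LIVE, CTRL_RESETTING };

/* Stands in for the admin queue's socket. `released` models the freed
 * socket so the replay never dereferences freed memory. */
struct admin_queue { bool released; };

struct ctrl {
    enum ctrl_state state;
    struct admin_queue *admin_q;
};

/* Transport-level send (the .submit_async_event role): it does not check
 * ctrl readiness, exactly as the advisory describes. Returns -1 where the
 * real driver would touch the freed socket. */
static int transport_submit_async_event(struct ctrl *c)
{
    if (c->admin_q->released)
        return -1;          /* this is the use-after-free in the real driver */
    return 0;               /* AER handed to the transport */
}

/* AER work without the fix: step 5 re-submits blindly even though step 4
 * already tore the admin queue down. */
static int async_event_work_unfixed(struct ctrl *c)
{
    return transport_submit_async_event(c);
}

/* AER work with the fix: bail out unless the controller is LIVE, so a
 * RESETTING controller never reaches the transport. */
static int async_event_work_fixed(struct ctrl *c)
{
    if (c->state != CTRL_LIVE)
        return -2;          /* bailed out without submitting the AER */
    return transport_submit_async_event(c);
}

/* Replays steps 1-6 of the scenario against the chosen AER handler. */
static int replay_reset_race(int (*aer_work)(struct ctrl *))
{
    struct admin_queue q = { .released = false };
    struct ctrl c = { .state = CTRL_LIVE, .admin_q = &q };

    c.state = CTRL_RESETTING;   /* 1-2: reset work runs, ctrl stopped */
    q.released = true;          /* 4: admin queue teardown releases socket */
    return aer_work(&c);        /* 3,5,6: late AEN handling submits a new AER */
}
```

The unfixed path returns -1 (it would have touched the released socket); the fixed path returns -2 because the RESETTING state check stops the submission first.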

Vulnerable products and versions

CPE                                           | From              | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  |                   | 4.19.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  | 4.20 (including)  | 5.4.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  | 5.5 (including)   | 5.10.102 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  | 5.11 (including)  | 5.15.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  | 5.16 (including)  | 5.16.11 (excluding)