CVE-2025-38209

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-tcp: remove tag set when second admin queue config fails<br /> <br /> Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure<br /> concatenation") modified nvme_tcp_setup_ctrl() to call<br /> nvme_tcp_configure_admin_queue() twice. The first call prepares for<br /> DH-CHAP negotitation, and the second call is required for secure<br /> concatenation. However, this change triggered BUG KASAN slab-use-after-<br /> free in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by<br /> repeating the blktests test case nvme/063 a few times [1].<br /> <br /> When the BUG happens, nvme_tcp_create_ctrl() fails in the call chain<br /> below:<br /> <br /> nvme_tcp_create_ctrl()<br /> nvme_tcp_alloc_ctrl() new=true ... Alloc nvme_tcp_ctrl and admin_tag_set<br /> nvme_tcp_setup_ctrl() new=true<br /> nvme_tcp_configure_admin_queue() new=true ... Succeed<br /> nvme_alloc_admin_tag_set() ... Alloc the tag set for admin_tag_set<br /> nvme_stop_keep_alive()<br /> nvme_tcp_teardown_admin_queue() remove=false<br /> nvme_tcp_configure_admin_queue() new=false<br /> nvme_tcp_alloc_admin_queue() ... Fail, but do not call nvme_remove_admin_tag_set()<br /> nvme_uninit_ctrl()<br /> nvme_put_ctrl() ... Free up the nvme_tcp_ctrl and admin_tag_set<br /> <br /> The first call of nvme_tcp_configure_admin_queue() succeeds with<br /> new=true argument. The second call fails with new=false argument. This<br /> second call does not call nvme_remove_admin_tag_set() on failure, due to<br /> the new=false argument. Then the admin tag set is not removed. However,<br /> nvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call<br /> nvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which<br /> has admin_tag_set field. Later on, the timeout handler accesses the<br /> admin_tag_set field and causes the BUG KASAN slab-use-after-free.<br /> <br /> To not leave the admin tag set, call nvme_remove_admin_tag_set() when<br /> the second nvme_tcp_configure_admin_queue() call fails. Do not return<br /> from nvme_tcp_setup_ctrl() on failure. Instead, jump to "destroy_admin"<br /> go-to label to call nvme_tcp_teardown_admin_queue() which calls<br /> nvme_remove_admin_tag_set().