CVE-2025-38658

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/08/2025
Last modified:
26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails

Have nvmet_req_init() and req->execute() complete failed commands.

Description of the problem:
nvmet_req_init() calls __nvmet_req_complete() internally upon failure,
e.g., unsupported opcode, which calls the "queue_response" callback;
this results in nvmet_pci_epf_queue_response() being called, which will
call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is
different from DMA_TO_DEVICE. This results in a double completion as
nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod()
when nvmet_req_init() fails.

Steps to reproduce:
On the host, send a command with an unsupported opcode with nvme-cli,
for example the admin command "security receive":
$ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096

This triggers a double completion as nvmet_req_init() fails and
nvmet_pci_epf_queue_response() is called; here iod->dma_dir is still
in the default state of "DMA_NONE" as set by default in
nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called.
Because nvmet_req_init() failed, nvmet_pci_epf_complete_iod() is also
called in nvmet_pci_epf_exec_iod_work(), leading to a double completion.
This not only sends two completions to the host but also corrupts the
state of the PCI NVMe target, leading to a kernel oops.

This patch lets nvmet_req_init() and req->execute() complete all failed
commands, and removes the double completion case in
nvmet_pci_epf_exec_iod_work(), therefore fixing the edge cases where
double completions occurred.
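As an added illustration (constructed for this page; it is neither the kernel's code nor the patch), the following C model reduces the completion flow described above to its one invariant: a command descriptor must be completed exactly once. The struct, function names, and opcode values are hypothetical stand-ins for the nvmet-pci-epf paths named in the description; `run_command()` returns the completion count for one command under the pre-fix or fixed flow.

```c
/* Constructed model (not the kernel's code) of the completion flow behind
 * CVE-2025-38658: a command descriptor (iod) must be completed exactly once. */
#include <stdbool.h>
enum dma_dir { DMA_NONE, DMA_TO_DEVICE, DMA_FROM_DEVICE };
enum { OPC_SUPPORTED = 0x02, OPC_UNSUPPORTED = 0x82 }; /* hypothetical values */

struct iod {
    int opcode, data_len;
    enum dma_dir dma_dir;
    int completions;  /* times complete_iod() ran; anything but 1 is a bug */
};

static void complete_iod(struct iod *iod) { iod->completions++; }

/* "queue_response" callback: completes right away when there is no data
 * phase to wait for (data_len == 0 or dma_dir != DMA_TO_DEVICE). */
static void queue_response(struct iod *iod)
{
    if (iod->data_len == 0 || iod->dma_dir != DMA_TO_DEVICE)
        complete_iod(iod);
}

/* nvmet_req_init() model: a failed command (unsupported opcode) is already
 * completed through queue_response() before false is returned. */
static bool req_init(struct iod *iod)
{
    if (iod->opcode != OPC_UNSUPPORTED)
        return true;
    queue_response(iod);
    return false;
}

/* Work function. Pre-fix it completed the iod again on req_init() failure;
 * after the fix, req_init()/execute() own that completion. */
static int exec_iod_work(struct iod *iod, bool fixed)
{
    if (!req_init(iod)) {
        if (!fixed) complete_iod(iod);  /* the double completion */
        return iod->completions;
    }
    queue_response(iod);  /* stands in for req->execute() completing it */
    return iod->completions;
}

/* Run one command with alloc_iod-style defaults (no data, DMA_NONE) and
 * return how many times it was completed: 1 is correct, 2 is the bug. */
int run_command(int opcode, bool fixed)
{
    struct iod iod = { opcode, 0, DMA_NONE, 0 };
    return exec_iod_work(&iod, fixed);
}
```

A unit test on a completion counter like this one is a cheap way to catch the regression the patch fixes, since the fault is a pure control-flow invariant rather than anything host-visible until the oops.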

Vulnerable products and versions

CPE                                          | From             | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.16.1 (excluding)