CVE-2026-31557

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmet: move async event work off nvmet-wq<br /> <br /> For target nvmet_ctrl_free() flushes ctrl-&gt;async_event_work.<br /> If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue<br /> completion for the same worker:-<br /> <br /> A. Async event work queued on nvmet-wq (prior to disconnect):<br /> nvmet_execute_async_event()<br /> queue_work(nvmet_wq, &amp;ctrl-&gt;async_event_work)<br /> <br /> nvmet_add_async_event()<br /> queue_work(nvmet_wq, &amp;ctrl-&gt;async_event_work)<br /> <br /> B. Full pre-work chain (RDMA CM path):<br /> nvmet_rdma_cm_handler()<br /> nvmet_rdma_queue_disconnect()<br /> __nvmet_rdma_queue_disconnect()<br /> queue_work(nvmet_wq, &amp;queue-&gt;release_work)<br /> process_one_work()<br /> lock((wq_completion)nvmet-wq) async_event_work)<br /> __flush_work()<br /> touch_wq_lockdep_map()<br /> lock((wq_completion)nvmet-wq) release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660<br /> #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530<br /> <br /> Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]<br /> Call Trace:<br /> __flush_work+0x268/0x530<br /> nvmet_ctrl_free+0x140/0x310 [nvmet]<br /> nvmet_cq_put+0x74/0x90 [nvmet]<br /> nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]<br /> nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]<br /> process_one_work+0x206/0x660<br /> worker_thread+0x184/0x320<br /> kthread+0x10c/0x240<br /> ret_from_fork+0x319/0x390<br /> <br /> Move async event work to a dedicated nvmet-aen-wq to avoid reentrant<br /> flush on nvmet-wq.