Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168 2026-04-11T12:16:33+00:00 2026-04-11T12:16:33+00:00 Ming Lei ming.lei@redhat.com 2026-04-02T13:57:21+00:00 urn:sha1:6e28bab900e40e4d610b04f9f82e01983d8fb356 [ Upstream commit b84bb7bd913d8ca2f976ee6faf4a174f91c02b8d ] When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avoid orphaning the old queue. This fixes a regression introduced by commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime"). [ Have to do analogous work in nvme_pci_alloc_admin_tag_set in pci.c due to missing upstream commit 0da7feaa5913 ("nvme-pci: use the tagset alloc/free helpers") ] Cc: Keith Busch <kbusch@kernel.org> Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime"). Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com> Closes: https://lore.kernel.org/linux-block/CAHj4cs9wv3SdPo+N01Fw2SHBYDs9tj2M_e1-GdQOkRy=DsBB1w@mail.gmail.com/ Signed-off-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:33+00:00 Keith Busch kbusch@kernel.org 2026-04-02T13:57:19+00:00 urn:sha1:4896491c497226022626c3acc46044fd182f943c [ Upstream commit 03b3bcd319b3ab5182bc9aaa0421351572c78ac0] The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one is can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: <TASK> dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60 </TASK> [ Because we're missing commit 0da7feaa5913 ("nvme-pci: use the tagset alloc/free helpers") we need to additionally remove the blk_put_queue from nvme_dev_remove_admin in pci.c to properly fix the UAF ] Reported-by: Casey Chen <cachen@purestorage.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Hannes Reinecke <hare@suse.de> Reviewed-by: Ming Lei <ming.lei@redhat.com> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:33+00:00 Christoph Hellwig hch@lst.de 2026-04-02T13:57:18+00:00 urn:sha1:550e583b7723afd708139805cb5e7e0b067c1813 [ Upstream commit 96ef1be53663a9343dffcf106e2f1b59da4b8799 ] Once the controller is shutdown no one can access the admin queue. Tear it down in nvme_dev_remove_admin, which matches the flow in the other drivers. Tested-by Gerd Bayer <gbayer@linxu.ibm.com> [ Context change due to missing commit 94cc781f69f4 ("nvme: move OPAL setup from PCIe to core")] Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:33+00:00 Christoph Hellwig hch@lst.de 2026-04-02T13:57:16+00:00 urn:sha1:f8e5803f96744d252605c23813da2ebd0e17d145 [ Upstream commit 7dcebef90d35de13a326f765dd787538880566f9 ] Now that blk_mq_destroy_queue does not release the queue reference, there is no need for a second admin queue reference to be held by the nvme_dev. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Link: https://lore.kernel.org/r/20221018135720.670094-4-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:33+00:00 Christoph Hellwig hch@lst.de 2026-04-02T13:57:15+00:00 urn:sha1:6406bec7d28e710709225eabdef933998b08bd33 [ Upstream commit 2b3f056f72e56fa07df69b4705e0b46a6c08e77c ] The fact that blk_mq_destroy_queue also drops a queue reference leads to various places having to grab an extra reference. Move the call to blk_put_queue into the callers to allow removing the extra references. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Link: https://lore.kernel.org/r/20221018135720.670094-2-hch@lst.de [axboe: fix fabrics_q vs admin_q conflict in nvme core.c] Signed-off-by: Jens Axboe <axboe@kernel.dk> Stable-dep-of: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:32+00:00 Heyne, Maximilian mheyne@amazon.de 2026-04-02T13:57:13+00:00 urn:sha1:089a6f17881a82c6c6e05f8564a867be0767eade This reverts commit ff037b5f47eeccc1636c03f84cd47db094eb73c9. The backport of upstream commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") to 6.1 is broken in 2 ways. First of all it doesn't actually fix the issue because blk_put_queue will still be called as part of blk_mq_destroy_queue in nvme_remove_admin_tag_set leading to the UAF. Second, the backport leads to a refcount underflow when unbinding a pci nvme device: refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1486 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110 Modules linked in: bochs drm_vram_helper simpledrm skx_edac_common drm_shmem_helper drm_kms_helper kvm_intel cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea drm_ttm_helper fb ttm kvm fbdev drm mousedev nls_ascii psmouse irqbypass nls_cp437 atkbd crc32_pclmul crc32c_intel libps2 vfat fat sunrpc virtio_net ata_piix vivaldi_fmap drm_panel_orientation_quirks libata backlight i2c_piix4 net_failover i8042 ghash_clmulni_intel failover serio i2c_core button sch_fq_codel CPU: 2 PID: 1486 Comm: bash Not tainted 6.1.167 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20240813-306.amzn2 08/13/2024 RIP: 0010:refcount_warn_saturate+0xba/0x110 Code: 01 01 e8 89 79 ad ff 0f 0b e9 82 f4 7e 00 80 3d 73 03 cc 01 00 75 85 48 c7 c7 e0 5d 3b 8e c6 05 63 03 cc 01 01 e8 66 79 ad ff <0f> 0b c3 cc cc cc cc 80 3d 4e 03 cc 01 00 0f 85 5e ff ff ff 48 c7 RSP: 0018:ffffd0cc011bfd18 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8ada07b33210 RCX: 0000000000000027 RDX: ffff8adb37d1f728 RSI: 0000000000000001 RDI: ffff8adb37d1f720 RBP: ffff8ada07b33000 R08: 0000000000000000 R09: 00000000fffeffff R10: ffffd0cc011bfba8 R11: ffffffff8f1781a8 R12: ffffd0cc011bfd38 R13: ffff8ada03080800 R14: ffff8ada07b33210 R15: ffff8ada07b33b10 FS: 00007f50f6964740(0000) GS:ffff8adb37d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055cdb54e6ae0 CR3: 000000010224e001 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> nvme_pci_free_ctrl+0x45/0x80 nvme_free_ctrl+0x1aa/0x2b0 device_release+0x34/0x90 kobject_cleanup+0x3a/0x130 pci_device_remove+0x3e/0xb0 device_release_driver_internal+0x1aa/0x230 unbind_store+0x11f/0x130 kernfs_fop_write_iter+0x13a/0x1d0 vfs_write+0x2a6/0x3b0 ksys_write+0x5f/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f50f66ff897 Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007fffaef903d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f50f67fd780 RCX: 00007f50f66ff897 RDX: 000000000000000d RSI: 0000557f72ef6b90 RDI: 0000000000000001 RBP: 000000000000000d R08: 0000000000000000 R09: 00007f50f67b2d20 R10: 00007f50f67b2c20 R11: 0000000000000246 R12: 000000000000000d R13: 0000557f72ef6b90 R14: 000000000000000d R15: 00007f50f67f89c0 </TASK> The reason for this is that nvme_free_ctrl calls ->free_ctrl which resolves to nvme_pci_free_ctrl in aforementioned case which also has a blk_put_queue, so the admin queue is put twice. This is because on 6.1 we're missing the commit 96ef1be53663 ("nvme-pci: put the admin queue in nvme_dev_remove_admin"). Signed-off-by: Maximilian Heyne <mheyne@amazon.de> Tested-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:03+00:00 Keith Busch kbusch@kernel.org 2026-02-10T17:26:54+00:00 urn:sha1:0685dd9cb855ab77fcf3577b4702ba1d6df1c98d [ Upstream commit 166e31d7dbf6aa44829b98aa446bda5c9580f12a ] A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue maps, which would race with the now interrupt driven queue and may cause double completions. Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Kanchan Joshi <joshi.k@samsung.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:03+00:00 Daniel Hodges hodgesd@meta.com 2026-02-01T03:08:40+00:00 urn:sha1:36504bb40b76ba8f323edb7f3662b7432bdd6cd6 [ Upstream commit 0a1fc2f301529ac75aec0ce80d5ab9d9e4dc4b16 ] The DHCHAP secrets (dhchap_secret and dhchap_ctrl_secret) contain authentication key material for NVMe-oF. Use kfree_sensitive() instead of kfree() in nvmf_free_options() to ensure secrets are zeroed before the memory is freed, preventing recovery from freed pages. Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Daniel Hodges <hodgesd@meta.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-04-11T12:16:03+00:00 Keith Busch kbusch@kernel.org 2026-02-10T19:00:12+00:00 urn:sha1:958d854829b5c0f6a8e3aff737f679b614f3cf5b [ Upstream commit 4735b510a00fb2d4ac9e8d21a8c9552cb281f585 ] If the user reduces the special queue count at runtime and resets the controller, we need to reduce the number of queues and interrupts requested accordingly rather than start with the pre-allocated queue count. Tested-by: Kanchan Joshi <joshi.k@samsung.com> Reviewed-by: Kanchan Joshi <joshi.k@samsung.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-03-25T10:03:25+00:00 Jaskaran Singh jsingh@cloudlinux.com 2026-02-23T17:24:05+00:00 urn:sha1:9610a2c162ef729a3988213a4604376e492f6f44 commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream. nvme_fc_delete_assocation() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK> Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context") Cc: stable@vger.kernel.org Tested-by: Marco Patalano <mpatalan@redhat.com> Reviewed-by: Justin Tee <justin.tee@broadcom.com> Signed-off-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jaskaran Singh <jsingh@cloudlinux.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>