ghsa-w8w5-45x4-qwqp
Vulnerability from github
Published
2025-07-04 15:31
Modified
2025-07-04 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: remove tag set when second admin queue config fails

Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotitation, and the second call is required for secure concatenation. However, this change triggered BUG KASAN slab-use-after- free in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by repeating the blktests test case nvme/063 a few times [1].

When the BUG happens, nvme_tcp_create_ctrl() fails in the call chain below:

nvme_tcp_create_ctrl() nvme_tcp_alloc_ctrl() new=true ... Alloc nvme_tcp_ctrl and admin_tag_set nvme_tcp_setup_ctrl() new=true nvme_tcp_configure_admin_queue() new=true ... Succeed nvme_alloc_admin_tag_set() ... Alloc the tag set for admin_tag_set nvme_stop_keep_alive() nvme_tcp_teardown_admin_queue() remove=false nvme_tcp_configure_admin_queue() new=false nvme_tcp_alloc_admin_queue() ... Fail, but do not call nvme_remove_admin_tag_set() nvme_uninit_ctrl() nvme_put_ctrl() ... Free up the nvme_tcp_ctrl and admin_tag_set

The first call of nvme_tcp_configure_admin_queue() succeeds with new=true argument. The second call fails with new=false argument. This second call does not call nvme_remove_admin_tag_set() on failure, due to the new=false argument. Then the admin tag set is not removed. However, nvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call nvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which has admin_tag_set field. Later on, the timeout handler accesses the admin_tag_set field and causes the BUG KASAN slab-use-after-free.

To not leave the admin tag set, call nvme_remove_admin_tag_set() when the second nvme_tcp_configure_admin_queue() call fails. Do not return from nvme_tcp_setup_ctrl() on failure. Instead, jump to "destroy_admin" go-to label to call nvme_tcp_teardown_admin_queue() which calls nvme_remove_admin_tag_set().

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38209"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T14:15:29Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: remove tag set when second admin queue config fails\n\nCommit 104d0e2f6222 (\"nvme-fabrics: reset admin connection for secure\nconcatenation\") modified nvme_tcp_setup_ctrl() to call\nnvme_tcp_configure_admin_queue() twice. The first call prepares for\nDH-CHAP negotitation, and the second call is required for secure\nconcatenation. However, this change triggered BUG KASAN slab-use-after-\nfree in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by\nrepeating the blktests test case nvme/063 a few times [1].\n\nWhen the BUG happens, nvme_tcp_create_ctrl() fails in the call chain\nbelow:\n\nnvme_tcp_create_ctrl()\n nvme_tcp_alloc_ctrl() new=true             ... Alloc nvme_tcp_ctrl and admin_tag_set\n nvme_tcp_setup_ctrl() new=true\n  nvme_tcp_configure_admin_queue() new=true ... Succeed\n   nvme_alloc_admin_tag_set()               ... Alloc the tag set for admin_tag_set\n  nvme_stop_keep_alive()\n  nvme_tcp_teardown_admin_queue() remove=false\n  nvme_tcp_configure_admin_queue() new=false\n   nvme_tcp_alloc_admin_queue()             ... Fail, but do not call nvme_remove_admin_tag_set()\n nvme_uninit_ctrl()\n nvme_put_ctrl()                            ... Free up the nvme_tcp_ctrl and admin_tag_set\n\nThe first call of nvme_tcp_configure_admin_queue() succeeds with\nnew=true argument. The second call fails with new=false argument. This\nsecond call does not call nvme_remove_admin_tag_set() on failure, due to\nthe new=false argument. Then the admin tag set is not removed. However,\nnvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call\nnvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which\nhas admin_tag_set field. Later on, the timeout handler accesses the\nadmin_tag_set field and causes the BUG KASAN slab-use-after-free.\n\nTo not leave the admin tag set, call nvme_remove_admin_tag_set() when\nthe second nvme_tcp_configure_admin_queue() call fails. Do not return\nfrom nvme_tcp_setup_ctrl() on failure. Instead, jump to \"destroy_admin\"\ngo-to label to call nvme_tcp_teardown_admin_queue() which calls\nnvme_remove_admin_tag_set().",
  "id": "GHSA-w8w5-45x4-qwqp",
  "modified": "2025-07-04T15:31:09Z",
  "published": "2025-07-04T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38209"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db1da838b6012e4570c6f81e28ffe1d0ff595948"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7143706702a209c814ed2c3fc6486c2a7decf6c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.