CVE-2026-46135

Summary

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix race between ICReq handling and queue teardown

nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.

If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.

If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.

The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.

Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.

Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 5f0b95ef68ab9afba75b20eebf436130f80c161aaffected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3affected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6affected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < dcfe4d1f7960e7d1c01642318f3aae1a604f8508affected
LinuxLinux872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 5293a8882c549fab4a878bc76b0b6c951f980a61affected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux6.6.144 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References