CVE-2026-46135
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fix race between ICReq handling and queue teardown
nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.
If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.
If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.
The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.
Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.
Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 5f0b95ef68ab9afba75b20eebf436130f80c161a | affected |
| Linux | Linux | 872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3 | affected |
| Linux | Linux | 872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6 | affected |
| Linux | Linux | 872d26a391da92ed8f0c0f5cb5fef428067b7f30 < dcfe4d1f7960e7d1c01642318f3aae1a604f8508 | affected |
| Linux | Linux | 872d26a391da92ed8f0c0f5cb5fef428067b7f30 < 5293a8882c549fab4a878bc76b0b6c951f980a61 | affected |
| Linux | Linux | 5.0 | affected |
| Linux | Linux | 0 < 5.0 | unaffected |
| Linux | Linux | 6.6.144 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.88 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.30 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.7 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/5f0b95ef68ab9afba75b20eebf436130f80c161a
- https://git.kernel.org/stable/c/49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3
- https://git.kernel.org/stable/c/67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6
- https://git.kernel.org/stable/c/dcfe4d1f7960e7d1c01642318f3aae1a604f8508
- https://git.kernel.org/stable/c/5293a8882c549fab4a878bc76b0b6c951f980a61
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.