nvme-rdma: fix possible use-after-free in transport error_recovery work

thefossguy-ciq · thefossguy-ciq · commit c3ea26a2ffc6 · 2025-07-30T16:34:47.000+05:30
jira VULN-32687 cve CVE-2022-48788 commit-author Sagi Grimberg <sagi@grimberg.me> commit b6bb172 While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. Signed-off-by: Sagi Grimberg <sagi@grimberg.me> (cherry picked from commit b6bb172) Signed-off-by: Pratham Patel <ppatel@ciq.com>
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
@@ -1060,6 +1060,7 @@ static void nvme_rdma_error_recovery_work(struct work_struct *work)
 			struct nvme_rdma_ctrl, err_work);
 
 	nvme_stop_keep_alive(&ctrl->ctrl);
+	flush_work(&ctrl->ctrl.async_event_work);
 	nvme_rdma_teardown_io_queues(ctrl, false);
 	nvme_start_queues(&ctrl->ctrl);
 	nvme_rdma_teardown_admin_queue(ctrl, false);
