Re: [PATCH 6.1.y v2 0/6] nvme: correctly fix admin request_queue lifetime

Next message: Tengda Wu: "[PATCH v2 00/16] perf arm64: Support data type profiling"
Previous message: Tengda Wu: "[PATCH v2 14/16] perf annotate-arm64: Support 'adrp' instruction to track global variables"
In reply to: Heyne, Maximilian: "[PATCH 6.1.y v2 3/6] nvme-pci: remove an extra queue reference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fedor Pchelkin

Date: Fri Apr 03 2026 - 05:52:37 EST

"Heyne, Maximilian" <mheyne@xxxxxxxxx> wrote:
> The initial attempt to backport upstream commit 03b3bcd319b3 ("nvme: fix
> admin request_queue lifetime") was not correct leading to refcount
> underflows and not even fixing the problem.
>
> I've tested the reproduction steps from [1] (adding a delay to
> nvme_submit_user_cmd and 'echo 1 | sudo tee
> /sys/class/nvme/nvme0/delete_controller') on the nvme-tcp driver which
> printed the KASAN UAF blurb.
>
> Fixing the issue in the 6.1 series requires a few dependent patches.
> This is mainly the upstream commit 2b3f056f72e5 ("blk-mq: move the call
> to blk_put_queue out of blk_mq_destroy_queue") which allows to move the
> blk_put_queue to a different location.
>
> The backport of commit 03b3bcd319b3 ("nvme: fix admin
> request_queue lifetime") needed a tweak to the nvme pci driver.
>
> Furthermore, in this patch series I've also included a follow-up fixup
> from upstream commit b84bb7bd913d ("nvme: fix admin queue leak on
> controller reset"), again with an adaption to the nvme pci driver. This
> issue could easily be reproduced by resetting the controller (no need to
> run full blktests):
>
> echo 1 > /sys/class/nvme/nvme0/reset_controller

For the series

Tested-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>

Thanks for the prompt fix.