nvmet: move async event work off nvmet-wq_CVE-2026-31557

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet: move async event work off nvmet-wq

For target nvmet_ctrl_free() flushes ctrl->async_event_work.
If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue
completion for the same worker:-

A. Async event work queued on nvmet-wq (prior to disconnect):
nvmet_execute_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)

nvmet_add_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)

B. Full pre-work chain (RDMA CM path):
nvmet_rdma_cm_handler()
nvmet_rdma_queue_disconnect()
__nvmet_rdma_queue_disconnect()
queue_work(nvmet_wq, &queue->release_work)
process_one_work()
lock((wq_completion)nvmet-wq) <--------- 1st
nvmet_rdma_release_queue_work()

C. Recursive path (same worker):
nvmet_rdma_release_queue_work()
nvmet_rdma_free_queue()
nvmet_sq_destroy()
nvmet_ctrl_put()
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work)
__flush_work()
touch_wq_lockdep_map()
lock((wq_completion)nvmet-wq) <--------- 2nd

Lockdep splat:

============================================
WARNING: possible recursive locking detected
6.19.0-rc3nvme+ #14 Tainted: G N
--------------------------------------------
kworker/u192:42/44933 is trying to acquire lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90

but task is already holding lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660

3 locks held by kworker/u192:42/44933:
#0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
#1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
#2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530

Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
Call Trace:
__flush_work+0x268/0x530
nvmet_ctrl_free+0x140/0x310 [nvmet]
nvmet_cq_put+0x74/0x90 [nvmet]
nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
process_one_work+0x206/0x660
worker_thread+0x184/0x320
kthread+0x10c/0x240
ret_from_fork+0x319/0x390

Move async event work to a dedicated nvmet-aen-wq to avoid reentrant
flush on nvmet-wq.

Basic Information

ID CVE-2026-31557

Source Linux

Published Apr 24, 2026 at 14:35

Modified Apr 27, 2026 at 14:04

Affected Product

Vendor Linux

Product Linux

Version 8832cf922151e9dfa2821736beb0ae2dd3968b6e

Affected Versions Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e
Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e
Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e
Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e
Linux Linux d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9
Linux Linux 84026f8c9357c62a9d3e4c554ffd10ccab813654
Linux Linux 5.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl->async_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n  nvmet_execute_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\n  nvmet_add_async_event()\n     queue_work(nvmet_wq, &ctrl->async_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n  nvmet_rdma_cm_handler()\n     nvmet_rdma_queue_disconnect()\n       __nvmet_rdma_queue_disconnect()\n         queue_work(nvmet_wq, &queue->release_work)\n           process_one_work()\n             lock((wq_completion)nvmet-wq)  <--------- 1st\n             nvmet_rdma_release_queue_work()\n\nC. Recursive path (same worker):\n  nvmet_rdma_release_queue_work()\n     nvmet_rdma_free_queue()\n       nvmet_sq_destroy()\n         nvmet_ctrl_put()\n           nvmet_ctrl_free()\n             flush_work(&ctrl->async_event_work)\n               __flush_work()\n                 touch_wq_lockdep_map()\n                 lock((wq_completion)nvmet-wq) <--------- 2nd\n\nLockdep splat:\n\n  ============================================\n  WARNING: possible recursive locking detected\n  6.19.0-rc3nvme+ #14 Tainted: G                 N\n  --------------------------------------------\n  kworker/u192:42/44933 is trying to acquire lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n  but task is already holding lock:\n  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n  3 locks held by kworker/u192:42/44933:\n   #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n   #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n   #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n  Call Trace:\n   __flush_work+0x268/0x530\n   nvmet_ctrl_free+0x140/0x310 [nvmet]\n   nvmet_cq_put+0x74/0x90 [nvmet]\n   nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n   nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n   process_one_work+0x206/0x660\n   worker_thread+0x184/0x320\n   kthread+0x10c/0x240\n   ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq.",
    "published": "2026-04-24T14:35:40.544Z",
    "modified": "2026-04-27T14:04:03.623Z",
    "type": "cve",
    "title": "nvmet: move async event work off nvmet-wq",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa\nhttps://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1\nhttps://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87\nhttps://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e",
    "id": "CVE-2026-31557",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\nLinux Linux d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9\nLinux Linux 84026f8c9357c62a9d3e4c554ffd10ccab813654\nLinux Linux 5.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply