{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: move async event work off nvmet-wq\\n\\nFor target nvmet_ctrl_free() flushes ctrl-\\u003easync_event_work.\\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\\ncompletion for the same worker:-\\n\\nA. Async event work queued on nvmet-wq (prior to disconnect):\\n nvmet_execute_async_event()\\n queue_work(nvmet_wq, \\u0026ctrl-\\u003easync_event_work)\\n\\n nvmet_add_async_event()\\n queue_work(nvmet_wq, \\u0026ctrl-\\u003easync_event_work)\\n\\nB. Full pre-work chain (RDMA CM path):\\n nvmet_rdma_cm_handler()\\n nvmet_rdma_queue_disconnect()\\n __nvmet_rdma_queue_disconnect()\\n queue_work(nvmet_wq, \\u0026queue-\\u003erelease_work)\\n process_one_work()\\n lock((wq_completion)nvmet-wq) \\u003c——— 1st\\n nvmet_rdma_release_queue_work()\\n\\nC. Recursive path (same worker):\\n nvmet_rdma_release_queue_work()\\n nvmet_rdma_free_queue()\\n nvmet_sq_destroy()\\n nvmet_ctrl_put()\\n nvmet_ctrl_free()\\n flush_work(\\u0026ctrl-\\u003easync_event_work)\\n __flush_work()\\n touch_wq_lockdep_map()\\n lock((wq_completion)nvmet-wq) \\u003c——— 2nd\\n\\nLockdep splat:\\n\\n ============================================\\n WARNING: possible recursive locking detected\\n 6.19.0-rc3nvme+ #14 Tainted: G N\\n ——————————————–\\n kworker\/u192:42\/44933 is trying to acquire lock:\\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26\/0x90\\n\\n but task is already holding lock:\\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e\/0x660\\n\\n 3 locks held by kworker\/u192:42\/44933:\\n #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e\/0x660\\n #1: ffffc9000e6cbe28 ((work_completion)(\\u0026queue-\\u003erelease_work)){+.+.}-{0:0}, at: process_one_work+0x1c5\/0x660\\n #2: ffffffff82d4db60 (rcu_read_lock){….}-{1:3}, at: __flush_work+0x62\/0x530\\n\\n Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\\n Call Trace:\\n __flush_work+0x268\/0x530\\n nvmet_ctrl_free+0x140\/0x310 [nvmet]\\n nvmet_cq_put+0x74\/0x90 [nvmet]\\n nvmet_rdma_free_queue+0x23\/0xe0 [nvmet_rdma]\\n nvmet_rdma_release_queue_work+0x19\/0x50 [nvmet_rdma]\\n process_one_work+0x206\/0x660\\n worker_thread+0x184\/0x320\\n kthread+0x10c\/0x240\\n ret_from_fork+0x319\/0x390\\n\\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\\nflush on nvmet-wq.”,”published”:”2026-04-24T14:35:40.544Z”,”modified”:”2026-04-27T14:04:03.623Z”,”type”:”cve”,”title”:”nvmet: move async event work off nvmet-wq”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/49c7c50ee6325a084216e94395e067ecde8088fa\\nhttps:\/\/git.kernel.org\/stable\/c\/ca111c9d8d6c9d5735878d933a1716c4be86c2d1\\nhttps:\/\/git.kernel.org\/stable\/c\/25ceffc1dabec3b93f458b437aae26f4da293f87\\nhttps:\/\/git.kernel.org\/stable\/c\/2922e3507f6d5caa7f1d07f145e186fc6f317a4e”,”id”:”CVE-2026-31557″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\\nLinux Linux 8832cf922151e9dfa2821736beb0ae2dd3968b6e\\nLinux Linux d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9\\nLinux Linux 84026f8c9357c62a9d3e4c554ffd10ccab813654\\nLinux Linux 5.18″,”sourceHref”:””,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”8832cf922151e9dfa2821736beb0ae2dd3968b6e”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvmet: move async event work off nvmet-wq\\n\\nFor target nvmet_ctrl_free() flushes ctrl-\\u003easync_event_work.\\nIf nvmet_ctrl_free() runs on nvmet-wq, the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,16,12,15,13,7,11,5],"class_list":["post-49570","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n