In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: remove tag set when second admin queue config fails
Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotiation, and the second call is required for secure concatenation. However, this change triggered a BUG: KASAN: slab-use-after-free in blk_mq_queue_tag_busy_iter(). The BUG can be recreated by repeating the blktests test case nvme/063 a few times [1].
When the BUG happens, nvme_tcp_create_ctrl() fails in the call chain below:

nvme_tcp_create_ctrl()
  nvme_tcp_alloc_ctrl() new=true                 ... Alloc nvme_tcp_ctrl and admin_tag_set
  nvme_tcp_setup_ctrl() new=true
    nvme_tcp_configure_admin_queue() new=true    ... Succeed
      nvme_alloc_admin_tag_set()                 ... Alloc the tag set for admin_tag_set
    nvme_stop_keep_alive()
    nvme_tcp_teardown_admin_queue() remove=false
    nvme_tcp_configure_admin_queue() new=false
      nvme_tcp_alloc_admin_queue()               ... Fail, but do not call nvme_remove_admin_tag_set()
  nvme_uninit_ctrl()
  nvme_put_ctrl()                                ... Free up the nvme_tcp_ctrl and admin_tag_set
The first call of nvme_tcp_configure_admin_queue() succeeds with the new=true argument. The second call fails with the new=false argument. This second call does not call nvme_remove_admin_tag_set() on failure, due to the new=false argument, so the admin tag set is not removed. However, nvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would have called nvme_remove_admin_tag_set(), and frees up struct nvme_tcp_ctrl, which contains the admin_tag_set field. Later on, the timeout handler accesses the admin_tag_set field and causes the BUG: KASAN: slab-use-after-free.
To not leave the admin tag set behind, call nvme_remove_admin_tag_set() when the second nvme_tcp_configure_admin_queue() call fails. Do not return from nvme_tcp_setup_ctrl() directly on that failure. Instead, jump to the "destroy_admin" goto label, which calls nvme_tcp_teardown_admin_queue() and thereby nvme_remove_admin_tag_set().
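The ownership mistake and the fix, as a constructed C model added here (not the nvme-tcp code): the function names are stand-ins for the kernel ones, fail_queue models nvme_tcp_alloc_admin_queue() failing inside the second configure call, and tag_set_leaked() reports whether the tag set would still be alive when the controller struct is freed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed model of the admin tag set ownership bug; the names are
 * stand-ins for the kernel functions, not the nvme-tcp code itself. */
struct tag_set { int unused; };
struct ctrl { struct tag_set *admin_tag_set; };

static int alloc_admin_tag_set(struct ctrl *c)
{
	c->admin_tag_set = calloc(1, sizeof(*c->admin_tag_set));
	return c->admin_tag_set ? 0 : -ENOMEM;
}

static void remove_admin_tag_set(struct ctrl *c)
{
	free(c->admin_tag_set);
	c->admin_tag_set = NULL;
}

/* new_ctrl=true also allocates the tag set. fail_queue models the queue
 * allocation failing, which happens before any tag set work, so the
 * function neither allocates nor removes a tag set in that case. */
static int configure_admin_queue(struct ctrl *c, bool new_ctrl, bool fail_queue)
{
	if (fail_queue)
		return -EIO;
	return new_ctrl ? alloc_admin_tag_set(c) : 0;
}

static void teardown_admin_queue(struct ctrl *c, bool remove)
{
	if (remove)
		remove_admin_tag_set(c);
}

/* Runs the two-call setup with the second call failing. Returns true when
 * the tag set is still allocated afterwards, i.e. when freeing the ctrl
 * would leave a dangling admin_tag_set for the timeout handler to touch. */
static bool tag_set_leaked(bool fixed)
{
	struct ctrl c = { 0 };
	if (configure_admin_queue(&c, true, false))   /* first call: DH-CHAP, succeeds */
		return false;
	teardown_admin_queue(&c, false);              /* remove=false keeps the tag set */
	int ret = configure_admin_queue(&c, false, true); /* second call fails */
	if (ret && fixed)
		teardown_admin_queue(&c, true);           /* destroy_admin: remove=new (true) */
	bool leaked = c.admin_tag_set != NULL;        /* buggy path returned early: leaked */
	free(c.admin_tag_set);                        /* cleanup of the model only */
	return leaked;
}
```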
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38209.json"
}