CVE-2026-31557 (GCVE-0-2026-31557)
Vulnerability from cvelistv5
Published
2026-04-24 14:35
Modified
2026-04-27 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: move async event work off nvmet-wq
For target nvmet_ctrl_free() flushes ctrl->async_event_work.
If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue
completion for the same worker:-
A. Async event work queued on nvmet-wq (prior to disconnect):
nvmet_execute_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)
nvmet_add_async_event()
queue_work(nvmet_wq, &ctrl->async_event_work)
B. Full pre-work chain (RDMA CM path):
nvmet_rdma_cm_handler()
nvmet_rdma_queue_disconnect()
__nvmet_rdma_queue_disconnect()
queue_work(nvmet_wq, &queue->release_work)
process_one_work()
lock((wq_completion)nvmet-wq) <--------- 1st
nvmet_rdma_release_queue_work()
C. Recursive path (same worker):
nvmet_rdma_release_queue_work()
nvmet_rdma_free_queue()
nvmet_sq_destroy()
nvmet_ctrl_put()
nvmet_ctrl_free()
flush_work(&ctrl->async_event_work)
__flush_work()
touch_wq_lockdep_map()
lock((wq_completion)nvmet-wq) <--------- 2nd
Lockdep splat:
============================================
WARNING: possible recursive locking detected
6.19.0-rc3nvme+ #14 Tainted: G N
--------------------------------------------
kworker/u192:42/44933 is trying to acquire lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
but task is already holding lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
3 locks held by kworker/u192:42/44933:
#0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
#1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
#2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
Call Trace:
__flush_work+0x268/0x530
nvmet_ctrl_free+0x140/0x310 [nvmet]
nvmet_cq_put+0x74/0x90 [nvmet]
nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
process_one_work+0x206/0x660
worker_thread+0x184/0x320
kthread+0x10c/0x240
ret_from_fork+0x319/0x390
Move async event work to a dedicated nvmet-aen-wq to avoid reentrant
flush on nvmet-wq.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8832cf922151e9dfa2821736beb0ae2dd3968b6e Version: 8832cf922151e9dfa2821736beb0ae2dd3968b6e Version: 8832cf922151e9dfa2821736beb0ae2dd3968b6e Version: 8832cf922151e9dfa2821736beb0ae2dd3968b6e Version: d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9 Version: 84026f8c9357c62a9d3e4c554ffd10ccab813654 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/admin-cmd.c",
"drivers/nvme/target/core.c",
"drivers/nvme/target/nvmet.h",
"drivers/nvme/target/rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49c7c50ee6325a084216e94395e067ecde8088fa",
"status": "affected",
"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e",
"versionType": "git"
},
{
"lessThan": "ca111c9d8d6c9d5735878d933a1716c4be86c2d1",
"status": "affected",
"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e",
"versionType": "git"
},
{
"lessThan": "25ceffc1dabec3b93f458b437aae26f4da293f87",
"status": "affected",
"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e",
"versionType": "git"
},
{
"lessThan": "2922e3507f6d5caa7f1d07f145e186fc6f317a4e",
"status": "affected",
"version": "8832cf922151e9dfa2821736beb0ae2dd3968b6e",
"versionType": "git"
},
{
"status": "affected",
"version": "d44ff3b100b94e9f23b1e8dbe688eee9bb867ac9",
"versionType": "git"
},
{
"status": "affected",
"version": "84026f8c9357c62a9d3e4c554ffd10ccab813654",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/admin-cmd.c",
"drivers/nvme/target/core.c",
"drivers/nvme/target/nvmet.h",
"drivers/nvme/target/rdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: move async event work off nvmet-wq\n\nFor target nvmet_ctrl_free() flushes ctrl-\u003easync_event_work.\nIf nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue\ncompletion for the same worker:-\n\nA. Async event work queued on nvmet-wq (prior to disconnect):\n nvmet_execute_async_event()\n queue_work(nvmet_wq, \u0026ctrl-\u003easync_event_work)\n\n nvmet_add_async_event()\n queue_work(nvmet_wq, \u0026ctrl-\u003easync_event_work)\n\nB. Full pre-work chain (RDMA CM path):\n nvmet_rdma_cm_handler()\n nvmet_rdma_queue_disconnect()\n __nvmet_rdma_queue_disconnect()\n queue_work(nvmet_wq, \u0026queue-\u003erelease_work)\n process_one_work()\n lock((wq_completion)nvmet-wq) \u003c--------- 1st\n nvmet_rdma_release_queue_work()\n\nC. Recursive path (same worker):\n nvmet_rdma_release_queue_work()\n nvmet_rdma_free_queue()\n nvmet_sq_destroy()\n nvmet_ctrl_put()\n nvmet_ctrl_free()\n flush_work(\u0026ctrl-\u003easync_event_work)\n __flush_work()\n touch_wq_lockdep_map()\n lock((wq_completion)nvmet-wq) \u003c--------- 2nd\n\nLockdep splat:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.19.0-rc3nvme+ #14 Tainted: G N\n --------------------------------------------\n kworker/u192:42/44933 is trying to acquire lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90\n\n but task is already holding lock:\n ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n\n 3 locks held by kworker/u192:42/44933:\n #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660\n #1: ffffc9000e6cbe28 ((work_completion)(\u0026queue-\u003erelease_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660\n #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530\n\n Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]\n Call Trace:\n __flush_work+0x268/0x530\n nvmet_ctrl_free+0x140/0x310 [nvmet]\n nvmet_cq_put+0x74/0x90 [nvmet]\n nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]\n nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]\n process_one_work+0x206/0x660\n worker_thread+0x184/0x320\n kthread+0x10c/0x240\n ret_from_fork+0x319/0x390\n\nMove async event work to a dedicated nvmet-aen-wq to avoid reentrant\nflush on nvmet-wq."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:03.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49c7c50ee6325a084216e94395e067ecde8088fa"
},
{
"url": "https://git.kernel.org/stable/c/ca111c9d8d6c9d5735878d933a1716c4be86c2d1"
},
{
"url": "https://git.kernel.org/stable/c/25ceffc1dabec3b93f458b437aae26f4da293f87"
},
{
"url": "https://git.kernel.org/stable/c/2922e3507f6d5caa7f1d07f145e186fc6f317a4e"
}
],
"title": "nvmet: move async event work off nvmet-wq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31557",
"datePublished": "2026-04-24T14:35:40.544Z",
"dateReserved": "2026-03-09T15:48:24.116Z",
"dateUpdated": "2026-04-27T14:04:03.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…