Description
In the Linux kernel, the following vulnerability has been resolved: nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the final controller reference through nvmet_cq_put(). If that triggers nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on the same nvmet-wq. Call chain: nvmet_tcp_schedule_release_queue() kref_put(&queue->kref, nvmet_tcp_release_queue) nvmet_tcp_release_queue() queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq process_one_work() nvmet_tcp_release_queue_work() nvmet_cq_put(&queue->nvme_cq) nvmet_cq_destroy() nvmet_ctrl_put(cq->ctrl) nvmet_ctrl_free() flush_work(&ctrl->async_event_work) <--- nvmet_wq Previously Scheduled by :- nvmet_add_async_event queue_work(nvmet_wq, &ctrl->async_event_work); This trips lockdep with a possible recursive locking warning. [ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55 [ 5223.061801] loop0: detected capacity change from 0 to 2097152 [ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1 [ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420) [ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349. [ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 [ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery" [ 5233.227718] ============================================ [ 5233.231283] WARNING: possible recursive locking detected [ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N [ 5233.238434] -------------------------------------------- [ 5233.241852] kworker/u192:6/2413 is trying to acquire lock: [ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 [ 5233.251438] but task is already holding lock: [ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.261125] other info that might help us debug this: [ 5233.265333] Possible unsafe locking scenario: [ 5233.269217] CPU0 [ 5233.270795] ---- [ 5233.272436] lock((wq_completion)nvmet-wq); [ 5233.275241] lock((wq_completion)nvmet-wq); [ 5233.278020] *** DEADLOCK *** [ 5233.281793] May be due to missing lock nesting notation [ 5233.286195] 3 locks held by kworker/u192:6/2413: [ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0 [ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 [ 5233.304290] stack backtrace: [ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full) [ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST [ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp] [ 5233.306532] Call Trace: [ 5233.306534] <TASK> [ 5233.306536] dump_stack_lvl+0x73/0xb0 [ 5233.306552] print_deadlock_bug+0x225/0x2f0 [ 5233.306556] __lock_acquire+0x13f0/0x2290 [ 5233.306563] lock_acquire+0xd0/0x300 [ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306571] ? __flush_work+0x20b/0x530 [ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306577] touch_wq_lockdep_map+0x3b/0x90 [ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90 [ 52 ---truncated---
Product status
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before ae5b0cad163833e10b271e9becc05d81dae56e5f
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before 8d66ba89480ff098a58d79003a505f383aa4e920
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before a696fbbd5240b4ac9b166f7bd4c550882ff543f1
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before 9a4d7222c0955b221e38bb66d10e6bccb672c8a1
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before ee6e20c4bc9eae542a0954a368449532383169d4
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before 781f47d641432c26c19625b2cdd7f40825097592
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before 551f445a56a11a6457550cddcf39c9ebb8bcacc6
06406d81a2d7cfb8abcc4fa6cdfeb8e5897007c5 (git) before aade8abd8b868b6ffa9697aadaea28ec7f65bee6
3976dd677e891c0b2c63d08028d445663539472c (git)
4.9.68 (semver) before 4.10
4.10
Any version before 4.10
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.140 (semver)
6.12.88 (semver)
6.18.30 (semver)
7.0.7 (semver)
7.1-rc2 (original_commit_for_fix)
References
git.kernel.org/...c/ae5b0cad163833e10b271e9becc05d81dae56e5f
git.kernel.org/...c/8d66ba89480ff098a58d79003a505f383aa4e920
git.kernel.org/...c/a696fbbd5240b4ac9b166f7bd4c550882ff543f1
git.kernel.org/...c/9a4d7222c0955b221e38bb66d10e6bccb672c8a1
git.kernel.org/...c/ee6e20c4bc9eae542a0954a368449532383169d4
git.kernel.org/...c/781f47d641432c26c19625b2cdd7f40825097592
git.kernel.org/...c/551f445a56a11a6457550cddcf39c9ebb8bcacc6
git.kernel.org/...c/aade8abd8b868b6ffa9697aadaea28ec7f65bee6