{"id":"CVE-2024-42152","summary":"nvmet: fix a possible leak when destroy a ctrl during qp establishment","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq-\u003ectrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl-\u003esqs and sq-\u003ectrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq-\u003eref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq-\u003ectrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq-\u003ectrl after all inflight request has\ncompleted, where for sure sq-\u003ectrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simultaneously, creating a delay in allocating a ctrl\nleading up to this race window.","modified":"2026-04-16T00:06:04.308790119Z","published":"2024-07-30T07:46:44.795Z","related":["ALSA-2024:5928","ALSA-2024:7000","ALSA-2024:7001","SUSE-SU-2024:3190-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3209-1","SUSE-SU-2024:3383-1","SUSE-SU-2024:3483-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42152.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33"},{"type":"WEB","url":"https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42152.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42152"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0f5be6a4ff7b3f8bf3db15f904e3e76797a43d9a"},{"fixed":"2f3c22b1d3d7e86712253244797a651998c141fa"},{"fixed":"b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5"},{"fixed":"940a71f08ef153ef807f751310b0648d1fa5d0da"},{"fixed":"5502c1f1d0d7472706cc1f201aecf1c935d302d1"},{"fixed":"818004f2a380420c19872171be716174d4985e33"},{"fixed":"c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42152.json"}}],"schema_version":"1.7.5"}