{"id":"CVE-2022-48790","summary":"nvme: fix a possible use-after-free in controller reset during load","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix a possible use-after-free in controller reset during load\n\nUnlike .queue_rq, in .submit_async_event drivers may not check the ctrl\nreadiness for AER submission. This may lead to a use-after-free\ncondition that was observed with nvme-tcp.\n\nThe race condition may happen in the following scenario:\n1. driver executes its reset_ctrl_work\n2. -\u003e nvme_stop_ctrl - flushes ctrl async_event_work\n3. ctrl sends AEN which is received by the host, which in turn\n   schedules AEN handling\n4. teardown admin queue (which releases the queue socket)\n5. AEN processed, submits another AER, calling the driver to submit\n6. driver attempts to send the cmd\n==\u003e use-after-free\n\nIn order to fix that, add ctrl state check to validate the ctrl\nis actually able to accept the AER submission.\n\nThis addresses the above race in controller resets because the driver\nduring teardown should:\n1. change ctrl state to RESETTING\n2. flush async_event_work (as well as other async work elements)\n\nSo after 1,2, any other AER command will find the\nctrl state to be RESETTING and bail out without submitting the AER.","modified":"2026-04-02T08:27:00.753318Z","published":"2024-07-16T11:43:46.556Z","related":["SUSE-SU-2024:2894-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3225-1","SUSE-SU-2024:3249-1","SUSE-SU-2024:3559-1","SUSE-SU-2024:3566-1","SUSE-SU-2024:3591-1","SUSE-SU-2024:4100-1","SUSE-SU-2025:0034-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48790.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ead57ceb21bbf15963b4874c2ac67143455382f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0fa0f99fc84e41057cbdd2efbfe91c6b2f47dd9d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/70356b756a58704e5c8818cb09da5854af87e765"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e956a2596ae276124ef0d96829c013dd0faf861"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a25e460fbb0340488d119fb2e28fe3f829b7417e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e043fb5a0336ee74614e26f0d9f36f1f5bb6d606"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48790.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48790"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ad22c355b707a8d8d48e282aadc01c0b0604b2e9"},{"fixed":"a25e460fbb0340488d119fb2e28fe3f829b7417e"},{"fixed":"70356b756a58704e5c8818cb09da5854af87e765"},{"fixed":"0ead57ceb21bbf15963b4874c2ac67143455382f"},{"fixed":"e043fb5a0336ee74614e26f0d9f36f1f5bb6d606"},{"fixed":"9e956a2596ae276124ef0d96829c013dd0faf861"},{"fixed":"0fa0f99fc84e41057cbdd2efbfe91c6b2f47dd9d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48790.json"}}],"schema_version":"1.7.5"}