Linux Kernel NVMe Namespace Management Vulnerability Leading to General Protection Fault

Vulnerability

A bug in the Linux kernel's NVMe host driver can crash the kernel when a namespace is disabled. Each namespace carries a per-CPU reference counter that tracks pending I/O; that counter must reach zero before it is safe to disable the namespace and tear down its I/O queue. If the namespace is disabled while the counter is still non-zero, I/O that was already submitted completes against a queue that has been dismantled, and the kernel reports a general protection fault (in the kernel's own wording, "probably for non-canonical address"). The crash was observed on Linux 6.13.0-rc6.

Impact

Disabling an NVMe namespace while I/O against it is still pending causes a general protection fault and therefore a kernel crash: a denial of service for the whole host, not merely the one namespace. Triggering it requires the ability to make a namespace go away while I/O is in flight (for example by removing or remapping the namespace on the target or controller); the page does not describe any consequence beyond the crash.

Reproduction

The crash can be reproduced with the blktests NVMe suite, test nvme/058 (run as `./check nvme/058` from a blktests checkout, as root). The test disables and remaps namespaces while I/O is in flight, so with an affected kernel the pending I/O hits the already-dismantled queue and the general protection fault appears in the kernel log.

Remediation

Run a kernel that carries the upstream fix. The fix makes namespace teardown wait for the per-CPU reference counter to drop to zero before the namespace is disabled and its queue is torn down: no new I/O may take a reference once teardown has begun, and the I/O that already holds one is allowed to complete against a live queue. Until the fix is deployed, avoid removing or remapping namespaces on a controller that is still serving I/O.
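The following is an added userspace model of the pattern described in the Vulnerability and Remediation sections; it is not the NVMe driver's code, and every name in it is hypothetical. It mirrors the kernel's percpu_ref usage (percpu_ref_tryget_live() on submission, percpu_ref_put() on completion, percpu_ref_kill() followed by a wait for zero on teardown) with plain C11 atomics, and contrasts a teardown that dismantles the queue while references are outstanding with one that drains first. Completing an I/O against a torn-down queue returns -EFAULT here, standing in for the general protection fault.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the kernel's percpu_ref teardown gate (not driver
 * code; names are hypothetical).  inflight plays the per-CPU counter.
 */
struct ns_model {
	atomic_long inflight;	/* references held by pending I/O */
	atomic_bool killed;	/* no new references once teardown began */
	bool queue_alive;	/* I/O queue not yet dismantled */
	long completed;		/* I/Os completed against a live queue */
};

void ns_init(struct ns_model *ns)
{
	atomic_init(&ns->inflight, 0);
	atomic_init(&ns->killed, false);
	ns->queue_alive = true;
	ns->completed = 0;
}

/* Take a reference only while live (percpu_ref_tryget_live). */
static bool ns_tryget_live(struct ns_model *ns)
{
	if (atomic_load(&ns->killed))
		return false;
	atomic_fetch_add(&ns->inflight, 1);
	/* Re-check after the increment so a concurrent kill lets nothing through. */
	if (atomic_load(&ns->killed)) {
		atomic_fetch_sub(&ns->inflight, 1);
		return false;
	}
	return true;
}

/* Submission: the reference is what keeps the queue alive until completion. */
int ns_submit_io(struct ns_model *ns)
{
	return ns_tryget_live(ns) ? 0 : -ENODEV;
}

/* Completion: finishing against a dismantled queue stands in for the GPF. */
int ns_complete_io(struct ns_model *ns)
{
	if (atomic_load(&ns->inflight) == 0)
		return -EINVAL;			/* nothing pending */
	if (!ns->queue_alive)
		return -EFAULT;			/* queue already torn down */
	ns->completed++;
	atomic_fetch_sub(&ns->inflight, 1);	/* percpu_ref_put() */
	return 0;
}

/* Buggy teardown: dismantles the queue while I/O still holds references. */
void ns_disable_buggy(struct ns_model *ns)
{
	atomic_store(&ns->killed, true);
	ns->queue_alive = false;
}

/*
 * Correct teardown: kill the ref so no new I/O starts, let pending I/O
 * finish against the live queue, then dismantle.  The kernel waits
 * passively for completions; this single-threaded model drives them.
 */
void ns_disable_safe(struct ns_model *ns)
{
	atomic_store(&ns->killed, true);		/* percpu_ref_kill() */
	while (atomic_load(&ns->inflight) != 0)		/* wait for zero */
		ns_complete_io(ns);
	ns->queue_alive = false;
}

struct outcome {
	int late_io_rc;		/* completing an I/O left pending across teardown */
	int new_io_rc;		/* submitting after teardown */
	long completed;
};

/* The page's scenario: one I/O pending when the namespace is disabled. */
struct outcome run_scenario(bool safe_teardown)
{
	struct ns_model ns;
	struct outcome o;

	ns_init(&ns);
	ns_submit_io(&ns);			/* pending I/O takes a reference */
	if (safe_teardown)
		ns_disable_safe(&ns);
	else
		ns_disable_buggy(&ns);
	/* Whatever is still in flight now completes against what is left. */
	o.late_io_rc = atomic_load(&ns.inflight) != 0 ? ns_complete_io(&ns) : 0;
	o.new_io_rc = ns_submit_io(&ns);	/* rejected either way */
	o.completed = ns.completed;
	return o;
}

int main(void)
{
	struct outcome b = run_scenario(false), s = run_scenario(true);

	printf("buggy: late completion rc=%d, completed=%ld\n", b.late_io_rc, b.completed);
	printf("safe:  late completion rc=%d, completed=%ld, new submit rc=%d\n",
	       s.late_io_rc, s.completed, s.new_io_rc);
	return 0;
}
```

The re-check inside ns_tryget_live() is the part that makes the gate sound: without it, an I/O that observed killed == false just before teardown flipped the flag could take a reference after the drain loop has already seen zero.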

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         9.0
impact:         2.5
exploitability: 3.9
remediation:    0.0
relevance:      0.0
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.