Linux Kernel NVMe PCI Polled Queue Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's NVMe over PCI driver can lead to improper queue polling, potentially causing double completion of tasks. This issue arises because a user can modify the polled queue count at runtime. During a reset, there is a short window where a high-priority task might attempt to poll the queue before the block layer has refreshed the queue mappings. This can conflict with the now interrupt-driven queue, leading to double completions.
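The window described above can be replayed deterministically in a small userspace model. This is an added example, not kernel code and not the upstream patch; the structures, the function names and the `check_polled` guard are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model (assumption): one completion queue holding a
 * single pending entry, and a request that counts its own completions. */
struct req { int completions; };
struct cq {
    bool polled;          /* true while the queue is configured for polling */
    int head, tail;       /* entries in [head, tail) are pending */
    struct req *slot[4];
};

/* A reaper first observes a pending entry and completes it afterwards; the
 * gap between the two steps is where the IRQ path and a poller overlap. */
static int observe(const struct cq *q) { return q->head < q->tail ? q->head : -1; }

static void complete(struct cq *q, int idx) {
    if (idx < 0) return;              /* nothing was observed */
    q->slot[idx]->completions++;
    q->head = idx + 1;
}

/* Poll entry point. With check_polled set (hypothetical guard), a queue that
 * is no longer polled is refused, so only the interrupt path reaps it. */
static int poll_observe(const struct cq *q, bool check_polled) {
    if (check_polled && !q->polled) return -1;
    return observe(q);
}

/* Replays the reset window: the queue has just become interrupt driven, but
 * a stale queue map still sends a high-priority poller to it. */
int run_reset_window(bool check_polled) {
    struct req r = {0};
    struct cq q = { .polled = true, .head = 0, .tail = 1, .slot = { &r } };
    q.polled = false;                               /* reset: now IRQ driven */
    int irq_idx  = observe(&q);                     /* IRQ handler sees entry 0 */
    int poll_idx = poll_observe(&q, check_polled);  /* stale-map poller arrives */
    complete(&q, irq_idx);
    complete(&q, poll_idx);
    return r.completions;                           /* 1 is correct, 2 is a double completion */
}

int main(void) {
    printf("unguarded poll: %d completion(s)\n", run_reset_window(false));
    printf("guarded poll:   %d completion(s)\n", run_reset_window(true));
    return 0;
}
```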

Impact

The vulnerability could cause double completions in the NVMe queue processing, which may disrupt the expected behavior of I/O operations and potentially lead to data corruption or other unintended consequences.

Reproduction

The vulnerability can be reproduced by changing the polled queue count at runtime while a high-priority task is polling the queue. This can be done by initiating a reset process that temporarily disrupts the normal queue management, allowing the task to interfere with the queue polling before the block layer has updated the queue maps.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Apr 22, 2026, 2:37 PM
Updated: Apr 22, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.