Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Linux kernel's NVMe target component. This issue arises from improper management of asynchronous event work within the NVMe over Fabrics (NVMe-oF) RDMA connection manager. When the NVMe controller is freed, it flushes its asynchronous event work. If this flush occurs on the default NVMe workqueue, it can lead to a recursive locking situation. The vulnerability is present in Linux kernel versions prior to 6.19.0-rc3.
Exploitation of this vulnerability can cause a deadlock in which a worker thread is stuck waiting for a lock that it cannot acquire, effectively halting progress in the workqueue.
The vulnerability can be reproduced by queuing asynchronous event work on the NVMe workqueue, then initiating a disconnect process that triggers a flush of the queued work. This flush re-enters the workqueue completion process for the same worker, causing a recursive locking issue.
The vulnerability has been addressed by moving the asynchronous event work to a dedicated workqueue, preventing the reentrant flush on the default NVMe workqueue. Users should upgrade to the latest version of the Linux kernel where this fix has been implemented.
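The reentrant flush and the effect of the fix can be seen in a simplified userspace model. This is an added example, not kernel code and not the upstream patch. It assumes each workqueue has a single lock class that a worker holds while running an item and that a flush of work on that queue must also take; all names in it are hypothetical.

```c
#include <stdio.h>
/* Simplified userspace model, not kernel code. Assumption: each workqueue has
 * one lock class, held while a worker runs an item from that queue and also
 * needed by anyone flushing work queued on it. All names are hypothetical. */
struct wq { const char *name; };
struct work { struct wq *queued_on; int pending; };

static struct wq *held[8];  /* lock classes held by the current worker */
static int nheld;

/* Returns 0 on success, -1 if the class is already held (recursive locking). */
static int acquire(struct wq *q)
{
    for (int i = 0; i < nheld; i++)
        if (held[i] == q)
            return -1;
    held[nheld++] = q;
    return 0;
}

/* Flush: wait for a pending item, which needs the lock class of its queue. */
static int flush_work_model(struct work *w)
{
    if (!w->pending)
        return 0;
    if (acquire(w->queued_on) < 0)
        return -1;          /* a real worker would block here and never wake */
    w->pending = 0;
    nheld--;
    return 0;
}

/* Controller free runs as an item on free_wq and flushes the async event
 * work, which was queued on async_wq. */
static int ctrl_free_model(struct wq *free_wq, struct wq *async_wq)
{
    struct work async_event = { async_wq, 1 };
    nheld = 0;
    acquire(free_wq);       /* worker enters the item */
    int ret = flush_work_model(&async_event);
    nheld--;
    return ret;
}

int main(void)
{
    struct wq shared = { "default NVMe workqueue" }, dedicated = { "dedicated workqueue" };
    printf("async work on %s: %d\n", shared.name, ctrl_free_model(&shared, &shared));
    printf("async work on %s: %d\n", dedicated.name, ctrl_free_model(&shared, &dedicated));
    return 0;
}
```

A return of -1 marks the point where the worker would wait on itself; with the async event work on its own queue the flush completes.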