{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38209","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.994Z","datePublished":"2025-07-04T13:37:28.853Z","dateUpdated":"2026-05-11T21:23:21.992Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:23:21.992Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: remove tag set when second admin queue config fails\n\nCommit 104d0e2f6222 (\"nvme-fabrics: reset admin connection for secure\nconcatenation\") modified nvme_tcp_setup_ctrl() to call\nnvme_tcp_configure_admin_queue() twice. The first call prepares for\nDH-CHAP negotitation, and the second call is required for secure\nconcatenation. However, this change triggered BUG KASAN slab-use-after-\nfree in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by\nrepeating the blktests test case nvme/063 a few times [1].\n\nWhen the BUG happens, nvme_tcp_create_ctrl() fails in the call chain\nbelow:\n\nnvme_tcp_create_ctrl()\n nvme_tcp_alloc_ctrl() new=true             ... Alloc nvme_tcp_ctrl and admin_tag_set\n nvme_tcp_setup_ctrl() new=true\n  nvme_tcp_configure_admin_queue() new=true ... Succeed\n   nvme_alloc_admin_tag_set()               ... Alloc the tag set for admin_tag_set\n  nvme_stop_keep_alive()\n  nvme_tcp_teardown_admin_queue() remove=false\n  nvme_tcp_configure_admin_queue() new=false\n   nvme_tcp_alloc_admin_queue()             ... Fail, but do not call nvme_remove_admin_tag_set()\n nvme_uninit_ctrl()\n nvme_put_ctrl()                            ... Free up the nvme_tcp_ctrl and admin_tag_set\n\nThe first call of nvme_tcp_configure_admin_queue() succeeds with\nnew=true argument. The second call fails with new=false argument. This\nsecond call does not call nvme_remove_admin_tag_set() on failure, due to\nthe new=false argument. Then the admin tag set is not removed. However,\nnvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call\nnvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which\nhas admin_tag_set field. Later on, the timeout handler accesses the\nadmin_tag_set field and causes the BUG KASAN slab-use-after-free.\n\nTo not leave the admin tag set, call nvme_remove_admin_tag_set() when\nthe second nvme_tcp_configure_admin_queue() call fails. Do not return\nfrom nvme_tcp_setup_ctrl() on failure. Instead, jump to \"destroy_admin\"\ngo-to label to call nvme_tcp_teardown_admin_queue() which calls\nnvme_remove_admin_tag_set()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/host/tcp.c"],"versions":[{"version":"104d0e2f622233477ef7e57e59e8a4c3bb062c82","lessThan":"db1da838b6012e4570c6f81e28ffe1d0ff595948","status":"affected","versionType":"git"},{"version":"104d0e2f622233477ef7e57e59e8a4c3bb062c82","lessThan":"e7143706702a209c814ed2c3fc6486c2a7decf6c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/host/tcp.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/db1da838b6012e4570c6f81e28ffe1d0ff595948"},{"url":"https://git.kernel.org/stable/c/e7143706702a209c814ed2c3fc6486c2a7decf6c"}],"title":"nvme-tcp: remove tag set when second admin queue config fails","x_generator":{"engine":"bippy-1.2.0"}}}}