{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38658","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.031Z","datePublished":"2025-08-22T16:01:01.651Z","dateUpdated":"2026-05-11T21:32:28.595Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:32:28.595Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails\n\nHave nvmet_req_init() and req->execute() complete failed commands.\n\nDescription of the problem:\nnvmet_req_init() calls __nvmet_req_complete() internally upon failure,\ne.g., unsupported opcode, which calls the \"queue_response\" callback,\nthis results in nvmet_pci_epf_queue_response() being called, which will\ncall nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is\ndifferent from DMA_TO_DEVICE. This results in a double completion as\nnvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod()\nwhen nvmet_req_init() fails.\n\nSteps to reproduce:\nOn the host send a command with an unsupported opcode with nvme-cli,\nFor example the admin command \"security receive\"\n$ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096\n\nThis triggers a double completion as nvmet_req_init() fails and\nnvmet_pci_epf_queue_response() is called, here iod->dma_dir is still\nin the default state of \"DMA_NONE\" as set by default in\nnvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called.\nBecause nvmet_req_init() failed nvmet_pci_epf_complete_iod() is also\ncalled in nvmet_pci_epf_exec_iod_work() leading to a double completion.\nThis not only sends two completions to the host but also corrupts the\nstate of the PCI NVMe target leading to kernel oops.\n\nThis patch lets nvmet_req_init() and req->execute() complete all failed\ncommands, and removes the double completion case in\nnvmet_pci_epf_exec_iod_work() therefore fixing the edge cases where\ndouble completions occurred."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/pci-epf.c"],"versions":[{"version":"0faa0fe6f90ea59b10d1b0f15ce0eb0c18eff186","lessThan":"a535c0b10060bc8c174a7964b0f98064ee0c4774","status":"affected","versionType":"git"},{"version":"0faa0fe6f90ea59b10d1b0f15ce0eb0c18eff186","lessThan":"746d0ac5a07d5da952ef258dd4d75f0b26c96476","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/nvme/target/pci-epf.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a535c0b10060bc8c174a7964b0f98064ee0c4774"},{"url":"https://git.kernel.org/stable/c/746d0ac5a07d5da952ef258dd4d75f0b26c96476"}],"title":"nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails","x_generator":{"engine":"bippy-1.2.0"}}}}