In the Linux kernel, the following vulnerability has been resolved:
nvmet: Fix crash when a namespace is disabled
The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport):
[ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvmeloopexecutework [nvmeloop] [ 2352.930449] [ T53909] RIP: 0010:blkcgsetioprio+0x44/0x180
as the queue is already torn down when calling submit_bio();
So we need to init the percpu counter in nvmetnsenable(), and wait for it to drop to zero in nvmetnsdisable() to avoid having I/O pending after the namespace has been disabled.
[
    {
        "id": "CVE-2025-21850-4d441c66",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "205799532400628930436313881818631750818",
                "192406748404295336768934937493265342372",
                "256366561730469557270801993123056161282",
                "299538919685792215139520305430335883632",
                "261329654369661134059334887339924740134",
                "313900810828947714936503043621103958222",
                "51441028097513988498489528410632621021",
                "94556357294997655726798439417646101633",
                "200578376821415499837362132408243431407",
                "136139287914707679027911009620667312380",
                "250825162625984597303940132348418117500",
                "86607192420926953303449211435383683620",
                "14376355233856892245378835931230009027",
                "310562698134901342061090458910594770387",
                "294585381765240438927520406047610368348",
                "232292256036072100022769876785739893902",
                "169422902527973774355292352913379019279",
                "293770838966107505140389727265402242303",
                "108412865494453597495218163883335269262",
                "83818940806978835076553763740307921902",
                "289199530282515190448702178120362331413",
                "64312371414224192971839895836907389530",
                "8036404785151121986704647094854207257",
                "185307348359404311515014361470184973365",
                "222287094028461888742108430381590558953",
                "17362398892328049328515422401938870675",
                "117978573225169572775475418443034546779",
                "134828266345179543813161153325632825367",
                "188197673037457129796634195041699493127"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/nvme/target/core.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
        "id": "CVE-2025-21850-529b69c9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "58491874921026133170911260967706715366",
            "length": 640.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_free"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
        "id": "CVE-2025-21850-52be5255",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "165484208083549574851127175458582316246",
            "length": 578.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_disable"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    },
    {
        "id": "CVE-2025-21850-614ba45a",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "280029539643405300806011309364675992534",
            "length": 1061.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_enable"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
        "id": "CVE-2025-21850-7e25db8e",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "167770274293167869774758107033087839653",
            "length": 1067.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_alloc"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
        "id": "CVE-2025-21850-9af3ddf8",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "165484208083549574851127175458582316246",
            "length": 578.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_disable"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
    },
    {
        "id": "CVE-2025-21850-a7c46ce5",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "205799532400628930436313881818631750818",
                "192406748404295336768934937493265342372",
                "256366561730469557270801993123056161282",
                "299538919685792215139520305430335883632",
                "261329654369661134059334887339924740134",
                "313900810828947714936503043621103958222",
                "51441028097513988498489528410632621021",
                "94556357294997655726798439417646101633",
                "200578376821415499837362132408243431407",
                "136139287914707679027911009620667312380",
                "250825162625984597303940132348418117500",
                "86607192420926953303449211435383683620",
                "14376355233856892245378835931230009027",
                "310562698134901342061090458910594770387",
                "294585381765240438927520406047610368348",
                "232292256036072100022769876785739893902",
                "169422902527973774355292352913379019279",
                "293770838966107505140389727265402242303",
                "108412865494453597495218163883335269262",
                "83818940806978835076553763740307921902",
                "289199530282515190448702178120362331413",
                "64312371414224192971839895836907389530",
                "8036404785151121986704647094854207257",
                "185307348359404311515014361470184973365",
                "222287094028461888742108430381590558953",
                "17362398892328049328515422401938870675",
                "117978573225169572775475418443034546779",
                "134828266345179543813161153325632825367",
                "188197673037457129796634195041699493127"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/nvme/target/core.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    },
    {
        "id": "CVE-2025-21850-aa00d781",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "280029539643405300806011309364675992534",
            "length": 1061.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_enable"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    },
    {
        "id": "CVE-2025-21850-d09551d4",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "58491874921026133170911260967706715366",
            "length": 640.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_free"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    },
    {
        "id": "CVE-2025-21850-e032b575",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "167770274293167869774758107033087839653",
            "length": 1067.0
        },
        "target": {
            "file": "drivers/nvme/target/core.c",
            "function": "nvmet_ns_alloc"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
    }
]