CVE-2025-21850
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-21850
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21850.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21850
- Downstream
- Related
- Published
- 2025-03-12T09:42:05Z
- Modified
- 2025-10-17T21:48:05.862484Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- nvmet: Fix crash when a namespace is disabled
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nvmet: Fix crash when a namespace is disabled
The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport):
[ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvmeloopexecutework [nvmeloop] [ 2352.930449] [ T53909] RIP: 0010:blkcgsetioprio+0x44/0x180
as the queue is already torn down when calling submit_bio();
So we need to init the percpu counter in nvmetnsenable(), and wait for it to drop to zero in nvmetnsdisable() to avoid having I/O pending after the namespace has been disabled.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced74d16965d7ac378d28ebd833ae6d6a097186a4ecFixedcc0607594f6813342b27c752c6fb6f6eb9980cb5
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced74d16965d7ac378d28ebd833ae6d6a097186a4ecFixed4082326807072b71496501b6a0c55ffe8d5092a5
Affected versions
v6.*
v6.13
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
Database specific
vanir_signatures
[
{
"id": "CVE-2025-21850-4d441c66",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"205799532400628930436313881818631750818",
"192406748404295336768934937493265342372",
"256366561730469557270801993123056161282",
"299538919685792215139520305430335883632",
"261329654369661134059334887339924740134",
"313900810828947714936503043621103958222",
"51441028097513988498489528410632621021",
"94556357294997655726798439417646101633",
"200578376821415499837362132408243431407",
"136139287914707679027911009620667312380",
"250825162625984597303940132348418117500",
"86607192420926953303449211435383683620",
"14376355233856892245378835931230009027",
"310562698134901342061090458910594770387",
"294585381765240438927520406047610368348",
"232292256036072100022769876785739893902",
"169422902527973774355292352913379019279",
"293770838966107505140389727265402242303",
"108412865494453597495218163883335269262",
"83818940806978835076553763740307921902",
"289199530282515190448702178120362331413",
"64312371414224192971839895836907389530",
"8036404785151121986704647094854207257",
"185307348359404311515014361470184973365",
"222287094028461888742108430381590558953",
"17362398892328049328515422401938870675",
"117978573225169572775475418443034546779",
"134828266345179543813161153325632825367",
"188197673037457129796634195041699493127"
],
"threshold": 0.9
},
"target": {
"file": "drivers/nvme/target/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
},
{
"id": "CVE-2025-21850-529b69c9",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "58491874921026133170911260967706715366",
"length": 640.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_free"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
},
{
"id": "CVE-2025-21850-52be5255",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "165484208083549574851127175458582316246",
"length": 578.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_disable"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
},
{
"id": "CVE-2025-21850-614ba45a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "280029539643405300806011309364675992534",
"length": 1061.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_enable"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
},
{
"id": "CVE-2025-21850-7e25db8e",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "167770274293167869774758107033087839653",
"length": 1067.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_alloc"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
},
{
"id": "CVE-2025-21850-9af3ddf8",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "165484208083549574851127175458582316246",
"length": 578.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_disable"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4082326807072b71496501b6a0c55ffe8d5092a5"
},
{
"id": "CVE-2025-21850-a7c46ce5",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"205799532400628930436313881818631750818",
"192406748404295336768934937493265342372",
"256366561730469557270801993123056161282",
"299538919685792215139520305430335883632",
"261329654369661134059334887339924740134",
"313900810828947714936503043621103958222",
"51441028097513988498489528410632621021",
"94556357294997655726798439417646101633",
"200578376821415499837362132408243431407",
"136139287914707679027911009620667312380",
"250825162625984597303940132348418117500",
"86607192420926953303449211435383683620",
"14376355233856892245378835931230009027",
"310562698134901342061090458910594770387",
"294585381765240438927520406047610368348",
"232292256036072100022769876785739893902",
"169422902527973774355292352913379019279",
"293770838966107505140389727265402242303",
"108412865494453597495218163883335269262",
"83818940806978835076553763740307921902",
"289199530282515190448702178120362331413",
"64312371414224192971839895836907389530",
"8036404785151121986704647094854207257",
"185307348359404311515014361470184973365",
"222287094028461888742108430381590558953",
"17362398892328049328515422401938870675",
"117978573225169572775475418443034546779",
"134828266345179543813161153325632825367",
"188197673037457129796634195041699493127"
],
"threshold": 0.9
},
"target": {
"file": "drivers/nvme/target/core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
},
{
"id": "CVE-2025-21850-aa00d781",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "280029539643405300806011309364675992534",
"length": 1061.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_enable"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
},
{
"id": "CVE-2025-21850-d09551d4",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "58491874921026133170911260967706715366",
"length": 640.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_free"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
},
{
"id": "CVE-2025-21850-e032b575",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "167770274293167869774758107033087839653",
"length": 1067.0
},
"target": {
"file": "drivers/nvme/target/core.c",
"function": "nvmet_ns_alloc"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cc0607594f6813342b27c752c6fb6f6eb9980cb5"
}
]