{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-42152",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "1da177e4c3f4",
                                            "version_value": "2f3c22b1d3d7"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "5.10.222",
                                                        "lessThanOrEqual": "5.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "5.15.163",
                                                        "lessThanOrEqual": "5.15.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.1.98",
                                                        "lessThanOrEqual": "6.1.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.6.39",
                                                        "lessThanOrEqual": "6.6.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.9.9",
                                                        "lessThanOrEqual": "6.9.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.10",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa"
            },
            {
                "url": "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5"
            },
            {
                "url": "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da"
            },
            {
                "url": "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1"
            },
            {
                "url": "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33"
            },
            {
                "url": "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4"
            }
        ]
    },
    "generator": {
        "engine": "bippy-c9c4e1df01b2"
    }
}