CVE-2026-31557
Description
In the Linux kernel, the following vulnerability has been resolved:
nvmet: move async event work off nvmet-wq
For target nvmet_ctrl_free() flushes ctrl->async_event_work. If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:-
A. Async event work queued on nvmet-wq (prior to disconnect):
  nvmet_execute_async_event()
    queue_work(nvmet_wq, &ctrl->async_event_work)

  nvmet_add_async_event()
    queue_work(nvmet_wq, &ctrl->async_event_work)

B. Full pre-work chain (RDMA CM path):
  nvmet_rdma_cm_handler()
    nvmet_rdma_queue_disconnect()
      __nvmet_rdma_queue_disconnect()
        queue_work(nvmet_wq, &queue->release_work)
          process_one_work()
            lock((wq_completion)nvmet-wq) <--------- 1st
              nvmet_rdma_release_queue_work()

C. Recursive path (same worker):
  nvmet_rdma_release_queue_work()
    nvmet_rdma_free_queue()
      nvmet_sq_destroy()
        nvmet_ctrl_put()
          nvmet_ctrl_free()
            flush_work(&ctrl->async_event_work)
              __flush_work()
                touch_wq_lockdep_map()
                  lock((wq_completion)nvmet-wq) <--------- 2nd
Lockdep splat:
============================================
WARNING: possible recursive locking detected
6.19.0-rc3nvme+ #14 Tainted: G N
--------------------------------------------
kworker/u192:42/44933 is trying to acquire lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90

but task is already holding lock:
ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660

3 locks held by kworker/u192:42/44933:
 #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
 #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
 #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530

Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
Call Trace:
 __flush_work+0x268/0x530
 nvmet_ctrl_free+0x140/0x310 [nvmet]
 nvmet_cq_put+0x74/0x90 [nvmet]
 nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
 nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
 process_one_work+0x206/0x660
 worker_thread+0x184/0x320
 kthread+0x10c/0x240
 ret_from_fork+0x319/0x390
Move async event work to a dedicated nvmet-aen-wq to avoid reentrant flush on nvmet-wq.
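A userspace C model of the recursion in paths A to C above, added here as an illustration and not taken from the kernel or the patch: `held` stands in for the `(wq_completion)` lockdep map, and `run_work()`, `flush_work_model()` and `simulate_disconnect()` are hypothetical names. It runs the disconnect path once with async event work on nvmet-wq and once with it on a dedicated nvmet-aen-wq.

```c
#include <stdio.h>

/* Userspace model; these types only mimic the kernel names on this page. */
struct wq { const char *name; int held; };   /* held ~ (wq_completion) map */
struct work { struct wq *wq; void (*fn)(void); int pending; };

static struct wq nvmet_wq = { "nvmet-wq", 0 }, aen_wq = { "nvmet-aen-wq", 0 };
static struct work async_event_work, release_work;
static int recursive_flushes;

static void run_work(struct work *w)         /* ~ process_one_work() */
{
    w->pending = 0;
    w->wq->held++;                           /* 1st acquisition */
    w->fn();
    w->wq->held--;
}

static void flush_work_model(struct work *w) /* ~ flush_work() */
{
    if (!w->pending)
        return;                              /* nothing queued to wait for */
    if (w->wq->held) {                       /* 2nd acquisition, same wq */
        recursive_flushes++;                 /* point where lockdep reports */
        return;
    }
    run_work(w);                             /* different wq: wait is safe */
}

static void async_event_fn(void) { }
static void release_fn(void)                 /* ~ release path -> nvmet_ctrl_free() */
{
    flush_work_model(&async_event_work);
}

/* Returns how many recursive flushes the modelled disconnect produced. */
int simulate_disconnect(int dedicated_aen_wq)
{
    recursive_flushes = 0;
    async_event_work = (struct work){ dedicated_aen_wq ? &aen_wq : &nvmet_wq,
                                      async_event_fn, 1 };  /* path A: queued earlier */
    release_work = (struct work){ &nvmet_wq, release_fn, 1 };
    run_work(&release_work);                 /* path B, then path C inside it */
    return recursive_flushes;
}

int main(void)
{
    printf("shared nvmet-wq:        %d recursive flush(es)\n", simulate_disconnect(0));
    printf("dedicated nvmet-aen-wq: %d recursive flush(es)\n", simulate_disconnect(1));
    return 0;
}
```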
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel NVMe target (nvmet), async event work queued on nvmet-wq can cause a recursive lock when freeing a controller, leading to a lockdep warning and potential deadlock.
Vulnerability Description
The vulnerability is a recursive locking issue in the Linux kernel's NVMe target (nvmet) subsystem. Async event work is queued on the nvmet-wq workqueue, and when a controller is freed, nvmet_ctrl_free() calls flush_work() on async_event_work. If nvmet_ctrl_free() itself runs on nvmet-wq, the flush recursively acquires the workqueue lock, triggering a lockdep warning and a potential deadlock [1].
Exploitation Path
The issue is reached through the RDMA CM path: the RDMA connection handler nvmet_rdma_cm_handler() eventually queues release_work on nvmet-wq. When that work runs, it calls nvmet_rdma_release_queue_work(), which frees the queue and calls nvmet_ctrl_put() -> nvmet_ctrl_free(). If there is pending async event work, flush_work() tries to acquire the same workqueue lock that is already held, causing a deadlock [1]. An attacker on the storage network could trigger this by initiating a disconnect while async events are pending.
Impact
The impact is a denial of service (system hang or lockup) due to the recursive locking. The CVSS score is 7.5 (High), indicating significant availability impact. No privilege escalation or data corruption is described [1].
Mitigation
The fix involves moving async event work off the nvmet-wq to a separate workqueue to avoid the recursion. The commits [1][2][3][4] are stable kernel patches that address this issue. Administrators should apply kernel updates to versions containing these patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (10)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=5.15.42,<5.16
- cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.