[PATCH 1/1] nvme: fix use-after-free of admin queue via stale pointer
Chaitanya Kulkarni
chaitanyak at nvidia.com
Wed Oct 29 16:00:29 PDT 2025
On 10/29/25 2:08 PM, Casey Chen wrote:
> From: Yuanyuan Zhong <yzhong at purestorage.com>
>
> When a controller is deleted (e.g., via sysfs delete_controller), the
> admin queue is freed while userspace may still have an open fd to the
> namespace block device. Userspace can issue IOCTLs on the open fd
> that access the freed admin queue through the stale ns->ctrl->admin_q
> pointer, causing a use-after-free.
>
> Fix this by taking an additional reference on the admin queue during
> namespace allocation and releasing it during namespace cleanup.
>
> Signed-off-by: Casey Chen <cachen at purestorage.com>
> Signed-off-by: Seamus Connor <sconnor at purestorage.com>
> ---
> drivers/nvme/host/core.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
> index 8d8af58e79d1..184a6096a2be 100644
> --- a/drivers/nvme/host/core.c
> +++ b/drivers/nvme/host/core.c
> @@ -687,6 +687,7 @@ static void nvme_free_ns(struct kref *kref)
> {
> struct nvme_ns *ns = container_of(kref, struct nvme_ns, kref);
>
> + blk_put_queue(ns->ctrl->admin_q);
> put_disk(ns->disk);
> nvme_put_ns_head(ns->head);
> nvme_put_ctrl(ns->ctrl);
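Review bot: the new blk_put_queue(ns->ctrl->admin_q) dereferences ns->ctrl, so it has to stay ahead of nvme_put_ctrl(ns->ctrl) as it does here; a one-line comment saying that this balances the blk_get_queue() taken in nvme_alloc_ns and must precede the controller put would keep a later reorder of this function from silently reintroducing the stale-pointer access.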
> @@ -3903,9 +3904,14 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, struct nvme_ns_info *info)
> struct gendisk *disk;
> int node = ctrl->numa_node;
>
Would it be a good idea to add a comment at both places to explain why we
are taking this additional reference? Since this is specifically needed
for userspace.
> + if (!blk_get_queue(ctrl->admin_q)) {
> + dev_err(ctrl->device, "failed to get admin_q %p\n", ctrl->admin_q);
> + return;
> + }
> +
> ns = kzalloc_node(sizeof(*ns), GFP_KERNEL, node);
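Review bot: the admin queue reference is taken before kzalloc_node but is only released in nvme_free_ns, so any path in nvme_alloc_ns that gives up before ns->kref is live, starting with the kzalloc failure right after this hunk, will leak it. Either move the blk_get_queue() to after the allocation succeeds, or add a matching blk_put_queue(ctrl->admin_q) to those error paths. Minor: the "%p" in the dev_err is hashed by default in the kernel log, so it adds little beyond the message itself.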
-ck