libnvme: guard against NULL transport handle in discovery path

Martin Belanger · Martin Belanger · commit 42d7c5c5723d · 2026-04-07T06:24:17.000-04:00
While stress testing with nvme-stas using repeated nvmet create/delete cycles,
a segmentation fault was observed during teardown when running nvme connect-all.

The crash occurs in nvme_get_log() due to a NULL hdl:

nvme_get_log(hdl=0x0, ...)

Root cause is that the return value of nvme_ctrl_get_transport_handle() is
not validated before use. Under certain conditions, a race can occur where
the udev-triggered nvmf-connect@.service attempts to operate on a controller
(e.g. nvme1) that has already been removed.

Fix this by checking that the transport handle is non-NULL before issuing
commands that depend on it.

This prevents a potential SIGSEGV during discovery in transient device
removal scenarios.

Signed-off-by: Martin Belanger &lt;martin.belanger@dell.com&gt;
diff --git a/libnvme/src/nvme/fabrics.c b/libnvme/src/nvme/fabrics.c
@@ -1309,6 +1309,12 @@ static int nvme_discovery_log(const struct nvme_get_discovery_args *args,
 	struct nvme_transport_handle *hdl = nvme_ctrl_get_transport_handle(args->c);
 	struct nvme_passthru_cmd cmd;
 
+	if (!hdl) {
+		nvme_msg(ctx, LOG_DEBUG,
+			 "%s: no transport handle, skipping discovery\n", name);
+		return -ENOENT;
+	}
+
 	log = __nvme_alloc(sizeof(*log));
 	if (!log) {
 		nvme_msg(ctx, LOG_ERR,
