From e8dc100ae8cd91242cd65a7b4a6e36f572a7407b Mon Sep 17 00:00:00 2001 From: Martin Belanger Date: Mon, 6 Apr 2026 10:12:38 -0400 Subject: [PATCH] libnvme: guard against NULL transport handle in discovery path While stress testing with nvme-stas using repeated nvmet create/delete cycles, a segmentation fault was observed during teardown when running nvme connect-all. The crash occurs in nvme_get_log() due to a NULL hdl: nvme_get_log(hdl=0x0, ...) Root cause is that the return value of nvme_ctrl_get_transport_handle() is not validated before use. Under certain conditions, a race can occur where the udev-triggered nvmf-connect@.service attempts to operate on a controller (e.g. nvme1) that has already been removed. Fix this by checking that the transport handle is non-NULL before issuing commands that depend on it. This prevents a potential SIGSEGV during discovery in transient device removal scenarios. Signed-off-by: Martin Belanger --- libnvme/src/nvme/fabrics.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libnvme/src/nvme/fabrics.c b/libnvme/src/nvme/fabrics.c index 7fd73306dd..a5206f23e3 100644 --- a/libnvme/src/nvme/fabrics.c +++ b/libnvme/src/nvme/fabrics.c @@ -1309,6 +1309,12 @@ static int nvme_discovery_log(const struct libnvme_get_discovery_args *args, struct libnvme_transport_handle *hdl = libnvme_ctrl_get_transport_handle(args->c); struct libnvme_passthru_cmd cmd; + if (!hdl) { + libnvme_msg(ctx, LOG_DEBUG, + "%s: no transport handle, skipping discovery\n", name); + return -ENOENT; + } + log = __libnvme_alloc(sizeof(*log)); if (!log) { libnvme_msg(ctx, LOG_ERR,
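Review bot: In the new `if (!hdl)` branch of nvme_discovery_log(), the failure is logged at LOG_DEBUG while the function returns -ENOENT, so at default log levels the caller sees an error with no accompanying message, unlike the allocation failure immediately below, which logs at LOG_ERR. If the quiet skip is intentional for the transient removal case described in the commit message, a short comment above the check saying so would help; otherwise consider a more visible log level. The log call also uses `ctx` and `name`, whose assignments are not visible in this hunk's context, so please confirm both are initialized before this point and not derived later in the function. The check covers the case where the handle is already NULL on entry; it does not by itself address a controller being removed after the check, which is worth stating in the commit message given that the root cause is described as a race. Lastly, the commit message refers to nvme_get_log() and nvme_ctrl_get_transport_handle(), while the code here calls libnvme_ctrl_get_transport_handle(); aligning the names in the message with the code would make the crash trace easier to match to this site.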