In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix possible use-after-free in transport error_recovery work
While nvmetcpsubmitasynceventwork is checking the ctrl and queue state before preparing the AER command and scheduling iowork, in order to fully prevent a race where this check is not reliable the error recovery work must flush asynceventwork before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submitasyncevent and the error recovery handler itself changing the ctrl state.