CVE-2026-23261

In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: release admin tagset if init fails

nvme fabrics creates an NVMe/FC controller in following path:

nvmf dev write() -> nvmf create ctrl() -> nvme fc create ctrl() -> nvme fc init ctrl()

nvme fc init ctrl() allocates the admin blk-mq resources right after nvme add ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail ctrl path, which tears down the controller references but never frees the admin queue/tag set. The leaked blk-mq allocations match the kmemleak report seen during blktests nvme/fc.

Check ctrl->ctrl.admin tagset in the fail ctrl path and call nvme remove admin tag set() when it is set so that all admin queue allocations are reclaimed whenever controller setup aborts.