Changhui Zhong

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been resolved in the Linux kernel. The issue occurs when two UBLK CMD START USER RECOVERY commands are submitted, with the first one setting 'ubq->ubq daemon' to NULL, and the second one triggering WARN in ublk queue reinit() and subsequently a NULL pointer dereference issue. The fix involves adding a check in ublk ctrl start recovery() to return immediately in case of zero 'ub->nr queues ready'. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved by moving the stopping of keep-alive into `nvme uninit ctrl()`. The issue occurred when starting keep-alive was moved from `nvme start ctrl()` to `nvme init ctrl finish()`, but stopping keep-alive was not moved to `nvme uninit ctrl()`. This caused keep-alive work to be started and kept pending after failing to start the controller, resulting in a use-after-free error when the NVMe host driver was unloaded. The patch fixes a kernel panic that occurred when running `nvme/004` in the event of a connection failure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a blk-mq fix for an IO hang from sbitmap wakeup race. In `blk mq mark tag wait()`, ` add wait queue()` may be re-ordered with the following `blk mq get driver tag()` in case of getting driver tag failure. Then in ` sbitmap queue wake up()`, `waitqueue active()` may not observe the added waiter in `blk mq mark tag wait()` and wake up nothing, meantime `blk mq mark tag wait()` can't get driver tag successfully. This issue can be reproduced by running a specific test in loop, and fio hang can be observed in < 30min when running it on a test VM in a laptop. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the SCSI host release mechanism in the Linux kernel. When a SCSI device is freed, the SCSI host release is triggered, and it is essential to ensure that the low-level device driver module is not unloaded before the SCSI host instance is released. This is because the `shost->hostt` is required in the release handler. The problem can lead to a kernel panic with the message 'BUG: unable to handle page fault for address'. The issue was reported by Changhui and Yi. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.