Linux · Linux Kernel · CVE-2025-22083
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue is related to the handling of multiple calls to `vhost_scsi_set_endpoint` in the Linux kernel. This can lead to several problems, including a use-after-free bug when no tpgs are found, a tpg dir removal hang due to refcount dropping to -1, and a tpg leak because the target name is overwritten when `vhost_scsi_set_endpoint` is called multiple times with different target names. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
**Recommendations**
To resolve the issue, it is recommended to prevent `vhost_scsi_set_endpoint` from being called if it has already successfully added tpgs. To add, remove, or change the tpg config or target name, you must do a `vhost_scsi_clear_endpoint` first. As a temporary workaround, consider restricting the use of the `vhost_scsi_set_endpoint` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
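The set/clear rule recommended above, shown as a simplified userspace model. This is an added example, not kernel code or the upstream patch: the structs, the `model_*` functions, the sample target names and the error codes are all assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
struct tpg { const char *wwpn; int refs; };
struct endpoint { struct tpg *bound[4]; int nbound; char wwpn[32]; };

/* Constructed sample configuration: two tpgs under naa.A, one under naa.B. */
static struct tpg registry[] = { {"naa.A", 0}, {"naa.A", 0}, {"naa.B", 0} };
#define NREG ((int)(sizeof(registry) / sizeof(registry[0])))

int model_set_endpoint(struct endpoint *ep, const char *wwpn)
{
    int i;
    if (ep->nbound > 0)
        return -EEXIST;  /* already bound: refuse, keep name and refs intact */
    for (i = 0; i < NREG && ep->nbound < 4; i++) {
        if (strcmp(registry[i].wwpn, wwpn) == 0) {
            registry[i].refs++;
            ep->bound[ep->nbound++] = &registry[i];
        }
    }
    if (ep->nbound == 0)
        return -ENODEV;  /* no tpg matched: endpoint state left untouched */
    snprintf(ep->wwpn, sizeof(ep->wwpn), "%s", wwpn);
    return 0;
}

int model_clear_endpoint(struct endpoint *ep)
{
    int i;
    if (ep->nbound == 0)
        return -ENODEV;  /* nothing bound: never drop a ref we do not hold */
    for (i = 0; i < ep->nbound; i++)
        ep->bound[i]->refs--;
    memset(ep, 0, sizeof(*ep));
    return 0;
}

int main(void)
{
    struct endpoint ep = {0};
    int first = model_set_endpoint(&ep, "naa.A");
    int second = model_set_endpoint(&ep, "naa.B");  /* rejected by the guard */
    printf("first=%d second=%d bound to %s\n", first, second, ep.wwpn);
    return model_clear_endpoint(&ep);
}
```

Because a second set is refused outright, the recorded target name always matches the tpgs whose references are held, so a later clear releases exactly what was taken.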