{"id":"CVE-2024-46735","summary":"ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()\n\nWhen two UBLK_CMD_START_USER_RECOVERY commands are submitted, the\nfirst one sets 'ubq-\u003eubq_daemon' to NULL, and the second one triggers\nWARN in ublk_queue_reinit() and subsequently a NULL pointer dereference\nissue.\n\nFix it by adding the check in ublk_ctrl_start_recovery() and return\nimmediately in case of zero 'ub-\u003enr_queues_ready'.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n  RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180\n  Call Trace:\n   \u003cTASK\u003e\n   ? __die+0x20/0x70\n   ? page_fault_oops+0x75/0x170\n   ? exc_page_fault+0x64/0x140\n   ? asm_exc_page_fault+0x22/0x30\n   ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180\n   ublk_ctrl_uring_cmd+0x4f7/0x6c0\n   ? pick_next_task_idle+0x26/0x40\n   io_uring_cmd+0x9a/0x1b0\n   io_issue_sqe+0x193/0x3f0\n   io_wq_submit_work+0x9b/0x390\n   io_worker_handle_work+0x165/0x360\n   io_wq_worker+0xcb/0x2f0\n   ? finish_task_switch.isra.0+0x203/0x290\n   ? finish_task_switch.isra.0+0x203/0x290\n   ? __pfx_io_wq_worker+0x10/0x10\n   ret_from_fork+0x2d/0x50\n   ? __pfx_io_wq_worker+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e","modified":"2026-04-02T12:19:34.945350Z","published":"2024-09-18T07:11:57.279Z","related":["MGASA-2024-0316","MGASA-2024-0318","SUSE-SU-2024:3551-1","SUSE-SU-2024:3553-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46735.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/136a29d8112df4ea0a57f9602ddf3579e04089dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca249435893dda766f3845c15ca77ca5672022d8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e58f5142f88320a5b1449f96a146f2f24615c5c7"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46735.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46735"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c732a852b419fa057b53657e2daaf9433940391c"},{"fixed":"ca249435893dda766f3845c15ca77ca5672022d8"},{"fixed":"136a29d8112df4ea0a57f9602ddf3579e04089dc"},{"fixed":"7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f"},{"fixed":"e58f5142f88320a5b1449f96a146f2f24615c5c7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46735.json"}}],"schema_version":"1.7.5"}