In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmetbiodone() leading to NULL pointer dereference

There is a race condition in nvmetbiodone() that can cause a NULL pointer dereference in blkcgroupbio_start():

1. nvmetbiodone() is called when a bio completes
2. nvmetreqcomplete() is called, which invokes req->ops->queue_response(req)
3. The queue_response callback can re-queue and re-submit the same request
4. The re-submission reuses the same inlinebio from nvmetreq
5. Meanwhile, nvmetreqbioput() (called after nvmetreqcomplete) invokes biouninit() for inlinebio, which sets bio->biblkg to NULL
6. The re-submitted bio enters submitbionoacct_nocheck()

7. blkcgroupbiostart() dereferences bio->biblkg, causing a crash:

   BUG: kernel NULL pointer dereference, address: 0000000000000028

   PF: supervisor read access in kernel mode

   RIP: 0010:blkcgroupbiostart+0x10/0xd0 Call Trace: submitbionoacctnocheck+0x44/0x250 nvmetbdevexecuterw+0x254/0x370 [nvmet] processonework+0x193/0x3c0 workerthread+0x281/0x3a0

Fix this by reordering nvmetbiodone() to call nvmetreqbioput() BEFORE nvmetreq_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.