CVE-2022-50530
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 07/10/2025
Last modified: 08/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()

Our syzkaller report a null pointer dereference, root cause is
following:

__blk_mq_alloc_map_and_rqs
 set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs
  blk_mq_alloc_map_and_rqs
   blk_mq_alloc_rqs
    // failed due to oom
    alloc_pages_node
   // set->tags[hctx_idx] is still NULL
   blk_mq_free_rqs
    drv_tags = set->tags[hctx_idx];
    // null pointer dereference is triggered
    blk_mq_clear_rq_mapping(drv_tags, ...)

This is because commit 63064be150e4 ("blk-mq:
Add blk_mq_alloc_map_and_rqs()") merged the two steps:

1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()
2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])

into one step:

set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()

Since tags is not initialized yet in this case, fix the problem by
checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
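The following user-space C model is an added illustration of the ordering problem described above; it is not part of the CVE record and not the kernel's code. All structs, function names and the oom_inject switch are simplified stand-ins. In the old two-step path the tag pointer is stored in the set before the requests are allocated, so the cleanup's drv_tags is never NULL. In the merged path an allocation failure reaches the cleanup before set->tags[hctx_idx] has been assigned, so drv_tags is NULL there, and only the NULL check in the clear-mapping step keeps the error path from dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Simplified stand-ins for the blk-mq structures (not the kernel's own). */
#define NR_RQS 4

struct tags {                      /* stand-in for struct blk_mq_tags */
    void *rqs[NR_RQS];             /* driver-visible request mapping */
    void *static_rqs[NR_RQS];      /* request memory owned by this tag set */
    int nr_rqs;
};

struct tag_set {                   /* stand-in for struct blk_mq_tag_set */
    struct tags *tags[2];          /* per-hctx driver tags, NULL until assigned */
};

int oom_inject = 0;                /* constructed switch: 1 makes rq allocation fail */

static struct tags *alloc_rq_map(void) { return calloc(1, sizeof(struct tags)); }

/* Allocate request memory; fails like alloc_pages_node under memory pressure. */
static int alloc_rqs(struct tags *tags)
{
    if (oom_inject)
        return -ENOMEM;
    for (int i = 0; i < NR_RQS; i++) {
        tags->static_rqs[i] = malloc(16);
        if (!tags->static_rqs[i])
            return -ENOMEM;
        tags->rqs[i] = tags->static_rqs[i];   /* publish in the driver mapping */
        tags->nr_rqs++;
    }
    return 0;
}

/* Unchecked shape: walks drv_tags without testing it, so NULL faults here. */
static int clear_rq_mapping_unchecked(struct tags *drv_tags, struct tags *tags)
{
    int cleared = 0;
    for (int i = 0; i < NR_RQS; i++)              /* drv_tags->rqs faults if NULL */
        for (int j = 0; j < tags->nr_rqs; j++)
            if (drv_tags->rqs[i] && drv_tags->rqs[i] == tags->static_rqs[j]) {
                drv_tags->rqs[i] = NULL;
                cleared++;
            }
    return cleared;
}

/* Checked shape, mirroring the fix: nothing to clear when drv_tags is NULL. */
static int clear_rq_mapping_checked(struct tags *drv_tags, struct tags *tags)
{
    if (!drv_tags)
        return 0;
    return clear_rq_mapping_unchecked(drv_tags, tags);
}

/* Cleanup reads drv_tags from the set, which the merged path has not filled yet. */
static void free_rqs(struct tag_set *set, int hctx_idx, struct tags *tags, int fixed)
{
    struct tags *drv_tags = set->tags[hctx_idx];
    if (fixed)
        clear_rq_mapping_checked(drv_tags, tags);
    else
        clear_rq_mapping_unchecked(drv_tags, tags);
    for (int i = 0; i < tags->nr_rqs; i++)
        free(tags->static_rqs[i]);
    tags->nr_rqs = 0;
}

/* Old two-step flow: the pointer is published before alloc_rqs can fail. */
int alloc_two_step(struct tag_set *set, int hctx_idx)
{
    set->tags[hctx_idx] = alloc_rq_map();
    if (!set->tags[hctx_idx])
        return -ENOMEM;
    if (alloc_rqs(set->tags[hctx_idx]) != 0) {
        free_rqs(set, hctx_idx, set->tags[hctx_idx], 0);   /* drv_tags is non-NULL */
        free(set->tags[hctx_idx]);
        set->tags[hctx_idx] = NULL;
        return -ENOMEM;
    }
    return 0;
}

/* Merged flow: set->tags[hctx_idx] is only assigned after this returns. */
static struct tags *alloc_map_and_rqs(struct tag_set *set, int hctx_idx, int fixed)
{
    struct tags *tags = alloc_rq_map();
    if (!tags)
        return NULL;
    if (alloc_rqs(tags) != 0) {
        free_rqs(set, hctx_idx, tags, fixed);   /* drv_tags is NULL at this point */
        free(tags);
        return NULL;
    }
    return tags;
}

int alloc_merged(struct tag_set *set, int hctx_idx, int fixed)
{
    set->tags[hctx_idx] = alloc_map_and_rqs(set, hctx_idx, fixed);
    return set->tags[hctx_idx] ? 0 : -ENOMEM;
}

void release(struct tag_set *set, int hctx_idx)
{
    if (!set->tags[hctx_idx])
        return;
    free_rqs(set, hctx_idx, set->tags[hctx_idx], 1);
    free(set->tags[hctx_idx]);
    set->tags[hctx_idx] = NULL;
}

int main(void)
{
    struct tag_set set = {0};
    oom_inject = 1;
    printf("merged flow under OOM with NULL check: rc=%d tags=%p\n",
           alloc_merged(&set, 0, 1), (void *)set.tags[0]);
    oom_inject = 0;
    printf("merged flow without OOM: rc=%d\n", alloc_merged(&set, 0, 1));
    release(&set, 0);
    return 0;
}
```

Calling alloc_merged with fixed set to 0 under injected OOM would take the unchecked path with a NULL drv_tags, which is exactly the crash the syzkaller report describes; the model keeps that call out of its own run and shows only the guarded path surviving the failure.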