CVE-2022-50530
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
07/10/2025
Last modified:
05/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()<br />
<br />
Our syzkaller report a null pointer dereference, root cause is<br />
following:<br />
<br />
__blk_mq_alloc_map_and_rqs<br />
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs<br />
blk_mq_alloc_map_and_rqs<br />
blk_mq_alloc_rqs<br />
// failed due to oom<br />
alloc_pages_node<br />
// set->tags[hctx_idx] is still NULL<br />
blk_mq_free_rqs<br />
drv_tags = set->tags[hctx_idx];<br />
// null pointer dereference is triggered<br />
blk_mq_clear_rq_mapping(drv_tags, ...)<br />
<br />
This is because commit 63064be150e4 ("blk-mq:<br />
Add blk_mq_alloc_map_and_rqs()") merged the two steps:<br />
<br />
1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()<br />
2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])<br />
<br />
into one step:<br />
<br />
set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()<br />
<br />
Since tags is not initialized yet in this case, fix the problem by<br />
checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page