Description
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping() Our syzkaller report a null pointer dereference, root cause is following: __blk_mq_alloc_map_and_rqs set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs blk_mq_alloc_map_and_rqs blk_mq_alloc_rqs // failed due to oom alloc_pages_node // set->tags[hctx_idx] is still NULL blk_mq_free_rqs drv_tags = set->tags[hctx_idx]; // null pointer dereference is triggered blk_mq_clear_rq_mapping(drv_tags, ...) This is because commit 63064be150e4 ("blk-mq: Add blk_mq_alloc_map_and_rqs()") merged the two steps: 1) set->tags[hctx_idx] = blk_mq_alloc_rq_map() 2) blk_mq_alloc_rqs(..., set->tags[hctx_idx]) into one step: set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs() Since tags is not initialized yet in this case, fix the problem by checking if tags is NULL pointer in blk_mq_clear_rq_mapping().
Product status
63064be150e4b1ba1e4af594ef5aa81adf21a52d before 6a440e6d04431e774dc084abe88c106e2a474c1a
63064be150e4b1ba1e4af594ef5aa81adf21a52d before 76dd298094f484c6250ebd076fa53287477b2328
5.16
Any version before 5.16
6.0.6
6.1
References
git.kernel.org/...c/6a440e6d04431e774dc084abe88c106e2a474c1a
git.kernel.org/...c/76dd298094f484c6250ebd076fa53287477b2328
