Description

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping() Our syzkaller report a null pointer dereference, root cause is following: __blk_mq_alloc_map_and_rqs set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs blk_mq_alloc_map_and_rqs blk_mq_alloc_rqs // failed due to oom alloc_pages_node // set->tags[hctx_idx] is still NULL blk_mq_free_rqs drv_tags = set->tags[hctx_idx]; // null pointer dereference is triggered blk_mq_clear_rq_mapping(drv_tags, ...) This is because commit 63064be150e4 ("blk-mq: Add blk_mq_alloc_map_and_rqs()") merged the two steps: 1) set->tags[hctx_idx] = blk_mq_alloc_rq_map() 2) blk_mq_alloc_rqs(..., set->tags[hctx_idx]) into one step: set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs() Since tags is not initialized yet in this case, fix the problem by checking if tags is NULL pointer in blk_mq_clear_rq_mapping().

Weaknesses 1

Affected Products 2

References 2

• git.kernel.org https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a
  Patch
• git.kernel.org https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328
  Patch

Remediation

• git.kernel.org https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a
  Patch
• git.kernel.org https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328
  Patch