{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-50530","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-10-07T15:15:38.664Z","datePublished":"2025-10-07T15:19:21.259Z","dateUpdated":"2026-05-11T19:21:12.557Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:21:12.557Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()\n\nOur syzkaller report a null pointer dereference, root cause is\nfollowing:\n\n__blk_mq_alloc_map_and_rqs\n set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs\n  blk_mq_alloc_map_and_rqs\n   blk_mq_alloc_rqs\n    // failed due to oom\n    alloc_pages_node\n    // set->tags[hctx_idx] is still NULL\n    blk_mq_free_rqs\n     drv_tags = set->tags[hctx_idx];\n     // null pointer dereference is triggered\n     blk_mq_clear_rq_mapping(drv_tags, ...)\n\nThis is because commit 63064be150e4 (\"blk-mq:\nAdd blk_mq_alloc_map_and_rqs()\") merged the two steps:\n\n1) set->tags[hctx_idx] = blk_mq_alloc_rq_map()\n2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])\n\ninto one step:\n\nset->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()\n\nSince tags is not initialized yet in this case, fix the problem by\nchecking if tags is NULL pointer in blk_mq_clear_rq_mapping()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-mq.c"],"versions":[{"version":"63064be150e4b1ba1e4af594ef5aa81adf21a52d","lessThan":"6a440e6d04431e774dc084abe88c106e2a474c1a","status":"affected","versionType":"git"},{"version":"63064be150e4b1ba1e4af594ef5aa81adf21a52d","lessThan":"76dd298094f484c6250ebd076fa53287477b2328","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-mq.c"],"versions":[{"version":"5.16","status":"affected"},{"version":"0","lessThan":"5.16","status":"unaffected","versionType":"semver"},{"version":"6.0.6","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.0.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a"},{"url":"https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328"}],"title":"blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()","x_generator":{"engine":"bippy-1.2.0"}}}}