blkmq: Fix NULL pointer deref when all reserved tags in

When allocating from the reserved tags pool, bt_get() is called with a NULL hctx. If all tags are in use, the hw queue is kicked to push out any pending IO, potentially freeing tags, and tag allocation is retried. The problem is that blk_mq_run_hw_queue() doesn't check for a NULL hctx. So we avoid it with a simple NULL hctx test. Tested by hammering mtip32xx with concurrent smartctl/hdparm. Signed-off-by: Sam Bradshaw <[email protected]> Signed-off-by: Selvan Mani <[email protected]> Fixes: b322320 ("blk-mq: fix hang in bt_get()") Cc: [email protected] Added appropriate comment. Signed-off-by: Jens Axboe <[email protected]>
ambv · Mar 18, 2015 · bc188d8 · bc188d8
1 parent 9a30b09
commit bc188d8
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
@@ -278,9 +278,11 @@ static int bt_get(struct blk_mq_alloc_data *data,
 		/*
 		 * We're out of tags on this hardware queue, kick any
 		 * pending IO submits before going to sleep waiting for
-		 * some to complete.
+		 * some to complete. Note that hctx can be NULL here for
+		 * reserved tag allocation.
 		 */
-		blk_mq_run_hw_queue(hctx, false);
+		if (hctx)
+			blk_mq_run_hw_queue(hctx, false);
 
 		/*
 		 * Retry tag allocation after running the hardware queue,