Re: [PATCH v2] blkmq: Fix NULL pointer deref when all reserved tags in use

Re: [PATCH v2] blkmq: Fix NULL pointer deref when all reserved tags in use

[Jens Axboe]

On 03/18/2015 05:07 PM, Sam Bradshaw wrote:
> When allocating from the reserved tags pool, bt_get() is called with
> a NULL hctx.  If all tags are in use, the hw queue is kicked to push
> out any pending IO, potentially freeing tags, and tag allocation is
> retried.  The problem is that blk_mq_run_hw_queue() doesn't check for
> a NULL hctx.  So we avoid it with a simple NULL hctx test.
>
> This issue was introduced by:
> b32232073e80: blk-mq: fix hang in bt_get()
>
> Tested by hammering mtip32xx with concurrent smartctl/hdparm.
>
> Signed-off-by: Sam Bradshaw <sbradshaw@micron.com>
> Signed-off-by: Selvan Mani <smani@micron.com>

Thanks Sam, added to the current series.

-- 
Jens Axboe

[PATCH v2] blkmq: Fix NULL pointer deref when all reserved tags in use

[Sam Bradshaw]

When allocating from the reserved tags pool, bt_get() is called with
a NULL hctx.  If all tags are in use, the hw queue is kicked to push
out any pending IO, potentially freeing tags, and tag allocation is
retried.  The problem is that blk_mq_run_hw_queue() doesn't check for
a NULL hctx.  So we avoid it with a simple NULL hctx test.  

This issue was introduced by:
b32232073e80: blk-mq: fix hang in bt_get()

Tested by hammering mtip32xx with concurrent smartctl/hdparm.

Signed-off-by: Sam Bradshaw <sbradshaw@micron.com>
Signed-off-by: Selvan Mani <smani@micron.com>
---
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index d53a764..9d7dd64 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -280,7 +280,8 @@ static int bt_get(struct blk_mq_alloc_data *data,
 		 * pending IO submits before going to sleep waiting for
 		 * some to complete.
 		 */
-		blk_mq_run_hw_queue(hctx, false);
+		if (hctx)
+			blk_mq_run_hw_queue(hctx, false);
 
 		/*
 		 * Retry tag allocation after running the hardware queue,