From: Sam Bradshaw
Subject: [PATCH] blkmq: Fix NULL pointer deref when all reserved tags in use
Date: Wed, 18 Mar 2015 13:36:32 -0700
Message-ID: <5509E1D0.2080908@micron.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

When allocating from the reserved tags pool, bt_get() is called with a NULL hctx. If all tags are in use, the hw queue is kicked to push out any pending IO, potentially freeing tags, and tag allocation is retried. The problem is that blk_mq_run_hw_queue() doesn't check for a NULL hctx. This patch fixes that bug.

An alternative implementation might skip kicking the queue for reserved tags and go right to io_schedule(), but we chose to keep it simple.

Tested by hammering mtip32xx with concurrent smartctl/hdparm.

Signed-off-by: Sam Bradshaw
Signed-off-by: Selvan Mani
---
 block/blk-mq.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 59fa239..0471af6 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -887,7 +887,7 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx) void blk_mq_run_hw_queue(struct blk_mq_hw_ctx *hctx, bool async) { - if (unlikely(test_bit(BLK_MQ_S_STOPPED, &hctx->state) || + if (unlikely(!hctx || test_bit(BLK_MQ_S_STOPPED, &hctx->state) || !blk_mq_hw_queue_mapped(hctx))) return; -- 1.7.1
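Review bot: the added `!hctx ||` in blk_mq_run_hw_queue() silences the crash but leaves the reserved-tag path calling a function with an argument it cannot act on, and nothing at the check says that a NULL hctx is expected rather than a caller bug. Since the commit message already identifies bt_get() on the reserved pool as the only source of the NULL, either skip the kick there (the io_schedule() alternative the message mentions) or keep this hunk and add a one-line comment above the `if`, e.g. `/* reserved-tag allocation has no hctx to run */`, so the next reader does not mistake it for defensive code against an unknown caller. The operand order is correct as written: `!hctx` is evaluated before `test_bit(BLK_MQ_S_STOPPED, &hctx->state)` and before the unchanged `!blk_mq_hw_queue_mapped(hctx)` context line, so neither reads through the NULL pointer.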
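The allocate, kick, retry, sleep sequence that the patch message describes, as an added user-space model that is not kernel code and not part of this patch. The names hctx, bt_get and blk_mq_run_hw_queue are borrowed from the message, but the struct layouts, the two-tag pool, the `completions_pending` counter and the observable counters are all simplifying assumptions so the model runs stand-alone. Three scenarios are worked: the reserved pool (NULL hctx) with every tag taken, which is the path that dereferenced NULL before the fix; a live hctx whose queue run frees a tag so the retry succeeds; and a stopped hctx, where the existing BLK_MQ_S_STOPPED test keeps the queue from being run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BLK_MQ_S_STOPPED 0u
#define NR_TAGS 2            /* assumption: tiny pool so exhaustion is easy to show */
#define NO_TAG (-1)

/* Stand-in for the kernel struct; only the fields this model touches. */
struct blk_mq_hw_ctx {
    unsigned long state;      /* bit BLK_MQ_S_STOPPED, as in the kernel */
    int completions_pending;  /* assumption: IOs a queue run would complete, each freeing a tag */
};

/* One tag bitmap. The reserved pool has no hardware queue, so hctx == NULL. */
struct blk_mq_tags {
    bool in_use[NR_TAGS];
    struct blk_mq_hw_ctx *hctx;
};

/* Counters so the scenarios below can report which path was taken. */
static int queue_runs, queue_runs_skipped, io_schedules;

static bool test_bit(unsigned long bit, const unsigned long *word)
{
    return (*word >> bit) & 1UL;
}

/* Model of blk_mq_run_hw_queue() after the patch. The NULL test is the first
 * operand of ||, so hctx->state is never read when hctx is NULL. */
static void blk_mq_run_hw_queue(struct blk_mq_hw_ctx *hctx, struct blk_mq_tags *tags)
{
    if (!hctx || test_bit(BLK_MQ_S_STOPPED, &hctx->state)) {
        queue_runs_skipped++;
        return;
    }
    queue_runs++;
    /* "Push out pending IO": each completed IO releases one in-use tag. */
    for (int i = 0; i < NR_TAGS && hctx->completions_pending > 0; i++) {
        if (tags->in_use[i]) {
            tags->in_use[i] = false;
            hctx->completions_pending--;
        }
    }
}

/* First free tag in the bitmap, or NO_TAG. */
static int __bt_get(struct blk_mq_tags *tags)
{
    for (int i = 0; i < NR_TAGS; i++) {
        if (!tags->in_use[i]) {
            tags->in_use[i] = true;
            return i;
        }
    }
    return NO_TAG;
}

/* Model of bt_get(): try, kick the hw queue, retry, and otherwise fall through to
 * the sleep path (io_schedule() in the kernel; counted here instead of sleeping). */
static int bt_get(struct blk_mq_tags *tags)
{
    int tag = __bt_get(tags);
    if (tag != NO_TAG)
        return tag;
    blk_mq_run_hw_queue(tags->hctx, tags);   /* tags->hctx is NULL for the reserved pool */
    tag = __bt_get(tags);
    if (tag != NO_TAG)
        return tag;
    io_schedules++;
    return NO_TAG;
}

/* Reserved pool exhausted: the pre-patch code dereferenced NULL here.
 * Returns 1 when the kick was skipped and the caller reached the sleep path. */
int reserved_pool_exhausted(void)
{
    struct blk_mq_tags reserved = { .in_use = { true, true }, .hctx = NULL };
    int sched_before = io_schedules, skip_before = queue_runs_skipped;
    int tag = bt_get(&reserved);
    return tag == NO_TAG && io_schedules == sched_before + 1
           && queue_runs_skipped == skip_before + 1;
}

/* Normal pool with a live hctx and one completion pending: the kick frees tag 0
 * and the retry returns it. */
int normal_pool_kick_frees_tag(void)
{
    struct blk_mq_hw_ctx hctx = { .state = 0, .completions_pending = 1 };
    struct blk_mq_tags tags = { .in_use = { true, true }, .hctx = &hctx };
    return bt_get(&tags);
}

/* Stopped hctx: the existing BLK_MQ_S_STOPPED test keeps the queue from running,
 * so nothing is freed and the caller would sleep (NO_TAG). */
int stopped_queue_not_run(void)
{
    struct blk_mq_hw_ctx hctx = { .state = 1UL << BLK_MQ_S_STOPPED, .completions_pending = 1 };
    struct blk_mq_tags tags = { .in_use = { true, true }, .hctx = &hctx };
    return bt_get(&tags);
}

int main(void)
{
    printf("reserved pool exhausted, no crash: %d\n", reserved_pool_exhausted());
    printf("normal pool, tag after kick: %d\n", normal_pool_kick_frees_tag());
    printf("stopped queue, tag: %d\n", stopped_queue_not_run());
    printf("runs=%d skipped=%d schedules=%d\n", queue_runs, queue_runs_skipped, io_schedules);
    return 0;
}
```

The model deliberately keeps the check in the callee, as the patch does; moving it to bt_get() (skipping the kick whenever tags->hctx is NULL) would give the same observable result in scenario 1 and is the alternative the message mentions.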