blkmq: Fix NULL pointer deref when all reserved tags in

When allocating from the reserved tags pool, bt_get() is called with
a NULL hctx.  If all tags are in use, the hw queue is kicked to push
out any pending IO, potentially freeing tags, and tag allocation is
retried.  The problem is that blk_mq_run_hw_queue() doesn't check for
a NULL hctx.  So we avoid it with a simple NULL hctx test.

Tested by hammering mtip32xx with concurrent smartctl/hdparm.

Signed-off-by: Sam Bradshaw <sbradshaw@micron.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Fixes: b32232073e80 ("blk-mq: fix hang in bt_get()")
Cc: stable@kernel.org

Added appropriate comment.

Signed-off-by: Jens Axboe <axboe@fb.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index d53a764b05ea..be3290cc0644 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -278,9 +278,11 @@ static int bt_get(struct blk_mq_alloc_data *data,
                 /*
                  * We're out of tags on this hardware queue, kick any
                  * pending IO submits before going to sleep waiting for
-                 * some to complete.
+                 * some to complete. Note that hctx can be NULL here for
+                 * reserved tag allocation.
                  */
-                blk_mq_run_hw_queue(hctx, false);
+                if (hctx)
+                        blk_mq_run_hw_queue(hctx, false);
 
                 /*
                  * Retry tag allocation after running the hardware queue,