Re: [PATCH] block: fix NPE when resuming SCSI devices using blk-mq
From: Bart Van Assche <hidden>
Date: 2018-07-25 18:13:07
Also in: lkml
On Fri, 2018-07-13 at 15:29 +0200, Patrick Steinhardt wrote:
When power management for SCSI is enabled and if a device uses blk-mq,
it is possible to trigger a `NULL` pointer exception when resuming that
device. The NPE is triggered when trying to dereference the `request_fn`
function pointer of the device's `request_queue`:

__blk_run_queue_uncond:470
__blk_run_queue:490
blk_post_runtime_resume:3889
sdev_runtime_resume:263
scsi_runtime_resume:275

When the SCSI device is being allocated by `scsi_alloc_sdev`, the
device's request queue will either be initialized via
`scsi_mq_alloc_queue` or `scsi_old_alloc_queue`. But the `request_fn`
member of the request queue is in fact only being set in
`scsi_old_alloc_queue`, which will then later cause the mentioned NPE.

Fix the issue by checking whether the `request_fn` is set in
`__blk_run_queue_uncond`. In case it is unset, we'll silently return and
not try to invoke the callback, thus fixing the NPE.

Which kernel version are you using? Can you check whether the following two
commits are in your kernel tree?
* 4fd41a8552af ("SCSI: Fix NULL pointer dereference in runtime PM"; December 2015).
* 765e40b675a9 ("block: disable runtime-pm for blk-mq"; July 2017).
Thanks,
Bart.
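
A user-space model of the two defences named in this thread, added here as an example and not taken from the kernel or from either poster: the `request_fn` NULL check the patch description proposes, and keeping runtime PM off for blk-mq queues as the title of 765e40b675a9 states. Every `model_*` name and the struct layout are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for a request queue; not the kernel's struct. */
struct model_queue {
    void (*request_fn)(struct model_queue *q); /* legacy dispatch callback */
    bool is_mq;       /* queue was set up on the blk-mq path */
    bool runtime_pm;  /* runtime PM enabled for this queue */
    int dispatched;   /* number of times the callback ran */
};

static void legacy_request_fn(struct model_queue *q) { q->dispatched++; }

/* Mirrors the description: only the legacy path installs request_fn. */
static void model_alloc_queue(struct model_queue *q, bool use_mq)
{
    *q = (struct model_queue){ .is_mq = use_mq,
                               .request_fn = use_mq ? NULL : legacy_request_fn };
}

/* Defence 1 (patch description): return silently when no callback is set. */
static bool model_run_queue_uncond(struct model_queue *q)
{
    if (!q->request_fn)
        return false;
    q->request_fn(q);
    return true;
}

/* Defence 2 (commit title): runtime PM is never enabled for blk-mq queues. */
static void model_pm_runtime_init(struct model_queue *q)
{
    q->runtime_pm = !q->is_mq;
}

/* Resume path: only queues with runtime PM enabled reach the dispatch. */
static bool model_post_runtime_resume(struct model_queue *q)
{
    return q->runtime_pm && model_run_queue_uncond(q);
}

int main(void)
{
    struct model_queue legacy, mq;
    model_alloc_queue(&legacy, false); model_pm_runtime_init(&legacy);
    model_alloc_queue(&mq, true);      model_pm_runtime_init(&mq);
    return (model_post_runtime_resume(&legacy) &&
            !model_post_runtime_resume(&mq)) ? 0 : 1;
}
```

With the second defence in place the resume path never reaches the callback for a blk-mq queue, so the NULL check in the first only matters on trees where runtime PM can still be enabled for such a queue.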