If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
notifier can still run for that hctx, return early since hctx cannot
hold any requests.

Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
---
This issue was observed during CPU hotplug. If an hctx is not mapped,
offlining a CPU can trigger a kernel crash.
When a block device does not map all hctx, some hctx instances may remain
unused. These unused hctx can still receive CPU offline notifications and
enter blk_mq_hctx_notify_offline().
blk_mq_hctx_notify_offline() calls blk_mq_hctx_has_requests() to check
whether there are pending requests on the hctx. However, unused hctx do
not have tags allocated, which leads to a crash.
Since an unused hctx cannot have any requests, fix this by returning
early when nr_ctx is zero, skipping blk_mq_hctx_notify_offline().
---
 block/blk-mq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index 1978eef95dca3fb332a73aeff7b9613ee770a8a3..eff4f72ce83be80aac9da86aab35079be7d2b5e4 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3721,7 +3721,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
 			struct blk_mq_hw_ctx, cpuhp_online);
 	int ret = 0;
 
-	if (blk_mq_hctx_has_online_cpu(hctx, cpu))
+	if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
 		return 0;
 
 	/*

---
base-commit: cc3aa43b44bdb43dfbac0fcb51c56594a11338a8
change-id: 20251226-blk_mq_no_ctx_checking-05b68f5b8b9d

Best regards,
-- 
Cong Zhang <cong.zhang@oss.qualcomm.com>

On Tue, 30 Dec 2025 17:17:05 +0800, Cong Zhang wrote:
> If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
> allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
> notifier can still run for that hctx, return early since hctx cannot
> hold any requests.
> 
> 

Applied, thanks!

[1/1] blk-mq: skip CPU offline notify on unmapped hctx
      commit: 10845a105bbcb030647a729f1716c2309da71d33

Best regards,
-- 
Jens Axboe

On Tue, Dec 30, 2025 at 05:17:05PM +0800, Cong Zhang wrote:
> If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
> allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
> notifier can still run for that hctx, return early since hctx cannot
> hold any requests.
> 
> Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>

Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")

> ---
> This issue was observed during CPU hotplug. If an hctx is not mapped,
> offlining a CPU can trigger a kernel crash.
> When a block device does not map all hctx, some hctx instances may remain
> unused. These unused hctx can still receive CPU offline notifications and
> enter blk_mq_hctx_notify_offline().
> blk_mq_hctx_notify_offline() calls blk_mq_hctx_has_requests() to check
> whether there are pending requests on the hctx. However, unused hctx do
> not have tags allocated, which leads to a crash.
> Since an unused hctx cannot have any requests, fix this by returning
> early when nr_ctx is zero, skipping blk_mq_hctx_notify_offline().
> ---
>  block/blk-mq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 1978eef95dca3fb332a73aeff7b9613ee770a8a3..eff4f72ce83be80aac9da86aab35079be7d2b5e4 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -3721,7 +3721,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
>  			struct blk_mq_hw_ctx, cpuhp_online);
>  	int ret = 0;
>  
> -	if (blk_mq_hctx_has_online_cpu(hctx, cpu))
> +	if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
>  		return 0;

Looks correct, and the notify_online handler won't touch hctx->tags:

Reviewed-by: Ming Lei <ming.lei@redhat.com>


Thanks,
Ming