scsi: ufs: core: Fix a race condition related to device commands - Linux Stable

diff options

author	Bart Van Assche <bvanassche@acm.org>	2025-03-14 15:51:50 -0700
committer	Martin K. Petersen <martin.petersen@oracle.com>	2025-03-20 20:48:37 -0400
commit	20b97acc4cafa2be8ac91a777de135110e58a90b (patch)
tree	5572805739e661444d8f27c87dd9b7b6ba46d1d0 /rust/helpers/helpers.c
parent	daff37f00c7506ca322ccfce95d342022f06ec58 (diff)
download	linux-stable-20b97acc4cafa2be8ac91a777de135110e58a90b.tar.gz linux-stable-20b97acc4cafa2be8ac91a777de135110e58a90b.tar.bz2 linux-stable-20b97acc4cafa2be8ac91a777de135110e58a90b.zip

scsi: ufs: core: Fix a race condition related to device commands

There is a TOCTOU race in ufshcd_compl_one_cqe(): hba->dev_cmd.complete may be cleared from another thread after it has been checked and before it is used. Fix this race by moving the device command completion from the stack of the device command submitter into struct ufs_hba. This patch fixes the following kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: _raw_spin_lock_irqsave+0x34/0x80 complete+0x24/0xb8 ufshcd_compl_one_cqe+0x13c/0x4f0 ufshcd_mcq_poll_cqe_lock+0xb4/0x108 ufshcd_intr+0x2f4/0x444 __handle_irq_event_percpu+0xbc/0x250 handle_irq_event+0x48/0xb0 Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU") Signed-off-by: Bart Van Assche <bvanassche@acm.org> Link: https://lore.kernel.org/r/20250314225206.1487838-1-bvanassche@acm.org Reviewed-by: Peter Wang <peter.wang@mediatek.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Diffstat (limited to 'rust/helpers/helpers.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: