diff options
| author | Bart Van Assche <bvanassche@acm.org> | 2025-03-14 15:51:50 -0700 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2025-03-20 20:48:37 -0400 |
| commit | 20b97acc4cafa2be8ac91a777de135110e58a90b (patch) | |
| tree | 5572805739e661444d8f27c87dd9b7b6ba46d1d0 /include/ufs | |
| parent | daff37f00c7506ca322ccfce95d342022f06ec58 (diff) | |
| download | linux-20b97acc4cafa2be8ac91a777de135110e58a90b.tar.gz linux-20b97acc4cafa2be8ac91a777de135110e58a90b.tar.bz2 linux-20b97acc4cafa2be8ac91a777de135110e58a90b.zip | |
scsi: ufs: core: Fix a race condition related to device commands
There is a TOCTOU race in ufshcd_compl_one_cqe(): hba->dev_cmd.complete may
be cleared from another thread after it has been checked and before it is
used. Fix this race by moving the device command completion from the stack
of the device command submitter into struct ufs_hba. This patch fixes the
following kernel crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Call trace:
_raw_spin_lock_irqsave+0x34/0x80
complete+0x24/0xb8
ufshcd_compl_one_cqe+0x13c/0x4f0
ufshcd_mcq_poll_cqe_lock+0xb4/0x108
ufshcd_intr+0x2f4/0x444
__handle_irq_event_percpu+0xbc/0x250
handle_irq_event+0x48/0xb0
Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20250314225206.1487838-1-bvanassche@acm.org
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'include/ufs')
| -rw-r--r-- | include/ufs/ufshcd.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index e3909cc691b2..f56050ce9445 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -246,7 +246,7 @@ struct ufs_query { struct ufs_dev_cmd { enum dev_cmd_type type; struct mutex lock; - struct completion *complete; + struct completion complete; struct ufs_query query; }; |