
Commit 2483c24d authored by Sujit Reddy Thumma

scsi: ufs: fix NULL pointer dereference when aborting command



If there is a race between command completion and the scsi timeout,
the scsi timeout ignores the command completion and proceeds with
aborting the command. Since the command completion happens in
interrupt context, it would be prioritized and ufshcd might free
resources before the abort initiated by scsi is completed. Hence, if the
abort routine refers to the command info saved in lrbp it would cause
a NULL pointer dereference. Fix this by using the command info provided
by the scsi layer in the ufshcd_abort() argument.

Change-Id: Ie915880b1c239ef9080cfb5cb74f19329b3a82d4
Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
parent abedad47
+1 −1
@@ -3530,7 +3530,7 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)

	/* Print Transfer Request of aborted task */
	dev_err(hba->dev, "%s: Device abort task at tag %d", __func__, tag);
	scsi_print_command(hba->lrb[tag].cmd);
	scsi_print_command(cmd);
	ufshcd_print_host_regs(hba);
	ufshcd_print_trs(hba, 1 << tag, true);
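
Review bot: The switch to scsi_print_command(cmd) covers only this one print; the context line two below it, ufshcd_print_trs(hba, 1 << tag, true), still operates on the same tag slot, and the hunk does not show whether it reads hba->lrb[tag] fields that the completion path may already have cleared. Since the commit message says the completion interrupt can free resources before the abort finishes, please confirm that ufshcd_print_trs and any later use of the lrb entry in ufshcd_abort() are safe under that race, or guard them with a check that the slot is still outstanding. A one-line comment above scsi_print_command(cmd) noting that hba->lrb[tag].cmd may be NULL at this point would keep the change from being reverted by accident. Separately, the dev_err format string in the context above has no trailing \n.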