From: Peter Wang <peter.wang@xxxxxxxxxxxx> When tmc 100 ms timeout and recevied tmc complete ISR concurrently, Bug happen because complete NULL poiner and KE. Fix this racing issue by check NULL and use host_lock protect. Signed-off-by: Peter Wang <peter.wang@xxxxxxxxxxxx> --- drivers/scsi/ufs/ufshcd.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 5c6a58a666d2..6821ceb6783e 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -6442,7 +6442,8 @@ static irqreturn_t ufshcd_tmc_handler(struct ufs_hba *hba) struct request *req = hba->tmf_rqs[tag]; struct completion *c = req->end_io_data; - complete(c); + if (c) + complete(c); ret = IRQ_HANDLED; } spin_unlock_irqrestore(hba->host->host_lock, flags); @@ -6597,7 +6598,10 @@ static int __ufshcd_issue_tm_cmd(struct ufs_hba *hba, * Make sure that ufshcd_compl_tm() does not trigger a * use-after-free. */ + spin_lock_irqsave(hba->host->host_lock, flags); req->end_io_data = NULL; + spin_unlock_irqrestore(hba->host->host_lock, flags); + ufshcd_add_tm_upiu_trace(hba, task_tag, UFS_TM_ERR); dev_err(hba->dev, "%s: task management cmd 0x%.2x timed-out\n", __func__, tm_function); -- 2.18.0
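Review bot: In the ufshcd_tmc_handler() hunk, the new `if (c)` test is only meaningful because the writer side now clears end_io_data under the same host_lock that this handler already holds when it reads it; a one-line comment above `if (c)` saying that a NULL completion means the TM command has already timed out, and that the pairing lock is host_lock, would keep the next reader from "simplifying" one side and reintroducing the race. It would also be worth stating in the commit message (which is otherwise hard to follow: "recevied", "poiner", "KE") that the crash is a NULL dereference in complete() on the completion pointer, since that is what the visible hunk guards.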
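Review bot: In the __ufshcd_issue_tm_cmd() hunk, the added `spin_lock_irqsave(hba->host->host_lock, flags);` uses `flags` without the hunk showing its declaration; please confirm that an `unsigned long flags` is already in scope in this function and, if it is not, add it, otherwise this will not build. The comment directly above the hunk still says "Make sure that ufshcd_compl_tm() does not trigger a use-after-free" while the handler being synchronised against in this patch is ufshcd_tmc_handler(); update the comment to name the right function and to say that the NULL store must be done under host_lock so the handler's `if (c)` check and the store cannot interleave.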