On Fri, 2025-03-14 at 15:51 -0700, Bart Van Assche wrote:
>
> There is a TOCTOU race in ufshcd_compl_one_cqe(): hba->dev_cmd.complete
> may be cleared from another thread after it has been checked and before
> it is used. Fix this race by moving the device command completion from
> the stack of the device command submitter into struct ufs_hba. This
> patch fixes the following kernel crash:
>
> Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000008
> Call trace:
>  _raw_spin_lock_irqsave+0x34/0x80
>  complete+0x24/0xb8
>  ufshcd_compl_one_cqe+0x13c/0x4f0
>  ufshcd_mcq_poll_cqe_lock+0xb4/0x108
>  ufshcd_intr+0x2f4/0x444
>  __handle_irq_event_percpu+0xbc/0x250
>  handle_irq_event+0x48/0xb0
>
> Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU")
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
> ---
>
> Changes compared to v1:
> - Call init_completion() once instead of every time a device management
>   command is submitted.

Reviewed-by: Peter Wang <peter.wang@xxxxxxxxxxxx>
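The check-then-use race the patch describes, as an added user-space model that is not the kernel's code: the old layout keeps only a pointer to a stack-resident completion that another thread can clear between the check and the use, beside the fixed layout with the completion embedded in the hba. `complete_model`, `interleave` and the two struct names are assumptions made for the model, not kernel identifiers.

```c
#include <stddef.h>

struct completion { int done; };
/* Model of complete(): 0 where the kernel would dereference NULL (the
 * crash quoted in the patch description), 1 on success. */
static int complete_model(struct completion *c)
{
	if (!c)
		return 0;
	c->done = 1;
	return 1;
}

/* BEFORE: hba holds only a pointer to a completion on the submitter's
 * stack, and the submitter clears that pointer when it times out. */
struct ufs_hba_old { struct completion *dev_cmd_complete; };
static void timeout_clears_pointer(struct ufs_hba_old *hba)
{
	hba->dev_cmd_complete = NULL;	/* the "other thread" of the patch */
}
/* interleave() stands in for the other thread running between the check
 * and the use; like the real handler, the field is re-read at the use. */
static int compl_one_cqe_old(struct ufs_hba_old *hba,
			     void (*interleave)(struct ufs_hba_old *))
{
	if (!hba->dev_cmd_complete)		/* time of check */
		return 1;
	interleave(hba);			/* race window */
	return complete_model(hba->dev_cmd_complete);	/* time of use */
}
/* AFTER: the completion is embedded in the long-lived hba and set up once,
 * so the handler has no pointer to check and nothing can clear it. */
struct ufs_hba_new { struct completion dev_cmd_complete; };
static int compl_one_cqe_new(struct ufs_hba_new *hba)
{
	return complete_model(&hba->dev_cmd_complete);
}

/* Each returns 1 if the completion handler survived the interleaving. */
int old_layout_survives_race(void)
{
	struct completion on_stack = { 0 };
	struct ufs_hba_old hba = { &on_stack };
	return compl_one_cqe_old(&hba, timeout_clears_pointer);
}
int new_layout_survives_race(void)
{
	struct ufs_hba_new hba = { { 0 } };	/* init_completion() once */
	return compl_one_cqe_new(&hba);
}
```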