On 6/28/24 12:00 AM, peter.wang@xxxxxxxxxxxx wrote:
From: Peter Wang <peter.wang@xxxxxxxxxxxx> When ufshcd_clear_cmd racing with complete ISR, the completed tag of request's mq_hctx pointer will set NULL by ISR. And ufshcd_clear_cmd call ufshcd_mcq_req_to_hwq will get NULL pointer KE. Return success when request is completed by ISR beacuse sq dosen't need cleanup. The racing flow is: Thread A ufshcd_err_handler step 1 ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_clear_cmd ... ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4
Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>
