* [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
@ 2026-02-23 6:56 peter.wang
2026-02-23 17:13 ` Bart Van Assche
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: peter.wang @ 2026-02-23 6:56 UTC (permalink / raw)
To: linux-scsi, martin.petersen, avri.altman, alim.akhtar, jejb
Cc: wsd_upstream, linux-mediatek, peter.wang, chun-hung.wu,
alice.chao, cc.chou, chaotian.jing, tun-yu.yu, eddie.huang,
naomi.chu, ed.tsai, bvanassche
From: Peter Wang <peter.wang@mediatek.com>
The kernel log indicates a crash in ufshcd_add_command_trace,
due to a NULL pointer dereference when accessing hwq->id.
This can happen if ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its
id field to prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
---
drivers/ufs/core/ufshcd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ec175a099459..44efb03765b9 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -515,8 +515,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, struct scsi_cmnd *cmd,
if (hba->mcq_enabled) {
struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
-
- hwq_id = hwq->id;
+ if (hwq)
+ hwq_id = hwq->id;
} else {
doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
}
--
2.45.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-23 6:56 [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() peter.wang
@ 2026-02-23 17:13 ` Bart Van Assche
2026-02-24 5:29 ` Peter Wang (王信友)
2026-02-24 16:50 ` Bart Van Assche
2026-02-25 2:08 ` Martin K. Petersen
2 siblings, 1 reply; 9+ messages in thread
From: Bart Van Assche @ 2026-02-23 17:13 UTC (permalink / raw)
To: peter.wang, linux-scsi, martin.petersen, avri.altman, alim.akhtar,
jejb
Cc: wsd_upstream, linux-mediatek, chun-hung.wu, alice.chao, cc.chou,
chaotian.jing, tun-yu.yu, eddie.huang, naomi.chu, ed.tsai
On 2/22/26 10:56 PM, peter.wang@mediatek.com wrote:
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ec175a099459..44efb03765b9 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -515,8 +515,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, struct scsi_cmnd *cmd,
>
> if (hba->mcq_enabled) {
> struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
> -
> - hwq_id = hwq->id;
> + if (hwq)
> + hwq_id = hwq->id;
> } else {
> doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
> }
This will cause "-1" to be assigned to hwq_id instead of a queue number
if a request has already been completed. Wouldn't it be better to
introduce a new helper function that returns READ_ONCE(req->mq_hctx)
->queue_num instead of making the above change?
Thanks,
Bart.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-23 17:13 ` Bart Van Assche
@ 2026-02-24 5:29 ` Peter Wang (王信友)
2026-02-24 16:48 ` Bart Van Assche
0 siblings, 1 reply; 9+ messages in thread
From: Peter Wang (王信友) @ 2026-02-24 5:29 UTC (permalink / raw)
To: linux-scsi@vger.kernel.org, jejb@linux.ibm.com,
avri.altman@sandisk.com, bvanassche@acm.org,
alim.akhtar@samsung.com, martin.petersen@oracle.com
Cc: Alice Chao (趙珮均),
Eddie Huang (黃智傑),
CC Chou (周志杰),
Ed Tsai (蔡宗軒), wsd_upstream,
Chaotian Jing (井朝天),
Chun-Hung Wu (巫駿宏),
Naomi Chu (朱詠田),
linux-mediatek@lists.infradead.org,
Tun-yu Yu (游敦聿)
On Mon, 2026-02-23 at 09:13 -0800, Bart Van Assche wrote:
> This will cause "-1" to be assigned to hwq_id instead of a queue
> number
> if a request has already been completed. Wouldn't it be better to
> introduce a new helper function that returns READ_ONCE(req->mq_hctx)
> ->queue_num instead of making the above change?
>
> Thanks,
>
> Bart.
Hi Bart,
The default value of hwq_id is 0:
u32 hwq_id = 0;
Additionally, since READ_ONCE(req->mq_hctx) could be NULL,
ufshcd_mcq_req_to_hwq already takes this into account, as shown below:
struct ufs_hw_queue *ufshcd_mcq_req_to_hwq(struct ufs_hba *hba,
struct request *req)
{
struct blk_mq_hw_ctx *hctx = READ_ONCE(req->mq_hctx);
return hctx ? &hba->uhq[hctx->queue_num] : NULL;
}
Therefore, there is no need to assign hwq_id separately.
Thanks
Peter
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-24 5:29 ` Peter Wang (王信友)
@ 2026-02-24 16:48 ` Bart Van Assche
2026-02-25 5:53 ` Peter Wang (王信友)
0 siblings, 1 reply; 9+ messages in thread
From: Bart Van Assche @ 2026-02-24 16:48 UTC (permalink / raw)
To: Peter Wang (王信友), linux-scsi@vger.kernel.org,
jejb@linux.ibm.com, martin.petersen@oracle.com
Cc: linux-mediatek@lists.infradead.org
On 2/23/26 9:29 PM, Peter Wang (王信友) wrote:
> Therefore, there is no need to assign hwq_id separately.
Hi Peter,
That's not what I proposed. When ignoring the NULL test, this is what
the current ufshcd_add_command_trace() implementation does:
hwq_id = hba->uhq[READ_ONCE(req->mq_hctx)->queue_num].id;
That's more complicated than necessary. This should be sufficient
(again ignoring the NULL test):
hwq_id = READ_ONCE(req->mq_hctx)->queue_num;
Anyway, since the proposed change probably only results in a small
performance improvement, let's proceed with the current patch.
Bart.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-23 6:56 [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() peter.wang
2026-02-23 17:13 ` Bart Van Assche
@ 2026-02-24 16:50 ` Bart Van Assche
2026-02-25 2:08 ` Martin K. Petersen
2 siblings, 0 replies; 9+ messages in thread
From: Bart Van Assche @ 2026-02-24 16:50 UTC (permalink / raw)
To: peter.wang, linux-scsi, martin.petersen, avri.altman, alim.akhtar,
jejb
Cc: wsd_upstream, linux-mediatek, chun-hung.wu, alice.chao, cc.chou,
chaotian.jing, tun-yu.yu, eddie.huang, naomi.chu, ed.tsai
On 2/22/26 10:56 PM, peter.wang@mediatek.com wrote:
> Kernel log excerpt:
> [ ... ]
>
> Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Bug fixes should have a Fixes: tag. Once that tag has been added, feel
free to add:
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-23 6:56 [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() peter.wang
2026-02-23 17:13 ` Bart Van Assche
2026-02-24 16:50 ` Bart Van Assche
@ 2026-02-25 2:08 ` Martin K. Petersen
2026-02-25 19:45 ` Bart Van Assche
2 siblings, 1 reply; 9+ messages in thread
From: Martin K. Petersen @ 2026-02-25 2:08 UTC (permalink / raw)
To: linux-scsi, avri.altman, alim.akhtar, jejb, peter.wang
Cc: Martin K . Petersen, wsd_upstream, linux-mediatek, chun-hung.wu,
alice.chao, cc.chou, chaotian.jing, tun-yu.yu, eddie.huang,
naomi.chu, ed.tsai, bvanassche
On Mon, 23 Feb 2026 14:56:09 +0800, peter.wang@mediatek.com wrote:
> The kernel log indicates a crash in ufshcd_add_command_trace,
> due to a NULL pointer dereference when accessing hwq->id.
> This can happen if ufshcd_mcq_req_to_hwq() returns NULL.
>
> This patch adds a NULL check for hwq before accessing its
> id field to prevent a kernel crash.
>
> [...]
Applied to 7.0/scsi-fixes, thanks!
[1/1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
https://git.kernel.org/mkp/scsi/c/30df81f2228d
--
Martin K. Petersen
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-24 16:48 ` Bart Van Assche
@ 2026-02-25 5:53 ` Peter Wang (王信友)
0 siblings, 0 replies; 9+ messages in thread
From: Peter Wang (王信友) @ 2026-02-25 5:53 UTC (permalink / raw)
To: linux-scsi@vger.kernel.org, jejb@linux.ibm.com,
bvanassche@acm.org, martin.petersen@oracle.com
Cc: linux-mediatek@lists.infradead.org
On Tue, 2026-02-24 at 08:48 -0800, Bart Van Assche wrote:
> Hi Peter,
>
> That's not what I proposed. When ignoring the NULL test, this is what
> the current ufshcd_add_command_trace() implementation does:
>
> hwq_id = hba->uhq[READ_ONCE(req->mq_hctx)->queue_num].id;
>
> That's more complicated than necessary. This should be sufficient
> (again ignoring the NULL test):
>
> hwq_id = READ_ONCE(req->mq_hctx)->queue_num;
>
> Anyway, since the proposed change probably only results in a small
> performance improvement, let's proceed with the current patch.
>
> Bart.
Hi Bart,
OK, I understand your point. However, there really shouldn’t
be a significant performance difference.
As for the patch with the fixes tag, I don’t think it’s
necessarily an bug in that patch. It seems more like a corner
case that only occurs after errors happen consecutively.
Also, since Martin has already applied it, I won’t add the fixes
tag for now.
Thanks for the review.
Peter
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-25 2:08 ` Martin K. Petersen
@ 2026-02-25 19:45 ` Bart Van Assche
2026-02-28 22:37 ` Martin K. Petersen
0 siblings, 1 reply; 9+ messages in thread
From: Bart Van Assche @ 2026-02-25 19:45 UTC (permalink / raw)
To: Martin K. Petersen, linux-scsi, avri.altman, alim.akhtar, jejb,
peter.wang
Cc: wsd_upstream, linux-mediatek, chun-hung.wu, alice.chao, cc.chou,
chaotian.jing, tun-yu.yu, eddie.huang, naomi.chu, ed.tsai
On 2/24/26 6:08 PM, Martin K. Petersen wrote:
> Applied to 7.0/scsi-fixes, thanks!
>
> [1/1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
> https://git.kernel.org/mkp/scsi/c/30df81f2228d
Hi Martin,
Do you agree that the following should be added to this patch?
Fixes: 4a52338bf288 ("scsi: ufs: core: Add trace event for MCQ")
From commit 4a52338bf288:
@@ -456,9 +458,16 @@ static void ufshcd_add_command_trace(struct ufs_hba
*hba, unsigned int tag,
}
intr = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
- doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
+
+ if (is_mcq_enabled(hba)) {
+ struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
+
+ hwq_id = hwq->id;
+ } else {
+ doorbell = ufshcd_readl(hba,
REG_UTP_TRANSFER_REQ_DOOR_BELL);
+ }
trace_ufshcd_command(dev_name(hba->dev), str_t, tag,
- doorbell, transfer_len, intr, lba, opcode,
group_id);
+ doorbell, hwq_id, transfer_len, intr, lba,
opcode, group_id);
}
Thanks,
Bart.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
2026-02-25 19:45 ` Bart Van Assche
@ 2026-02-28 22:37 ` Martin K. Petersen
0 siblings, 0 replies; 9+ messages in thread
From: Martin K. Petersen @ 2026-02-28 22:37 UTC (permalink / raw)
To: Bart Van Assche
Cc: Martin K. Petersen, linux-scsi, avri.altman, alim.akhtar, jejb,
peter.wang, wsd_upstream, linux-mediatek, chun-hung.wu,
alice.chao, cc.chou, chaotian.jing, tun-yu.yu, eddie.huang,
naomi.chu, ed.tsai
Hi Bart!
> Do you agree that the following should be added to this patch?
>
> Fixes: 4a52338bf288 ("scsi: ufs: core: Add trace event for MCQ")
If I hadn't already applied the patch I would add the tag. However, with
"Fix" and "NULL pointer dereference" in the title, hopefully some AI
will pick it up.
Worst case we can Cc: stable once Linus has pulled it...
--
Martin K. Petersen
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-02-28 22:37 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-23 6:56 [PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() peter.wang
2026-02-23 17:13 ` Bart Van Assche
2026-02-24 5:29 ` Peter Wang (王信友)
2026-02-24 16:48 ` Bart Van Assche
2026-02-25 5:53 ` Peter Wang (王信友)
2026-02-24 16:50 ` Bart Van Assche
2026-02-25 2:08 ` Martin K. Petersen
2026-02-25 19:45 ` Bart Van Assche
2026-02-28 22:37 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox