scsi: ufs: fix NULL pointer dereference when aborting command

If there is a race between command completion and the scsi timeout, the scsi timeout ignores the command completion and proceed with aborting the command. Since the command completion happen in interrupt context, it would be prioritized and ufshcd might free resources before abort initiated by scsi is completed. Hence, if the abort routine refers to the command info saved in lrbp it would cause NULL pointer dereference. Fix this by using the command info provided by scsi layer in the ufshcd_abort() argument. Change-Id: Ie915880b1c239ef9080cfb5cb74f19329b3a82d4 Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
author: Sujit Reddy Thumma <sthumma@codeaurora.org> 2013-11-22 09:39:34 +0530
committer: David Keitel <dkeitel@codeaurora.org> 2016-03-22 10:56:12 -0700
commit: ada4c78516d1dbd86c3a8c2fcfbd50e0be69dfd1 (patch)
tree: ff0cf53f4c75f853b99751aefc699a6dffa46e8a
parent: 953a9f7f36069b8d84d78d2811c4c3568def7f8e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index d238b2183a20..626e5b131dd6 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -4090,7 +4090,7 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)
 
 	/* Print Transfer Request of aborted task */
 	dev_err(hba->dev, "%s: Device abort task at tag %d", __func__, tag);
-	scsi_print_command(hba->lrb[tag].cmd);
+	scsi_print_command(cmd);
 	ufshcd_print_host_regs(hba);
 	ufshcd_print_trs(hba, 1 << tag, true);
author	Sujit Reddy Thumma <sthumma@codeaurora.org>	2013-11-22 09:39:34 +0530
committer	David Keitel <dkeitel@codeaurora.org>	2016-03-22 10:56:12 -0700
commit	ada4c78516d1dbd86c3a8c2fcfbd50e0be69dfd1 (patch)
tree	ff0cf53f4c75f853b99751aefc699a6dffa46e8a
parent	953a9f7f36069b8d84d78d2811c4c3568def7f8e (diff)