1. Patchew
  2. linux
  3. View series

[PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls

Chanwoo Lee posted 1 patch 1 week, 3 days ago 
drivers/ufs/core/ufs-mcq.c |  7 ++++++-
drivers/ufs/core/ufshcd.c  | 13 +++++++++++--
2 files changed, 17 insertions(+), 3 deletions(-)
[PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
Posted by Chanwoo Lee 1 week, 3 days ago 
ufshcd_tag_to_cmd() may return NULL if no command is associated with
the given tag. However, several callers dereference the returned cmd
pointer via scsi_cmd_priv() without checking for NULL first, leading
to a potential NULL pointer dereference.

Fix this by adding NULL checks for cmd before calling scsi_cmd_priv()
and moving the lrbp initialization after the NULL check.

Signed-off-by: Chanwoo Lee <cw9316.lee@samsung.com>
---
Changes in v2:
- Dropped moving scsi_cmd_priv()/scsi_cmd_to_rq() calls after NULL
  checks in ufshcd_mcq_sq_cleanup() and ufshcd_compl_one_cqe() since
  the derived pointers are not dereferenced before the check
  (Bart Van Assche)

 drivers/ufs/core/ufs-mcq.c |  7 ++++++-
 drivers/ufs/core/ufshcd.c  | 13 +++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c
index c1b1d67a1ddc..13b60a2d06db 100644
--- a/drivers/ufs/core/ufs-mcq.c
+++ b/drivers/ufs/core/ufs-mcq.c
@@ -637,7 +637,7 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba,
 				  struct ufs_hw_queue *hwq, int task_tag)
 {
 	struct scsi_cmnd *cmd = ufshcd_tag_to_cmd(hba, task_tag);
-	struct ufshcd_lrb *lrbp = scsi_cmd_priv(cmd);
+	struct ufshcd_lrb *lrbp;
 	struct utp_transfer_req_desc *utrd;
 	__le64  cmd_desc_base_addr;
 	bool ret = false;
@@ -647,6 +647,11 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba,
 	if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC)
 		return true;
 
+	if (!cmd)
+		return false;
+
+	lrbp = scsi_cmd_priv(cmd);
+
 	mutex_lock(&hwq->sq_mutex);
 
 	ufshcd_mcq_sq_stop(hba, hwq);
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 9e0336098e26..7481c71c71b8 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -7893,8 +7893,12 @@ static void ufshcd_set_req_abort_skip(struct ufs_hba *hba, unsigned long bitmap)
 
 	for_each_set_bit(tag, &bitmap, hba->nutrs) {
 		struct scsi_cmnd *cmd = ufshcd_tag_to_cmd(hba, tag);
-		struct ufshcd_lrb *lrbp = scsi_cmd_priv(cmd);
+		struct ufshcd_lrb *lrbp;
 
+		if (!cmd)
+			continue;
+
+		lrbp = scsi_cmd_priv(cmd);
 		lrbp->req_abort_skip = true;
 	}
 }
@@ -7915,11 +7919,16 @@ static void ufshcd_set_req_abort_skip(struct ufs_hba *hba, unsigned long bitmap)
 int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag)
 {
 	struct scsi_cmnd *cmd = ufshcd_tag_to_cmd(hba, tag);
-	struct ufshcd_lrb *lrbp = scsi_cmd_priv(cmd);
+	struct ufshcd_lrb *lrbp;
 	int err;
 	int poll_cnt;
 	u8 resp = 0xF;
 
+	if (!cmd)
+		return -EINVAL;
+
+	lrbp = scsi_cmd_priv(cmd);
+
 	for (poll_cnt = 100; poll_cnt; poll_cnt--) {
 		err = ufshcd_issue_tm_cmd(hba, lrbp->lun, tag, UFS_QUERY_TASK,
 					  &resp);
-- 
2.43.0
Re: [PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
Posted by Martin K. Petersen 6 days, 11 hours ago 
Chanwoo,

> ufshcd_tag_to_cmd() may return NULL if no command is associated with
> the given tag. However, several callers dereference the returned cmd
> pointer via scsi_cmd_priv() without checking for NULL first, leading
> to a potential NULL pointer dereference.
>
> Fix this by adding NULL checks for cmd before calling scsi_cmd_priv()
> and moving the lrbp initialization after the NULL check.

Applied to 7.2/scsi-staging, thanks!

-- 
Martin K. Petersen
Re: [PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
Posted by Bart Van Assche 1 week, 2 days ago 
On 5/28/26 6:07 PM, Chanwoo Lee wrote:
> ufshcd_tag_to_cmd() may return NULL if no command is associated with
> the given tag. However, several callers dereference the returned cmd
> pointer via scsi_cmd_priv() without checking for NULL first, leading
> to a potential NULL pointer dereference.
> 
> Fix this by adding NULL checks for cmd before calling scsi_cmd_priv()
> and moving the lrbp initialization after the NULL check.

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Re: [PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
Posted by Peter Wang (王信友) 1 week, 3 days ago 
On Fri, 2026-05-29 at 10:07 +0900, Chanwoo Lee wrote:
> ufshcd_tag_to_cmd() may return NULL if no command is associated with
> the given tag. However, several callers dereference the returned cmd
> pointer via scsi_cmd_priv() without checking for NULL first, leading
> to a potential NULL pointer dereference.
> 
> Fix this by adding NULL checks for cmd before calling scsi_cmd_priv()
> and moving the lrbp initialization after the NULL check.
> 
> Signed-off-by: Chanwoo Lee <cw9316.lee@samsung.com>
> ---

Reviewed-by: Peter Wang <peter.wang@mediatek.com>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.