From: Chanwoo Lee
To: alim.akhtar@samsung.com, avri.altman@wdc.com, bvanassche@acm.org, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, peter.wang@mediatek.com, vamshigajjela@google.com, alok.a.tiwari@oracle.com, beanhuo@micron.com, can.guo@oss.qualcomm.com, adrian.hunter@intel.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Chanwoo Lee
Subject: [PATCH v2] scsi: ufs: core: Fix NULL pointer dereference in scsi_cmd_priv() calls
Date: Fri, 29 May 2026 10:07:39 +0900
Message-ID: <20260529010739.295391-1-cw9316.lee@samsung.com>

ufshcd_tag_to_cmd() may return NULL if no command is associated with the
given tag. However, several callers dereference the returned cmd pointer
via scsi_cmd_priv() without checking for NULL first, leading to a
potential NULL pointer dereference.

Fix this by adding NULL checks for cmd before calling scsi_cmd_priv()
and moving the lrbp initialization after the NULL check.

Signed-off-by: Chanwoo Lee
Reviewed-by: Bart Van Assche
Reviewed-by: Peter Wang
---
Changes in v2:
- Dropped moving scsi_cmd_priv()/scsi_cmd_to_rq() calls after NULL checks
  in ufshcd_mcq_sq_cleanup() and ufshcd_compl_one_cqe() since the derived
  pointers are not dereferenced before the check (Bart Van Assche)

 drivers/ufs/core/ufs-mcq.c |  7 ++++++-
 drivers/ufs/core/ufshcd.c  | 13 +++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index c1b1d67a1ddc..13b60a2d06db 100644
--- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -637,7 +637,7 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba, struct ufs_hw_queue *hwq, int task_tag) { struct scsi_cmnd *cmd =3D ufshcd_tag_to_cmd(hba, task_tag); - struct ufshcd_lrb *lrbp =3D scsi_cmd_priv(cmd); + struct ufshcd_lrb *lrbp; struct utp_transfer_req_desc *utrd; __le64 cmd_desc_base_addr; bool ret =3D false; @@ -647,6 +647,11 @@ static bool ufshcd_mcq_sqe_search(struct ufs_hba *hba, if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) return true; =20 + if (!cmd) + return false; + + lrbp =3D scsi_cmd_priv(cmd); + mutex_lock(&hwq->sq_mutex); =20 ufshcd_mcq_sq_stop(hba, hwq); diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 9e0336098e26..7481c71c71b8 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -7893,8 +7893,12 @@ static void ufshcd_set_req_abort_skip(struct ufs_hba= *hba, unsigned long bitmap) =20 for_each_set_bit(tag, &bitmap, hba->nutrs) { struct scsi_cmnd *cmd =3D ufshcd_tag_to_cmd(hba, tag); - struct ufshcd_lrb *lrbp =3D scsi_cmd_priv(cmd); + struct ufshcd_lrb *lrbp; =20 + if (!cmd) + continue; + + lrbp =3D scsi_cmd_priv(cmd); lrbp->req_abort_skip =3D true; } } @@ -7915,11 +7919,16 @@ static void ufshcd_set_req_abort_skip(struct ufs_hb= a *hba, unsigned long bitmap) int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) { struct scsi_cmnd *cmd =3D ufshcd_tag_to_cmd(hba, tag); - struct ufshcd_lrb *lrbp =3D scsi_cmd_priv(cmd); + struct ufshcd_lrb *lrbp; int err; int poll_cnt; u8 resp =3D 0xF; =20 + if (!cmd) + return -EINVAL; + + lrbp =3D scsi_cmd_priv(cmd); + for (poll_cnt =3D 100; poll_cnt; poll_cnt--) { err =3D ufshcd_issue_tm_cmd(hba, lrbp->lun, tag, UFS_QUERY_TASK, &resp); --=20 2.43.0
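
Review bot: In ufshcd_mcq_sqe_search() (drivers/ufs/core/ufs-mcq.c), the new "if (!cmd) return false;" is placed after the UFSHCD_QUIRK_MCQ_BROKEN_RTC early return, so a tag with no command yields true on hosts with that quirk and false everywhere else. If that ordering is intended, add a short comment saying what false means for a missing command (nothing to find in the SQ, as opposed to a failed search); otherwise move the NULL check above the quirk check so both paths agree.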
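
Review bot: In the for_each_set_bit() loop of ufshcd_set_req_abort_skip(), only the added "if (!cmd) continue;" is needed to avoid the dereference; moving the lrbp assignment below it is the same kind of change the v2 changelog says was dropped for ufshcd_mcq_sq_cleanup() and ufshcd_compl_one_cqe() because the derived pointer is not dereferenced before the check. Either keep the initializer at the declaration here as well, or say in the commit message why these call sites are handled differently from the two that were dropped.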
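
Review bot: In ufshcd_try_to_abort_task(), the new "return -EINVAL;" for a tag with no command adds an error return that the commit message does not discuss; it says only that ufshcd_tag_to_cmd() may return NULL. Please state whether a missing command at this point means the request has already completed, since an error code would then make callers see a finished command as a failed abort, and document the new return value in a comment above the function. The trailer block also carries no Fixes: tag identifying the commit that introduced the unchecked scsi_cmd_priv() calls.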