[PATCH v1] ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()

Bart Van Assche bvanassche at acm.org
Mon Feb 23 09:13:25 PST 2026


On 2/22/26 10:56 PM, peter.wang at mediatek.com wrote:
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index ec175a099459..44efb03765b9 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -515,8 +515,8 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, struct scsi_cmnd *cmd,
>   
>   	if (hba->mcq_enabled) {
>   		struct ufs_hw_queue *hwq = ufshcd_mcq_req_to_hwq(hba, rq);
> -
> -		hwq_id = hwq->id;
> +		if (hwq)
> +			hwq_id = hwq->id;
>   	} else {
>   		doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
>   	}
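
Review bot: the new `if (hwq)` guard in the `hba->mcq_enabled` branch leaves `hwq_id` at whatever it was initialized to when `ufshcd_mcq_req_to_hwq()` returns NULL, and that initializer is not visible in this hunk. Please confirm it is a defined sentinel that trace consumers can tell apart from a real queue number, and add a short comment saying when `hwq` can be NULL here so the check does not read as papering over an unexpected state. The hunk also drops the blank line between the `struct ufs_hw_queue *hwq = ...` declaration and the first statement; kernel style keeps that blank line, so it should stay above `if (hwq)`.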

This will cause "-1" to be assigned to hwq_id instead of a queue number
if a request has already been completed. Wouldn't it be better to
introduce a new helper function that returns READ_ONCE(req->mq_hctx)
->queue_num instead of making the above change?

Thanks,

Bart.


