Message ID | 20241111-ufs_bug_fix-v1-1-45ad8b62f02e@linaro.org (mailing list archive) |
---|---|
State | New |
Delegated to: | Geert Uytterhoeven |
Headers | show |
Series | scsi: ufs: Bug fixes for ufs core and platform drivers | expand |
On Mon, 2024-11-11 at 23:18 +0530, Manivannan Sadhasivam via B4 Relay wrote: > External email : Please do not click links or open attachments until > you have verified the sender or the content. > > > From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> > > Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). > When > ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due > to > this, any further trigger of the RTC work after ufshcd_remove() would > result in a NULL pointer dereference as below: > > Unable to handle kernel NULL pointer dereference at virtual address > 00000000000002a4 > Workqueue: events ufshcd_rtc_work > Call trace: > _raw_spin_lock_irqsave+0x34/0x8c > pm_runtime_get_if_active+0x24/0xb4 > ufshcd_rtc_work+0x124/0x19c > process_scheduled_works+0x18c/0x2d8 > worker_thread+0x144/0x280 > kthread+0x11c/0x128 > ret_from_fork+0x10/0x20 > > Since RTC work accesses the ufshcd internal structures, it should be > cancelled > when ufshcd is removed. So do that in ufshcd_remove(), as per the > order in > ufshcd_init(). > > Cc: stable@vger.kernel.org # 6.8 > Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support") > Signed-off-by: Manivannan Sadhasivam < > manivannan.sadhasivam@linaro.org> > --- > drivers/ufs/core/ufshcd.c | 1 + > 1 file changed, 1 insertion(+) > > Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Reviewed-by: Bean Huo <beanhuo@micron.com>
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index f5846598d80e..cc2555333512 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -10225,6 +10225,7 @@ void ufshcd_remove(struct ufs_hba *hba) ufs_hwmon_remove(hba); ufs_bsg_remove(hba); ufs_sysfs_remove_nodes(hba->dev); + cancel_delayed_work_sync(&hba->ufs_rtc_update_work); blk_mq_destroy_queue(hba->tmf_queue); blk_put_queue(hba->tmf_queue); blk_mq_free_tag_set(&hba->tmf_tag_set);