The branch main has been updated by jaeyoon: URL: https://cgit.FreeBSD.org/src/commit/?id=ef2d7cc11d04728f2b97d2b0188d77be77d5c252
commit ef2d7cc11d04728f2b97d2b0188d77be77d5c252 Author: Jaeyoon Choi <[email protected]> AuthorDate: 2026-01-05 02:35:52 +0000 Commit: Jaeyoon Choi <[email protected]> CommitDate: 2026-01-05 02:35:52 +0000 ufshci: Fix task management queue num_trackers on failure path Fix a kernel panic caused by the task management queue using the transfer request queue’s num_entries value. Sponsored by: Samsung Electronic Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D54243 --- sys/dev/ufshci/ufshci_ctrlr.c | 8 ++------ sys/dev/ufshci/ufshci_private.h | 2 +- sys/dev/ufshci/ufshci_req_queue.c | 14 +++++--------- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/sys/dev/ufshci/ufshci_ctrlr.c b/sys/dev/ufshci/ufshci_ctrlr.c index ce0da4cab907..0d7994a033c5 100644 --- a/sys/dev/ufshci/ufshci_ctrlr.c +++ b/sys/dev/ufshci/ufshci_ctrlr.c @@ -17,12 +17,8 @@ ufshci_ctrlr_fail(struct ufshci_controller *ctrlr) { ctrlr->is_failed = true; - ufshci_req_queue_fail(ctrlr, - ctrlr->task_mgmt_req_queue.qops.get_hw_queue( - &ctrlr->task_mgmt_req_queue)); - ufshci_req_queue_fail(ctrlr, - ctrlr->transfer_req_queue.qops.get_hw_queue( - &ctrlr->transfer_req_queue)); + ufshci_req_queue_fail(ctrlr, &ctrlr->task_mgmt_req_queue); + ufshci_req_queue_fail(ctrlr, &ctrlr->transfer_req_queue); } static void diff --git a/sys/dev/ufshci/ufshci_private.h b/sys/dev/ufshci/ufshci_private.h index bcb2bcef0230..0665f29d3896 100644 --- a/sys/dev/ufshci/ufshci_private.h +++ b/sys/dev/ufshci/ufshci_private.h @@ -499,7 +499,7 @@ int ufshci_utmr_req_queue_enable(struct ufshci_controller *ctrlr); void ufshci_utr_req_queue_disable(struct ufshci_controller *ctrlr); int ufshci_utr_req_queue_enable(struct ufshci_controller *ctrlr); void ufshci_req_queue_fail(struct ufshci_controller *ctrlr, - struct ufshci_hw_queue *hwq); + struct ufshci_req_queue *req_queue); int ufshci_req_queue_submit_request(struct ufshci_req_queue *req_queue, struct ufshci_request *req, bool is_admin); void ufshci_req_queue_complete_tracker(struct ufshci_tracker *tr); diff --git a/sys/dev/ufshci/ufshci_req_queue.c b/sys/dev/ufshci/ufshci_req_queue.c index df7e4b159278..33008c6b1230 100644 --- a/sys/dev/ufshci/ufshci_req_queue.c +++ b/sys/dev/ufshci/ufshci_req_queue.c @@ -199,11 +199,10 @@ ufshci_req_queue_manual_complete_request(struct ufshci_req_queue *req_queue, void ufshci_req_queue_fail(struct ufshci_controller *ctrlr, - struct ufshci_hw_queue *hwq) + struct ufshci_req_queue *req_queue) { - struct ufshci_req_queue *req_queue; + struct ufshci_hw_queue *hwq = req_queue->qops.get_hw_queue(req_queue); struct ufshci_tracker *tr; - struct ufshci_request *req; int i; if (!mtx_initialized(&hwq->qlock)) @@ -211,16 +210,13 @@ ufshci_req_queue_fail(struct ufshci_controller *ctrlr, mtx_lock(&hwq->qlock); - req_queue = &ctrlr->transfer_req_queue; - - for (i = 0; i < req_queue->num_entries; i++) { + for (i = 0; i < req_queue->num_trackers; i++) { tr = hwq->act_tr[i]; - req = tr->req; if (tr->slot_state == UFSHCI_SLOT_STATE_RESERVED) { mtx_unlock(&hwq->qlock); - ufshci_req_queue_manual_complete_request(req_queue, req, - UFSHCI_DESC_ABORTED, + ufshci_req_queue_manual_complete_request(req_queue, + tr->req, UFSHCI_DESC_ABORTED, UFSHCI_RESPONSE_CODE_GENERAL_FAILURE); mtx_lock(&hwq->qlock); } else if (tr->slot_state == UFSHCI_SLOT_STATE_SCHEDULED) {
