2023-11-16 21:35:29

by Bart Van Assche

Subject: Re: [PATCH v2] scsi: ufs: core: fix racing issue during ufshcd_mcq_abort

On 11/13/23 20:37, SEO HOYOUNG wrote:
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
> index 9a730a794b66..55f4c0eeda7b 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -7574,6 +7574,10 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag)
> goto out;
> }
>
> + if (!ufshcd_cmd_inflight(lrbp->cmd) ||
> + test_bit(SCMD_STATE_COMPLETE, &lrbp->cmd->state))
> + goto out;
> +
> err = ufshcd_clear_cmd(hba, tag);
> if (err)
> dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n",
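
Review bot: The added test in ufshcd_try_to_abort_task() is a check-then-act sequence. Nothing in the visible lines holds a lock or otherwise pins the command between `test_bit(SCMD_STATE_COMPLETE, &lrbp->cmd->state)` and the following `ufshcd_clear_cmd(hba, tag)`, so the completion path can still run in that window and the check only narrows the race. Both conditions also dereference `lrbp->cmd` with no NULL test in the hunk; if the completion path can clear that pointer, it should be read once into a local and checked before use. Finally, the new `goto out` does not set `err` in the added lines, so the value returned for an already-completed command depends on earlier code; assigning it explicitly here and adding a short comment on why the abort is skipped would make the intended result clear.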

I think that the above approach is racy: the state of lrbp->cmd can
change after it has been checked and before ufshcd_clear_cmd() is called.

Thanks,

Bart.