ANDROID: scsi: ufs: Fix a race condition related to device command processing

Without this patch, the following race can be triggered between
ufshcd_wait_for_dev_cmd() and ufshcd_compl_one_cqe():
* A device management takes longer than the timeout passed to
  ufshcd_wait_for_dev_cmd().
* ufshcd_clear_cmd() does not clear the device management command.
* ufshcd_wait_for_dev_cmd() clears hba->dev_cmd.complete.
* ufshcd_compl_one_cqe() checks hba->dev_cmd.complete before it is
  cleared and calls complete(hba->dev_cmd.complete) after that
  pointer has been cleared.

This patch fixes the following UBSAN complaint:

Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
Kernel panic - not syncing: UBSAN: array index out of bounds: Fatal exception in interrupt
Call trace:
 panic+0x180/0x36c
 die+0x2e8/0x308
 ubsan_handler+0x2c/0x44
 brk_handler+0x94/0x110
 do_debug_exception+0xa4/0x140
 el1_dbg+0x58/0x70
 el1h_64_sync_handler+0x3c/0x90
 el1h_64_sync+0x68/0x6c
 queued_spin_lock_slowpath+0x2e8/0x488
 _raw_spin_lock_irqsave+0x78/0x80
 complete+0x24/0xb8
 ufshcd_compl_one_cqe+0x13c/0x4f0
 ufshcd_mcq_poll_cqe_lock+0xb4/0x108
 ufshcd_intr+0x2f4/0x444
 __handle_irq_event_percpu+0xbc/0x250
 handle_irq_event+0x48/0xb0
 handle_fasteoi_irq+0x160/0x2d8
 generic_handle_domain_irq+0x44/0x60

Bug: 303649600
Bug: 394687694
Bug: 394722283
Bug: 396768187
Bug: 397077931
Bug: 397202659
Bug: 397254543
Bug: 397410047
Bug: 397438938
Fixes: f10cf63 ("ANDROID: scsi: ufs: add UFSHCD_ANDROID_QUIRK_SET_IID_TO_ONE")
Change-Id: I1054e4b512e309fedff52feb07779ac7717efe24
Signed-off-by: Bart Van Assche <[email protected]>

Author: Bart Van Assche

drivers/ufs/core/ufs-mcq.c

@@ -524,7 +524,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag)
 		goto unlock;
 
 	/* SQCTI = EXT_IID, IID, LUN, Task Tag */
-	nexus = lrbp->lun << 8 | task_tag;
+	nexus = lrbp->ucd_req_ptr->header.iid << 16 | lrbp->lun << 8 | task_tag;
 	opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id);
 	writel(nexus, opr_sqd_base + REG_SQCTI);