CVE-2025-37828

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()<br /> <br /> A race can occur between the MCQ completion path and the abort handler:<br /> once a request completes, __blk_mq_free_request() sets rq-&gt;mq_hctx to<br /> NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in<br /> ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is<br /> dereferenced, the kernel will crash.<br /> <br /> Add a NULL check for the returned hwq pointer. If hwq is NULL, log an<br /> error and return FAILED, preventing a potential NULL-pointer<br /> dereference. As suggested by Bart, the ufshcd_cmd_inflight() check is<br /> removed.<br /> <br /> This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix<br /> ufshcd_abort_one racing issue").<br /> <br /> This is found by our static analysis tool KNighter.