commit 8ddc0c26916574395447ebf4cff684314f6873a9
Author: Xingui Yang
Date:   Thu Mar 5 14:40:39 2026 +0800

    scsi: hisi_sas: Fix NULL pointer exception during user_scan()

    user_scan() invokes updated sas_user_scan() for channel 0, and if
    successful, iteratively scans remaining channels (1 to
    shost->max_channel) via scsi_scan_host_selected() in commit
    37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and
    multi-channel scans"). However, hisi_sas supports only one channel, and
    the current value of max_channel is 1. sas_user_scan() for channel 1
    will trigger the following NULL pointer exception:

    [ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
    [ 441.554699] Mem abort info:
    [ 441.554710] ESR = 0x0000000096000004
    [ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
    [ 441.554723] SET = 0, FnV = 0
    [ 441.554726] EA = 0, S1PTW = 0
    [ 441.554730] FSC = 0x04: level 0 translation fault
    [ 441.554735] Data abort info:
    [ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
    [ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
    [ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
    [ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
    [ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
    [ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
    [ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
    [ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
    [ 441.707502] sp : ffff80009abbba40
    [ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
    [ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
    [ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
    [ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
    [ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
    [ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
    [ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
    [ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
    [ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
    [ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
    [ 441.782053] Call trace:
    [ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
    [ 441.789095] sas_target_alloc+0x24/0xb0
    [ 441.792920] scsi_alloc_target+0x290/0x330
    [ 441.797010] __scsi_scan_target+0x88/0x258
    [ 441.801096] scsi_scan_channel+0x74/0xb8
    [ 441.805008] scsi_scan_host_selected+0x170/0x188
    [ 441.809615] sas_user_scan+0xfc/0x148
    [ 441.813267] store_scan+0x10c/0x180
    [ 441.816743] dev_attr_store+0x20/0x40
    [ 441.820398] sysfs_kf_write+0x84/0xa8
    [ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
    [ 441.828487] vfs_write+0x2c0/0x370
    [ 441.831880] ksys_write+0x74/0x118
    [ 441.835271] __arm64_sys_write+0x24/0x38
    [ 441.839182] invoke_syscall+0x50/0x120
    [ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
    [ 441.847611] do_el0_svc+0x24/0x38
    [ 441.850913] el0_svc+0x38/0x158
    [ 441.854043] el0t_64_sync_handler+0xa0/0xe8
    [ 441.858214] el0t_64_sync+0x1ac/0x1b0
    [ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
    [ 441.867946] ---[ end trace 0000000000000000 ]---

    Therefore, set max_channel to 0.

    Fixes: e21fe3a52692 ("scsi: hisi_sas: add initialisation for v3 pci-based controller")
    Signed-off-by: Xingui Yang
    Signed-off-by: Yihang Li
    Link: https://patch.msgid.link/20260305064039.4096775-1-liyihang9@huawei.com
    Signed-off-by: Martin K. Petersen

commit c0b7da13a04bd70ef6070bfb9ea85f582294560a
Author: Vladimir Riabchun
Date:   Tue Feb 10 11:08:22 2026 +0100

    scsi: qla2xxx: Completely fix fcport double free

    In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free().
    When an error happens, this function is called by qla2x00_sp_release(),
    when kref_put() releases the first and the last reference.
    qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport().
    Doing it one more time after kref_put() is a bad idea.

    Fixes: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of fcport")
    Fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset")
    Signed-off-by: Vladimir Riabchun
    Signed-off-by: Farhat Abbas
    Link: https://patch.msgid.link/aYsDln9NFQQsPDgg@vova-pc
    Signed-off-by: Martin K. Petersen

commit b0bd84c39289ef6a6c3827dd52c875659291970a
Author: Wang Shuaiwei
Date:   Sat Mar 7 11:51:28 2026 +0800

    scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend

    In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel
    the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op,
    POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can
    still be running while ufshcd_vops_suspend() is executing. When
    UFSHCD_CAP_CLK_GATING is not supported, the condition
    !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc()
    to be executed. Since ufshcd_vops_suspend() typically performs clock
    gating operations, executing ufshcd_update_rtc() at that moment triggers
    an SError.
    The kernel panic trace is as follows:

    Kernel panic - not syncing: Asynchronous SError Interrupt
    Call trace:
    dump_backtrace+0xec/0x128
    show_stack+0x18/0x28
    dump_stack_lvl+0x40/0xa0
    dump_stack+0x18/0x24
    panic+0x148/0x374
    nmi_panic+0x3c/0x8c
    arm64_serror_panic+0x64/0x8c
    do_serror+0xc4/0xc8
    el1h_64_error_handler+0x34/0x4c
    el1h_64_error+0x68/0x6c
    el1_interrupt+0x20/0x58
    el1h_64_irq_handler+0x18/0x24
    el1h_64_irq+0x68/0x6c
    ktime_get+0xc4/0x12c
    ufshcd_mcq_sq_stop+0x4c/0xec
    ufshcd_mcq_sq_cleanup+0x64/0x1dc
    ufshcd_clear_cmd+0x38/0x134
    ufshcd_issue_dev_cmd+0x298/0x4d0
    ufshcd_exec_dev_cmd+0x1a4/0x1c4
    ufshcd_query_attr+0xbc/0x19c
    ufshcd_rtc_work+0x10c/0x1c8
    process_scheduled_works+0x1c4/0x45c
    worker_thread+0x32c/0x3e8
    kthread+0x120/0x1d8
    ret_from_fork+0x10/0x20

    Fix this by moving cancel_delayed_work_sync() before the call to
    ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is
    fully completed or cancelled at that point.

    Cc: Bean Huo
    Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
    Reviewed-by: Bart Van Assche
    Signed-off-by: Wang Shuaiwei
    Link: https://patch.msgid.link/20260307035128.3419687-1-wangshuaiwei1@xiaomi.com
    Signed-off-by: Martin K. Petersen

commit 4ce7ada40c008fa21b7e52ab9d04e8746e2e9325
Author: Junxiao Bi
Date:   Wed Mar 4 08:46:03 2026 -0800

    scsi: core: Fix error handling for scsi_alloc_sdev()

    After scsi_sysfs_device_initialize() was called, error paths must call
    __scsi_remove_device().

    Fixes: 1ac22c8eae81 ("scsi: core: Fix refcount leak for tagset_refcnt")
    Cc: stable@vger.kernel.org
    Signed-off-by: Junxiao Bi
    Reviewed-by: John Garry
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260304164603.51528-1-junxiao.bi@oracle.com
    Signed-off-by: Martin K. Petersen

commit a4d72d2dd0cbc3ff20f66a9168dd68b191c57409
Author: Mike Christie
Date:   Sun Feb 22 17:27:04 2026 -0600

    scsi: vhost-scsi: Report direction completion support

    This has vhost-scsi report that it supports direct completions.
    When using a worker task per queue or group of queues with fast backends
    then enabling direct completion and submissions increases performance
    20-30% with workloads like:

    fio --filename=/dev/sdb --direct=1 --rw=randrw --bs=8K \
        --ioengine=libaio --iodepth=128 --numjobs=$jobs

    As jobs matches and passes the number of vCPUs in the VM then the benefit
    increases. However, when using a single worker then queueing completions
    and submissions is best as the worker is busy handling mapping data and
    setting/tearing down commands.

    Signed-off-by: Mike Christie
    Link: https://patch.msgid.link/20260222232946.7637-5-michael.christie@oracle.com
    Signed-off-by: Martin K. Petersen

commit e1502d990c8e26fa679b3253ff7db51483e6eb82
Author: Mike Christie
Date:   Sun Feb 22 17:27:03 2026 -0600

    scsi: target: Allow userspace to set the completion type

    This allows userspace to request if we complete in the backend context or
    the frontend driver. It works the same as submission where you can write
    0 to 2 to complete_type:

    0 - Use the fabric driver's preference.
    1 - Complete from the backend calling context if the fabric supports it.
    2 - Queue the completion to LIO's completion workqueue.

    Signed-off-by: Mike Christie
    Link: https://patch.msgid.link/20260222232946.7637-4-michael.christie@oracle.com
    Signed-off-by: Martin K. Petersen

commit 89663fb2e53822863de9cf4bca9636989da96615
Author: Mike Christie
Date:   Sun Feb 22 17:27:02 2026 -0600

    scsi: target: Use driver completion preference by default

    This has us use the driver's completion preference by default. There are
    no behavior changes with this patch and we queue completion to LIO's
    completion workqueue by default.

    Signed-off-by: Mike Christie
    Link: https://patch.msgid.link/20260222232946.7637-3-michael.christie@oracle.com
    Signed-off-by: Martin K. Petersen

commit 06933066d88a3093953b062922c016a67d2cdbf8
Author: Mike Christie
Date:   Sun Feb 22 17:27:01 2026 -0600

    scsi: target: Add support for completing commands from backend context

    To complete a command several drivers just drop their reference and add
    it to list to be processed by a driver specific thread. So there's no
    need to go from backend context to the LIO thread then to the driver's
    thread. When avoiding the LIO thread, IOPS can increase from 20-30% for
    workloads like:

    fio --filename=/dev/sdb --direct=1 --rw=randrw --bs=8K \
        --ioengine=libaio --iodepth=128 --numjobs=$jobs

    where increasing jobs increases the performance improvement (this is
    using NVMe drives with LIO's submit_type=1 to directly submit).

    Add the infrastructure so drivers and userspace can control how to
    complete a command like is done for the submission path. In this commit
    there is no behavior change and we continue to defer to the LIO
    workqueue thread. In the subsequent commits we will allow drivers to
    report what they support and allow userspace to control the behavior.

    Signed-off-by: Mike Christie
    Link: https://patch.msgid.link/20260222232946.7637-2-michael.christie@oracle.com
    Signed-off-by: Martin K. Petersen

commit 7179e626b76eb42f2529c6f6dd6ba88ea2445372
Author: Swarna Prabhu
Date:   Wed Feb 18 20:37:42 2026 -0800

    scsi: sd: Enable sector size > PAGE_SIZE in SCSI sd driver

    The WRITE SAME(16) and WRITE SAME(10) SCSI commands use a page from a
    dedicated mempool (sd_page_pool) for their payload. This pool was
    initialized to allocate single pages, which was sufficient as long as
    the device sector size did not exceed the PAGE_SIZE. Given that block
    layer now supports block size up to 64KB, i.e. beyond PAGE_SIZE,
    initialize a large page pool in sd_probe() if a higher sector device is
    attached, ensuring atomicity. Adapt sd_set_special_bvec() to use large
    page pool when a higher sector size device is attached. Hence enable
    sector sizes > PAGE_SIZE in SCSI sd driver.

    Reviewed-by: Damien Le Moal
    Signed-off-by: Swarna Prabhu
    Co-developed-by: Pankaj Raghav
    Signed-off-by: Pankaj Raghav
    Link: https://patch.msgid.link/20260219043741.276729-2-sw.prabhu6@gmail.com
    Signed-off-by: Martin K. Petersen

commit 14d4ac19d1895397532eec407433c5d74d9da53b
Author: Prithvi Tambewagh
Date:   Mon Feb 16 11:50:02 2026 +0530

    scsi: target: Fix recursive locking in __configfs_open_file()

    In flush_write_buffer, &p->frag_sem is acquired and then the loaded
    store function is called, which, here, is
    target_core_item_dbroot_store(). This function called filp_open(),
    following which these functions were called (in reverse order),
    according to the call trace:

    down_read
    __configfs_open_file
    do_dentry_open
    vfs_open
    do_open
    path_openat
    do_filp_open
    file_open_name
    filp_open
    target_core_item_dbroot_store
    flush_write_buffer
    configfs_write_iter

    target_core_item_dbroot_store() tries to validate the new file path by
    trying to open the file path provided to it; however, in this case, the
    bug report shows:

    db_root: not a directory: /sys/kernel/config/target/dbroot

    indicating that the same configfs file was tried to be opened, on which
    it is currently working on. Thus, it is trying to acquire frag_sem
    semaphore of the same file of which it already holds the semaphore
    obtained in flush_write_buffer(), leading to acquiring the semaphore in
    a nested manner and a possibility of recursive locking.

    Fix this by modifying target_core_item_dbroot_store() to use kern_path()
    instead of filp_open() to avoid opening the file using
    filesystem-specific function __configfs_open_file(), and further
    modifying it to make this fix compatible.

    Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
    Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Prithvi Tambewagh
    Reviewed-by: Dmitry Bogdanov
    Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com
    Signed-off-by: Martin K. Petersen

commit 50209dec14f8c594a9ef26237b7e7ddd39e12a40
Author: Yang Erkun
Date:   Tue Jan 27 14:20:44 2026 +0800

    scsi: sg: Remove deprecated sg-big-buff

    This deprecated sysctl has been broken since commit 26d1c80fd61e
    ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c") and nobody has found
    this. I believe it's time to remove it, which will allow us to clean up
    a significant amount of code.

    Signed-off-by: Yang Erkun
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260127062044.3034148-4-yangerkun@huawei.com
    Signed-off-by: Martin K. Petersen

commit d06a310b45e153872033dd0cf19d5a2279121099
Author: Yang Erkun
Date:   Tue Jan 27 14:20:43 2026 +0800

    scsi: sg: Resolve soft lockup issue when opening /dev/sgX

    The parameter def_reserved_size defines the default buffer size reserved
    for each Sg_fd and should be restricted to a range between 0 and
    1,048,576 (see https://tldp.org/HOWTO/SCSI-Generic-HOWTO/proc.html).
    Although the function sg_proc_write_dressz enforces this limit, it is
    possible to bypass it by directly modifying the module parameter as
    shown below, which then causes a soft lockup:

    echo -1 > /sys/module/sg/parameters/def_reserved_size
    exec 4<> /dev/sg0

    watchdog: BUG: soft lockup - CPU#5 stuck for 26 seconds! [bash:537]
    Modules loaded:
    CPU: 5 UID: 0 PID: 537 Command: bash, kernel version 6.19.0-rc3+ #134, PREEMPT disabled
    Hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS version 1.16.1-2.fc37 dated 04/01/2014
    ...
    Call Trace:
    sg_build_reserve+0x5c/0xa0
    sg_add_sfp+0x168/0x270
    sg_open+0x16e/0x340
    chrdev_open+0xbe/0x230
    do_dentry_open+0x175/0x480
    vfs_open+0x34/0xf0
    do_open+0x265/0x3d0
    path_openat+0x110/0x290
    do_filp_open+0xc3/0x170
    do_sys_openat2+0x71/0xe0
    __x64_sys_openat+0x6d/0xa0
    do_syscall_64+0x62/0x310
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    The fix is to use module_param_cb to validate and reject invalid values
    assigned to def_reserved_size.

    Fixes: 6460e75a104d ("[SCSI] sg: fixes for large page_size")
    Signed-off-by: Yang Erkun
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260127062044.3034148-3-yangerkun@huawei.com
    Signed-off-by: Martin K. Petersen

commit 3033c471aaf675254efaa0da431e95d91a104b41
Author: Yang Erkun
Date:   Tue Jan 27 14:20:42 2026 +0800

    scsi: sg: Fix sysctl sg-big-buff register during sg_init()

    Commit 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c")
    made a mistake. sysctl sg-big-buff was not created because the call to
    register_sg_sysctls() was placed on the wrong code path.

    Fixes: 26d1c80fd61e ("scsi/sg: move sg-big-buff sysctl to scsi/sg.c")
    Signed-off-by: Yang Erkun
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260127062044.3034148-2-yangerkun@huawei.com
    Signed-off-by: Martin K. Petersen

commit 94c125bafa00042daf6d63b4fdd78384abc121fc
Author: Igor Pylypiv
Date:   Mon Feb 9 13:21:51 2026 -0800

    scsi: core: Add 'serial' sysfs attribute for SCSI/SATA

    Add a 'serial' sysfs attribute for SCSI and SATA devices. This attribute
    exposes the Unit Serial Number, which is derived from the Device
    Identification Vital Product Data (VPD) page 0x80. Whitespace is
    stripped from the retrieved serial number to handle the different
    alignment (right-aligned for SCSI, potentially left-aligned for SATA).
    As noted in SAT-5 10.5.3, "Although SPC-5 defines the PRODUCT SERIAL
    NUMBER field as right-aligned, ACS-5 does not require its SERIAL NUMBER
    field to be right-aligned.
    Therefore, right-alignment of the PRODUCT SERIAL NUMBER field for the
    translation is not assured." This attribute is used by tools such as
    lsblk to display the serial number of block devices.

    [mkp: length adjustment]

    Signed-off-by: Igor Pylypiv
    Reviewed-by: Bart Van Assche
    Reviewed-by: Hannes Reinecke
    Link: https://patch.msgid.link/20260209212151.342151-1-ipylypiv@google.com
    Signed-off-by: Martin K. Petersen

commit 80bf3b28d32b431f84f244a8469488eb6d96afbb
Author: Florian Fuchs
Date:   Fri Feb 27 19:18:23 2026 +0100

    scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP

    The Iomega ZIP 100 (Z100P2) can't process IO Advice Hints Grouping mode
    page query. It immediately switches to the status phase 0xb8 after
    receiving the subpage code 0x05 of MODE_SENSE_10 command, which fails
    imm_out() and turns into DID_ERROR of this command, which leads to
    unusable device. This was tested with an Iomega ZIP 100 (Z100P2)
    connected with a StarTech PEX1P2 AX99100 PCIe parallel port card.

    Prior to this fix, Test Unit Ready fails and the drive can't be used:

    IMM: returned SCSI status b8
    sd 7:0:6:0: [sdh] Test Unit Ready failed: Result: hostbyte=0x01 driverbyte=DRIVER_OK

    Signed-off-by: Florian Fuchs
    Link: https://patch.msgid.link/20260227181823.892932-1-fuchsfl@gmail.com
    Signed-off-by: Martin K. Petersen

commit 690d41fae92f0f255b1059d586bf064c63b5bfc3
Author: Pradeep P V K
Date:   Wed Feb 11 18:59:24 2026 +0530

    scsi: ufs: qcom,sc7180-ufshc: dt-bindings: Add UFSHC compatible for x1e80100

    Add UFS Host Controller (UFSHC) compatible for x1e80100 SoC. Use SM8550
    as a fallback since x1e80100 is fully compatible with it.

    Qualcomm UFSHC is no longer compatible with JEDEC UFS-2.0 binding. Avoid
    using the "jedec,ufs-2.0" string in the compatible property.

    [mkp: conflict resolution]

    Acked-by: Manivannan Sadhasivam
    Reviewed-by: Krzysztof Kozlowski
    Signed-off-by: Pradeep P V K
    Link: https://patch.msgid.link/20260211132926.3716716-2-pradeep.pragallapati@oss.qualcomm.com
    Signed-off-by: Martin K. Petersen

commit cf44b6369b8350e46e66bb69ef975c5aa22cec5e
Author: Luca Weiss
Date:   Mon Jan 12 14:53:15 2026 +0100

    scsi: ufs: qcom,sc7180-ufshc: dt-bindings: Document the Milos UFS Controller

    Document the UFS Controller on the Milos SoC.

    Reviewed-by: Krzysztof Kozlowski
    Signed-off-by: Luca Weiss
    Link: https://patch.msgid.link/20260112-milos-ufs-v2-2-d3ce4f61f030@fairphone.com
    Signed-off-by: Martin K. Petersen

commit dbd53975ed4132d161b6a97ebe785a262380182d
Author: Ranjan Kumar
Date:   Wed Feb 25 13:56:22 2026 +0530

    scsi: mpi3mr: Clear reset history on ready and recheck state after timeout

    The driver retains reset history even after the IOC has successfully
    reached the READY state. That leaves stale reset information active
    during normal operation and can mislead recovery and diagnostics. In
    addition, if the IOC becomes READY just as the ready timeout loop exits,
    the driver still follows the failure path and may retry or report
    failure incorrectly.

    Clear reset history once READY is confirmed so driver state matches
    actual IOC status. After the timeout loop, recheck the IOC state and
    treat READY as success instead of failing.

    Signed-off-by: Ranjan Kumar
    Link: https://patch.msgid.link/20260225082622.82588-1-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen

commit 5e0d4fdb98f3ab4c25aabda00b31dd5d4a806638
Author: Randy Dunlap
Date:   Tue Feb 24 15:49:54 2026 -0800

    scsi: lpfc: ELIMINATE kernel-doc warnings in lpfc.h

    Avoid all kernel-doc warnings in lpfc.h:

    - Use the correct function parameter name
    - Add a '*' to a kernel-doc line
    - Repair the function Returns: comments

    Fixes these warnings:

    Warning: drivers/scsi/lpfc/lpfc.h:1674 No description found for return value of 'lpfc_next_online_cpu'
    Warning: drivers/scsi/lpfc/lpfc.h:1686 No description found for return value of 'lpfc_next_present_cpu'
    Warning: drivers/scsi/lpfc/lpfc.h:1700 function parameter 'eq' not described in 'lpfc_sli4_mod_hba_eq_delay'
    Warning: drivers/scsi/lpfc/lpfc.h:1755 bad line: --------------------------
    Warning: drivers/scsi/lpfc/lpfc.h:1759 No description found for return value of 'lpfc_is_vmid_enabled'

    Signed-off-by: Randy Dunlap
    Reviewed-by: Justin Tee
    Link: https://patch.msgid.link/20260224234954.3606638-1-rdunlap@infradead.org
    Signed-off-by: Martin K. Petersen

commit 1ac22c8eae81366101597d48360718dff9b9d980
Author: Junxiao Bi
Date:   Mon Feb 23 15:27:28 2026 -0800

    scsi: core: Fix refcount leak for tagset_refcnt

    This leak will cause a hang when tearing down the SCSI host.
    For example, iscsid hangs with the following call trace:

    [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured

    PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid"
    #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4
    #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f
    #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0
    #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f
    #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b
    #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp]
    #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi]
    #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi]
    #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6
    #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef

    Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free")
    Cc: stable@vger.kernel.org
    Signed-off-by: Junxiao Bi
    Reviewed-by: Mike Christie
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com
    Signed-off-by: Martin K. Petersen

commit e521b77688365e0ed495baa6dae4905428a9f517
Author: Bart Van Assche
Date:   Mon Feb 23 14:00:30 2026 -0800

    scsi: megaraid_sas: Protect more code with instance->reset_mutex

    megasas_get_device_list() and megasas_get_snapdump_properties() may
    unlock instance->reset_mutex indirectly. Hence, hold reset_mutex while
    calling these functions.

    Cc: Kashyap Desai
    Cc: Sumit Saxena
    Cc: Shivasharan S
    Cc: Chandrakanth patil
    Cc: James E.J. Bottomley
    Cc: Martin K. Petersen
    Cc: megaraidlinux.pdl@broadcom.com
    Cc: linux-scsi@vger.kernel.org
    Signed-off-by: Bart Van Assche
    Link: https://patch.msgid.link/20260223220102.2158611-31-bart.vanassche@linux.dev
    Signed-off-by: Martin K. Petersen

commit fc803a39c42ad3887796cb3afbf7bdd4221199bf
Author: Bart Van Assche
Date:   Mon Feb 23 14:00:29 2026 -0800

    scsi: fnic: Make fnic_queuecommand() easier to analyze

    Move a spin_unlock_irqrestore() call such that the io_lock_acquired
    variable can be eliminated. This patch prepares for enabling the Clang
    thread-safety analyzer.

    Cc: Satish Kharat
    Cc: Sesidhar Baddela
    Cc: Karan Tilak Kumar
    Cc: James E.J. Bottomley
    Cc: Martin K. Petersen
    Cc: linux-scsi@vger.kernel.org
    Signed-off-by: Bart Van Assche
    Reviewed-by: Karan Tilak Kumar
    Link: https://patch.msgid.link/20260223220102.2158611-30-bart.vanassche@linux.dev
    Signed-off-by: Martin K. Petersen

commit 2f38fd99c0004676d835ae96ac4f3b54edc02c82
Author: wangshuaiwei
Date:   Tue Feb 24 14:32:28 2026 +0800

    scsi: ufs: core: Fix shift out of bounds when MAXQ=32

    According to JESD223F, the maximum number of queues (MAXQ) is 32. When
    MCQ is enabled and ESI is disabled, nr_hw_queues=32 causes a shift
    overflow problem.

    Fix this by using 64-bit intermediate values to handle the
    nr_hw_queues=32 case safely.

    Signed-off-by: wangshuaiwei
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260224063228.50112-1-wangshuaiwei1@xiaomi.com
    Signed-off-by: Martin K. Petersen

commit 47e088c9d1a06e0f762ac7ea62ae48c9e16c4def
Author: Karan Tilak Kumar
Date:   Tue Feb 17 14:39:43 2026 -0800

    scsi: fnic: Bump up version number

    Bump up version number.

    Tested-by: Karan Tilak Kumar
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Karan Tilak Kumar
    Link: https://patch.msgid.link/20260217223943.7938-5-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit 927b5282df6463fea8eeb1342e58cec0fa03b35e
Author: Karan Tilak Kumar
Date:   Tue Feb 17 14:39:42 2026 -0800

    scsi: fnic: Refactor in_remove flag and call to fnic_fcpio_reset()

    Modify logic to remove unnecessary acquire/release of spinlock to set
    in_remove flag.
    There's also no need to check for init status to call fnic_fcpio_reset.

    Tested-by: Karan Tilak Kumar
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Karan Tilak Kumar
    Co-developed-by: Hannes Reinecke
    Link: https://patch.msgid.link/20260217223943.7938-4-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit 31eda39bfd468a0fbabc0179e913c0755377e3b5
Author: Karan Tilak Kumar
Date:   Tue Feb 17 14:39:41 2026 -0800

    scsi: fnic: Rename fnic_scsi_fcpio_reset()

    The function has no dependency on SCSI/FCP, so rename it to
    fnic_fcpio_reset() and move it to fnic_fcs.c

    Tested-by: Karan Tilak Kumar
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: Hannes Reinecke
    Reviewed-by: Lee Duncan
    Signed-off-by: Karan Tilak Kumar
    Co-developed-by: Hannes Reinecke
    Link: https://patch.msgid.link/20260217223943.7938-3-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit a59d1caf1ded07e38a0f6e98c6491a75faedd70f
Author: Karan Tilak Kumar
Date:   Tue Feb 17 14:39:40 2026 -0800

    scsi: fnic: Do not use GFP_ZERO for mempools

    One cannot use the GFP_ZERO flag for mempool allocation, so use memset()
    instead.

    Tested-by: Karan Tilak Kumar
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: Hannes Reinecke
    Reviewed-by: Lee Duncan
    Signed-off-by: Karan Tilak Kumar
    Co-developed-by: Hannes Reinecke
    Link: https://patch.msgid.link/20260217223943.7938-2-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit 0e07baae55bc319e4e9559fee352b9252a467db6
Author: Karan Tilak Kumar
Date:   Tue Feb 17 14:39:39 2026 -0800

    scsi: fnic: Use mempool for receive frames

    The receive frames are constantly replenished so we should rather use a
    mempool here. fip_frame_queue is an rxq. Deallocate it in
    fnic_free_rxq().

    Tested-by: Karan Tilak Kumar
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Karan Tilak Kumar
    Co-developed-by: Hannes Reinecke
    Link: https://patch.msgid.link/20260217223943.7938-1-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit f707860ebc84dd07148c3855e2f0fa9f41a3ed4a
Author: Peter Wang
Date:   Tue Feb 10 15:17:30 2026 +0800

    scsi: ufs: core: Support UFSHCI 4.1 CQ entry tag

    The UFSHCI 4.1 specification introduces a new completion queue (CQ)
    entry format, allowing the tag to be obtained directly.

    Signed-off-by: Peter Wang
    Reviewed-by: Bean Huo
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260210071834.1837878-1-peter.wang@mediatek.com
    Signed-off-by: Martin K. Petersen

commit 3abe4113e784b4a1135fe0e89828afecbfebf862
Author: Peter Wang
Date:   Tue Feb 10 14:41:44 2026 +0800

    scsi: ufs: core: Add debug log for MCQ command timeout

    It is difficult to debug situations where an MCQ command timeout occurs,
    the corresponding CQ tag response is received, but the request is not
    completed. Add a one-line log to indicate when the CQ entry is abnormal.

    Signed-off-by: Peter Wang
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260210070837.1820710-3-peter.wang@mediatek.com
    Signed-off-by: Martin K. Petersen

commit 01517654bc258efb2610e53e99fa4ef641d134b9
Author: Peter Wang
Date:   Tue Feb 10 14:41:43 2026 +0800

    scsi: ufs: core: Add debug log for UIC command timeout

    It is difficult to debug when a UIC command timeout occurs
    simultaneously with a UIC command complete interrupt. Currently, we only
    see the timeout log without any debug information, making it unclear
    whether the UFS device failed to respond or the host entered an
    incorrect state. Add a one-line log to cover this situation.

    Signed-off-by: Peter Wang
    Reviewed-by: Bart Van Assche
    Link: https://patch.msgid.link/20260210070837.1820710-2-peter.wang@mediatek.com
    Signed-off-by: Martin K. Petersen

commit 931c105de11c2e0e9675fbc061b16a9c5f134dcf
Author: Thorsten Blum
Date:   Tue Feb 24 15:48:27 2026 +0100

    scsi: BusLogic: Replace deprecated strcpy() + strcat() in blogic_rdconfig()

    strcpy() is deprecated [1] and using strcat() is discouraged. Replace
    them with scnprintf(). No functional changes.

    Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strcpy [1]
    Signed-off-by: Thorsten Blum
    Link: https://patch.msgid.link/20260224144828.585577-1-thorsten.blum@linux.dev
    Signed-off-by: Martin K. Petersen

commit 6446e8c2b6c76b4d253c46352540ca1f5fa3f854
Author: Justin Tee
Date:   Thu Feb 12 13:30:08 2026 -0800

    scsi: lpfc: Update lpfc version to 14.4.0.14

    Update lpfc version to 14.4.0.14.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-14-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 107cb8ed4f44eeb17f9624e183603c0b885ef039
Author: Justin Tee
Date:   Thu Feb 12 13:30:07 2026 -0800

    scsi: lpfc: Update copyright year string for 2026

    Update copyright string to 2026 for this version patch set.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-13-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 5807d96c46d5ccfb4c247f16653e616e8c90ae06
Author: Justin Tee
Date:   Thu Feb 12 13:30:06 2026 -0800

    scsi: lpfc: Restrict first burst to non-FCoE and SLI4 adapters only

    First burst is only supported on adapters running in SLI4 mode and that
    are non-FCoE based. Include sli_rev and FCoE mode checks before setting
    the write transfer ready disabled bit in PRLIs.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-12-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 9714c5463fd1d963fe30193ed75b9578e84278ab
Author: Justin Tee
Date:   Thu Feb 12 13:30:05 2026 -0800

    scsi: lpfc: Update class of service bit field to 3 bits for WQE submissions

    WQE submissions only require a 3 bit field when specifying the class of
    service to use. So, update WQE submission paths to use a 3 bit field
    instead of 0x0f as the bit mask. A NLP_FCP_CLASS_MASK bitmask is defined
    to ensure only a 3 bit mask is used.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-11-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 559a6c2ab097695f7b3cd4fdd5f6aca81ae3da09
Author: Justin Tee
Date:   Thu Feb 12 13:30:04 2026 -0800

    scsi: lpfc: Add clean up of aborted NVMe commands during PCI fcn reset

    When handling a PCI function reset, notification to the NVMe transport
    layer is skipped for outstanding aborted NVMe I/O. Introduce a new
    routine called lpfc_nvme_flush_abts_list(), which notifies upper NVMe
    transport layer of outstanding aborted NVMe I/O that are not planned to
    be completed normally due to a PCI function reset request.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-10-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 2da10bcaa58a389ca60f8e788180e0dca00739bc
Author: Justin Tee
Date:   Thu Feb 12 13:30:03 2026 -0800

    scsi: lpfc: Fix incorrect txcmplq_cnt during cleanup in lpfc_sli_abort_ring()

    When a port is offline in lpfc_sli_abort_ring, the phba->txcmplq is
    cleared but the phba->txcmplq_cnt is not reset to zero. This can
    sometimes result in a phba->txcmplq_cnt that never reaches zero, which
    hangs the cleanup process.

    Update lpfc_sli_abort_ring so that txcmplq_cnt is reset to zero and also
    ensure that the LPFC_IO_ON_TXCMPLQ flag is properly cleared.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-9-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 6b0bcf4b6430688984fe1ee69fce7165a3e24b92
Author: Justin Tee
Date:   Thu Feb 12 13:30:02 2026 -0800

    scsi: lpfc: Cleanup error exit paths in lpfc_fdmi_cmd() and associated messages

    Error labels in lpfc_fdmi_cmd() accidentally return success status and
    can potentially leak memory. Change error exit path status to return a
    non-zero value using a common exit path for failure cases. The error
    path also frees allocated memory and provides logging.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-8-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit f6bfb8d149336661bb80e62980da9a45b920403c
Author: Justin Tee
Date:   Thu Feb 12 13:30:01 2026 -0800

    scsi: lpfc: Remove unnecessary ndlp kref get in lpfc_check_nlp_post_devloss

    When NLP_IN_RECOV_POST_DEV_LOSS is set, the initial node reference
    remains held while recovery is in progress. Taking a reference when
    NLP_IN_RECOV_POST_DEV_LOSS is cleared results in an additional reference
    being held. This causes an extra reference when cleaning up lpfc_vport
    instances. Thus, remove the extraneous ndlp kref get in
    lpfc_check_nlp_post_devloss.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-7-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 70b468d41b822e4b510761120be3924df966a62d
Author: Justin Tee
Date:   Thu Feb 12 13:30:00 2026 -0800

    scsi: lpfc: Reduce pointer chasing when accessing vmid_flag

    For all FLOGI completions, the vport->phba->pport pointer is actually a
    pointer to the original vport pointer because FLOGIs always complete on
    the physical lpfc_vport object. Thus, we can reduce the
    vport->phba->pport->vmid_flag dereference to simply vport->vmid_flag.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-6-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit f8c599ad90f53dbe2246935f90ff49693c26b34f
Author: Justin Tee
Date:   Thu Feb 12 13:29:59 2026 -0800

    scsi: lpfc: Use min_t() instead of min() in lpfc_sli4_driver_resource_setup

    The member called cfg_sg_dma_buf_size is declared as a u32, while the
    min comparator's second argument called SLI4_PAGE_SIZE is a #define.
    Proper comparison should be using the same type, therefore change to use
    min_t.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-5-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 5f442e54e9ef662aaad736ca1af13f20d0448f08
Author: Justin Tee
Date:   Thu Feb 12 13:29:58 2026 -0800

    scsi: lpfc: Add log messages to fabric login error labels

    Should fabric login or related initialization mailbox commands fail,
    there are no log messages to notify which step encountered an issue.
    Update error label paths to log when unexpected fabric login issues
    occur.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-4-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit b4082ac8e62ca669beabddff47238cdb33ea47dc
Author: Justin Tee
Date:   Thu Feb 12 13:29:57 2026 -0800

    scsi: lpfc: Log discarded and insufficient RQE buffer events

    An RCQE with statuses indicating that an RQE is dropped or when there
    are insufficient buffers to receive new RQEs are currently occurring
    silently. Add a new log message to warn when such events occur.

    Signed-off-by: Justin Tee
    Link: https://patch.msgid.link/20260212213008.149873-3-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 8ecb3ec244acd7db2a6c071d53eb4870619fb5e6
Author: Justin Tee
Date:   Thu Feb 12 13:29:56 2026 -0800

    scsi: lpfc: Update log message when ndlp kref get is unsuccessful

    If kref_get_unless_zero on ndlp->kref is unsuccessful, then there's no
    point to log kref_read(&ndlp->kref) because it will of course be zero.
    In such cases, ndlp->vport would also be an invalid pointer.
Thus, use pr_info() instead of lpfc_printf_vlog() to log when a kref get is attempted on an ndlp with a zero kref. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-2-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 62c015373e1cdb1cdca824bd2dbce2dac0819467 Author: Peter Wang Date: Mon Feb 23 18:37:57 2026 +0800 scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Move the link recovery trigger from ufshcd_uic_pwr_ctrl() to __ufshcd_wl_resume(). Ensure link recovery is only attempted when hibern8 exit fails during resume, not during hibern8 enter in suspend. Improve error handling and prevent unnecessary link recovery attempts. Fixes: 35dabf4503b9 ("scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume") Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260223103906.2533654-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 30df81f2228d65bddf492db3929d9fcaffd38fc5 Author: Peter Wang Date: Mon Feb 23 14:56:09 2026 +0800 scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL. This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash. 
Kernel log excerpt: [] notify_die+0x4c/0x8c [] __die+0x60/0xb0 [] die+0x4c/0xe0 [] die_kernel_fault+0x74/0x88 [] __do_kernel_fault+0x314/0x318 [] do_page_fault+0xa4/0x5f8 [] do_translation_fault+0x34/0x54 [] do_mem_abort+0x50/0xa8 [] el1_abort+0x3c/0x64 [] el1h_64_sync_handler+0x44/0xcc [] el1h_64_sync+0x80/0x88 [] ufshcd_add_command_trace+0x23c/0x320 [] ufshcd_compl_one_cqe+0xa4/0x404 [] ufshcd_mcq_poll_cqe_lock+0xac/0x104 [] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod] [] __handle_irq_event_percpu+0xc8/0x348 [] handle_irq_event+0x3c/0xa8 [] handle_fasteoi_irq+0xf8/0x294 [] generic_handle_domain_irq+0x54/0x80 [] gic_handle_irq+0x1d4/0x330 [] call_on_irq_stack+0x44/0x68 [] do_interrupt_handler+0x78/0xd8 [] el1_interrupt+0x48/0xa8 [] el1h_64_irq_handler+0x14/0x24 [] el1h_64_irq+0x80/0x88 [] arch_local_irq_enable+0x4/0x1c [] cpuidle_enter+0x34/0x54 [] do_idle+0x1dc/0x2f8 [] cpu_startup_entry+0x30/0x3c [] secondary_start_kernel+0x134/0x1ac [] __secondary_switched+0xc4/0xcc Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260223065657.2432447-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 97af85787c1964a7e7b146c5d4e021f089af47ea Author: Karan Tilak Kumar Date: Tue Feb 17 12:46:58 2026 -0800 scsi: snic: MAINTAINERS: Update snic maintainers Update snic maintainers. Signed-off-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260217204658.5465-1-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit af3973e7b4fd91e6884b312526168869fb013d68 Author: Thomas Fourier Date: Mon Feb 16 15:10:55 2026 +0100 scsi: snic: Remove unused linkstatus The (struct vnic_dev).linkstatus buffer is freed in svnic_dev_unregister() and referenced in svnic_dev_link_status() but never alloc'd. This means (struct vnic_dev).linkstatus is always null and the dealloc the reference in svnic_dev_link_status() is dead code. 
Signed-off-by: Thomas Fourier Acked-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260216141056.59429-2-fourier.thomas@gmail.com Signed-off-by: Martin K. Petersen commit 38353c26db28efd984f51d426eac2396d299cca7 Author: Salomon Dushimirimana Date: Fri Feb 13 19:28:06 2026 +0000 scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled. Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") Signed-off-by: Salomon Dushimirimana Reviewed-by: Damien Le Moal Link: https://patch.msgid.link/20260213192806.439432-1-salomondush@google.com Signed-off-by: Martin K. Petersen commit fa96392ebebc8fade2b878acb14cce0f71016503 Author: Ranjan Kumar Date: Thu Feb 12 12:30:26 2026 +0530 scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. 
Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 5b313760059c9df7d60aba7832279bcb81b4aec0 Author: Won Jung Date: Wed Feb 11 15:01:05 2026 +0900 scsi: ufs: core: Reset urgent_bkops_lvl to allow runtime PM power mode Ensures that UFS Runtime PM can achieve power saving after System PM suspend by resetting hba->urgent_bkops_lvl. Also modify the ufshcd_bkops_exception_event_handler to avoid setting urgent_bkops_lvl when status is 0, which helps maintain optimal power management. On UFS devices supporting UFSHCD_CAP_AUTO_BKOPS_SUSPEND, a BKOPS exception event can lead to a situation where UFS Runtime PM can't enter low-power mode states even after the BKOPS exception has been resolved. BKOPS exception with bkops status 0 occurs, the driver logs: "ufshcd_bkops_exception_event_handler: device raised urgent BKOPS exception for bkops status 0" When a BKOPS exception occurs, ufshcd_bkops_exception_event_handler() reads the BKOPS status and sets hba->urgent_bkops_lvl to BKOPS_STATUS_NO_OP(0). This allows the device to perform Runtime PM without changing the UFS power mode. (__ufshcd_wl_suspend(hba, UFS_RUNTIME_PM)) During system PM suspend, ufshcd_disable_auto_bkops() is called, disabling auto bkops. After UFS System PM Resume, when runtime PM attempts to suspend again, ufshcd_urgent_bkops() is invoked. Since hba->urgent_bkops_lvl remains at BKOPS_STATUS_NO_OP(0), ufshcd_enable_auto_bkops() is triggered. However, in ufshcd_bkops_ctrl(), the driver compares the current BKOPS status with hba->urgent_bkops_lvl, and only enables auto bkops if curr_status >= hba->urgent_bkops_lvl. 
Since both values are 0, the condition is met As a result, __ufshcd_wl_suspend(hba, UFS_RUNTIME_PM) skips power mode transitions and remains in an active state, preventing power saving even though no urgent BKOPS condition exists. Signed-off-by: Won Jung Reviewed-by: Peter Wang Link: https://patch.msgid.link/1891546521.01770806581968.JavaMail.epsvc@epcpadp2new Signed-off-by: Martin K. Petersen commit 70ca8caa96ce473647054f5c7b9dab5423902402 Author: Tomas Henzl Date: Tue Feb 10 20:18:50 2026 +0100 scsi: ses: Fix devices attaching to different hosts On a multipath SAS system some devices don't end up with correct symlinks from the SCSI device to its enclosure. Some devices even have enclosure links pointing to enclosures attached to different SCSI hosts. ses_match_to_enclosure() calls enclosure_for_each_device() which iterates over all enclosures on the system, not just enclosures attached to the current SCSI host. Replace the iteration with a direct call to ses_enclosure_find_by_addr(). Reviewed-by: David Jeffery Signed-off-by: Tomas Henzl Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com Signed-off-by: Martin K. Petersen commit 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed Author: Alexey Charkov Date: Mon Feb 9 19:17:34 2026 +0400 scsi: ufs: core: Fix RPMB region size detection for UFS 2.2 Older UFS spec devices (2.2 and earlier) do not expose per-region RPMB sizes, as only one RPMB region is supported. In such cases, the size of the single RPMB region can be deduced from the Logical Block Count and Logical Block Size fields in the RPMB Unit Descriptor. Add a fallback mechanism to calculate the RPMB region size from these fields if the device implements an older spec, so that the RPMB driver can work with such devices - otherwise it silently skips the whole RPMB. 
Section 14.1.4.6 (RPMB Unit Descriptor) Link: https://www.jedec.org/system/files/docs/JESD220C-2_2.pdf Cc: stable@vger.kernel.org Fixes: b06b8c421485 ("scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices") Reviewed-by: Bean Huo Signed-off-by: Alexey Charkov Link: https://patch.msgid.link/20260209-ufs-rpmb-v3-1-b1804e71bd38@flipper.net Signed-off-by: Martin K. Petersen commit 57297736c08233987e5d29ce6584c6ca2a831b12 Author: Jan Kiszka Date: Thu Jan 29 15:30:39 2026 +0100 scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common [ 415.140846] Preemption disabled at: [ 415.140847] [] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)} [ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024 [ 415.140857] Call Trace: [ 415.140861] [ 415.140861] ? 
storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140863] dump_stack_lvl+0x91/0xb0 [ 415.140870] __schedule_bug+0x9c/0xc0 [ 415.140875] __schedule+0xdf6/0x1300 [ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980 [ 415.140879] ? rcu_is_watching+0x12/0x60 [ 415.140883] schedule_rtlock+0x21/0x40 [ 415.140885] rtlock_slowlock_locked+0x502/0x1980 [ 415.140891] rt_spin_lock+0x89/0x1e0 [ 415.140893] hv_ringbuffer_write+0x87/0x2a0 [ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0 [ 415.140900] ? rcu_is_watching+0x12/0x60 [ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc] [ 415.140904] ? HARDIRQ_verbose+0x10/0x10 [ 415.140908] ? __rq_qos_issue+0x28/0x40 [ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod] [ 415.140926] __blk_mq_issue_directly+0x4a/0xc0 [ 415.140928] blk_mq_issue_direct+0x87/0x2b0 [ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440 [ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0 [ 415.140935] __blk_flush_plug+0xf4/0x150 [ 415.140940] __submit_bio+0x2b2/0x5c0 [ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360 [ 415.140946] submit_bio_noacct_nocheck+0x272/0x360 [ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4] [ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4] [ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4] [ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4] [ 415.141060] generic_perform_write+0x14e/0x2c0 [ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4] [ 415.141083] vfs_write+0x2ca/0x570 [ 415.141087] ksys_write+0x76/0xf0 [ 415.141089] do_syscall_64+0x99/0x1490 [ 415.141093] ? rcu_is_watching+0x12/0x60 [ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0 [ 415.141097] ? rcu_is_watching+0x12/0x60 [ 415.141098] ? lock_release+0x1f0/0x2a0 [ 415.141100] ? rcu_is_watching+0x12/0x60 [ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0 [ 415.141103] ? rcu_is_watching+0x12/0x60 [ 415.141104] ? __schedule+0xb34/0x1300 [ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170 [ 415.141109] ? do_nanosleep+0x8b/0x160 [ 415.141111] ? 
hrtimer_nanosleep+0x89/0x100 [ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 415.141116] ? xfd_validate_state+0x26/0x90 [ 415.141118] ? rcu_is_watching+0x12/0x60 [ 415.141120] ? do_syscall_64+0x1e0/0x1490 [ 415.141121] ? do_syscall_64+0x1e0/0x1490 [ 415.141123] ? rcu_is_watching+0x12/0x60 [ 415.141124] ? do_syscall_64+0x1e0/0x1490 [ 415.141125] ? do_syscall_64+0x1e0/0x1490 [ 415.141127] ? irqentry_exit+0x140/0x7e0 [ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e get_cpu() disables preemption while the spinlock hv_ringbuffer_write is using is converted to an rt-mutex under PREEMPT_RT. Signed-off-by: Jan Kiszka Tested-by: Florian Bezdeka Reviewed-by: Michael Kelley Tested-by: Michael Kelley Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com Signed-off-by: Martin K. Petersen commit bffda93a51b40afd67c11bf558dc5aae83ca0943 Author: Mathias Krause Date: Thu Feb 12 11:23:27 2026 -0800 scsi: lpfc: Properly set WC for DPP mapping Using set_memory_wc() to enable write-combining for the DPP portion of the MMIO mapping is wrong as set_memory_*() is meant to operate on RAM only, not MMIO mappings. In fact, as used currently triggers a BUG_ON() with enabled CONFIG_DEBUG_VIRTUAL. Simply map the DPP region separately and in addition to the already existing mappings, avoiding any possible negative side effects for these. Fixes: 1351e69fc6db ("scsi: lpfc: Add push-to-adapter support to sli4") Signed-off-by: Mathias Krause Signed-off-by: Justin Tee Reviewed-by: Mathias Krause Link: https://patch.msgid.link/20260212192327.141104-1-justintee8345@gmail.com Signed-off-by: Martin K. Petersen
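
The return-value contract behind the pm8001_queue_command() fix in commit 38353c26db28 above, as an added user-space model that is not code from the kernel or from any commit in this log. Every model_* name, the path enum and the release counter are hypothetical stand-ins; the counter records releases instead of really freeing memory twice.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for a SAS task. free_count records how many
 * times the task was released, so a double free shows up as 2. */
struct model_task {
    int status;
    int free_count;
};

enum model_path { PATH_QUEUED, PATH_DEV_GONE, PATH_QUEUE_FULL };

static void model_task_free(struct model_task *t) { t->free_count++; }

/* Completion callback: reports the task as handled to the upper
 * layer, which releases the task as part of completion. */
static void model_task_done(struct model_task *t) { model_task_free(t); }

/* Model of the low-level driver's queue routine. Contract: a non-zero
 * return means "not handled, caller still owns the task". */
static int model_queue_command(struct model_task *t, enum model_path p,
                               int fixed)
{
    switch (p) {
    case PATH_DEV_GONE:
        t->status = -ENODEV;           /* phy down / device gone */
        model_task_done(t);            /* task completed and released */
        return fixed ? 0 : -ENODEV;    /* the one-line difference */
    case PATH_QUEUE_FULL:
        return -EBUSY;                 /* never completed: error is right */
    default:
        return 0;                      /* queued, completes later */
    }
}

/* Model of the caller: on error it assumes the driver never handled
 * the task and cleans it up itself. */
static int model_issue(struct model_task *t, enum model_path p, int fixed)
{
    int rc = model_queue_command(t, p, fixed);

    if (rc)
        model_task_free(t);
    return rc;
}

/* Number of releases one task sees on the given path. */
static int count_frees(enum model_path p, int fixed)
{
    struct model_task t = { 0, 0 };

    model_issue(&t, p, fixed);
    return t.free_count;
}

int main(void)
{
    printf("device gone, before fix: %d releases\n",
           count_frees(PATH_DEV_GONE, 0));
    printf("device gone, after fix:  %d releases\n",
           count_frees(PATH_DEV_GONE, 1));
    printf("queue full (real error): %d releases\n",
           count_frees(PATH_QUEUE_FULL, 1));
    return 0;
}
```

The queue-full path shows why the caller's cleanup cannot simply be removed: an error return is still correct whenever the driver did not complete the task itself.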