commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9
Author: jackysliu <1972843537@qq.com>
Date:   Tue Jun 24 19:58:24 2025 +0800

    scsi: bfa: Double-free fix

    When the bfad_im_probe() function fails during initialization, the
    memory pointed to by bfad->im is freed without setting bfad->im to NULL.

    Subsequently, during driver uninstallation, when the state machine
    enters the bfad_sm_stopping state and calls the bfad_im_probe_undo()
    function, it attempts to free the memory pointed to by bfad->im again,
    thereby triggering a double-free vulnerability.

    Set bfad->im to NULL if probing fails.

    Signed-off-by: jackysliu <1972843537@qq.com>
    Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
    Signed-off-by: Martin K. Petersen

commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11
Author: Thomas Fourier
Date:   Fri Jun 27 16:24:47 2025 +0200

    scsi: isci: Fix dma_unmap_sg() nents value

    The dma_unmap_sg() functions should be called with the same nents as the
    dma_map_sg(), not the value the map function returned.

    Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit 0141618727bc929fe868153d21797f10ce5bef3f
Author: Thomas Fourier
Date:   Fri Jun 27 15:48:18 2025 +0200

    scsi: mvsas: Fix dma_unmap_sg() nents value

    The dma_unmap_sg() functions should be called with the same nents as the
    dma_map_sg(), not the value the map function returned.

    Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit 3a988d0b65d7d1713ce7596eae288a293f3b938e
Author: Thomas Fourier
Date:   Fri Jun 27 13:41:13 2025 +0200

    scsi: elx: efct: Fix dma_unmap_sg() nents value

    The dma_unmap_sg() functions should be called with the same nents as the
    dma_map_sg(), not the value the map function returned.

    Fixes: 692e5d73a811 ("scsi: elx: efct: LIO backend interface routines")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250627114117.188480-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit 25236d4844ad8631a3ff12f1b33aaa27ac74172d
Author: Ewan D. Milne
Date:   Mon Jul 7 16:22:25 2025 -0400

    scsi: scsi_transport_fc: Change to use per-rport devloss_work_q

    Configurations with large numbers of FC rports per host instance are
    taking a very long time to complete all devloss work. Increase potential
    parallelism by using a per-rport devloss_work_q for dev_loss_work and
    fast_io_fail_work.

    Signed-off-by: Ewan D. Milne
    Link: https://lore.kernel.org/r/20250707202225.1203189-1-emilne@redhat.com
    Reviewed-by: Hannes Reinecke
    Signed-off-by: Martin K. Petersen

commit 01aad16c2257ab8ff33b152b972c9f2e1af47912
Author: André Draszik
Date:   Mon Jul 7 18:05:27 2025 +0100

    scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE

    On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
    and in this case the driver ends up programming the UTRL_NEXUS_TYPE
    incorrectly as 0.

    This is because the left hand side of the shift is 1, which is of type
    int, i.e. 31 bits wide. Shifting by more than that width results in
    undefined behaviour.

    Fix this by switching to the BIT() macro, which applies correct type
    casting as required. This ensures the correct value is written to
    UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
    warning:

        UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
        shift exponent 32 is too large for 32-bit type 'int'

    For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
    write.

    Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
    Cc: stable@vger.kernel.org
    Signed-off-by: André Draszik
    Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
    Reviewed-by: Bart Van Assche
    Reviewed-by: Peter Griffin
    Signed-off-by: Martin K. Petersen

commit 6070bd558aee1eb5114e1676165bf0ccaa08240a
Author: Bagas Sanjaya
Date:   Wed Jul 2 10:58:23 2025 +0700

    scsi: core: Fix kernel doc for scsi_track_queue_full()

    Sphinx reports indentation warning on scsi_track_queue_full() return
    values:

        Documentation/driver-api/scsi:101: ./drivers/scsi/scsi.c:247: ERROR: Unexpected indentation. [docutils]

    Fix the warning by making the return values listing a bullet list.

    Fixes: eb44820c28bc ("[SCSI] Add Documentation and integrate into docbook build")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Bagas Sanjaya
    Link: https://lore.kernel.org/r/20250702035822.18072-2-bagasdotme@gmail.com
    Signed-off-by: Martin K. Petersen

commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db
Author: Thomas Fourier
Date:   Mon Jun 30 13:18:02 2025 +0200

    scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value

    The dma_unmap_sg() functions should be called with the same nents as the
    dma_map_sg(), not the value the map function returned.

    Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit 278577d85081717e6acb36af094d8556fcde56e5
Author: Ankit Dange
Date:   Sat Jun 28 18:23:20 2025 +0530

    scsi: ibmvscsi_tgt: Fix typo in comment

    Correct the misspelling of "transitition" to "transition" in a comment
    in ibmvscsi_tgt.c for clarity.

    Signed-off-by: Ankit Dange
    Link: https://lore.kernel.org/r/20250628125320.295824-1-ankitdange37@gmail.com
    Signed-off-by: Martin K. Petersen

commit e1c9a704f2c53acf4d55e43281339560781102e7
Author: Ranjan Kumar
Date:   Sat Jun 28 01:15:39 2025 +0530

    scsi: mpi3mr: Update driver version to 8.14.0.5.50

    Updated driver version to 8.14.0.5.50

    Signed-off-by: Ranjan Kumar
    Link: https://lore.kernel.org/r/20250627194539.48851-5-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen

commit c91e140c82eb58724c435f623702e51cc7896646
Author: Ranjan Kumar
Date:   Sat Jun 28 01:15:38 2025 +0530

    scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems

    On 32-bit systems, 64-bit BAR writes to admin queue registers are
    performed as two 32-bit writes. Without locking, this can cause partial
    writes when accessed concurrently.

    Updated per-queue spinlocks are used to serialize these writes and
    prevent race conditions.

    Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
    Cc: stable@vger.kernel.org
    Signed-off-by: Ranjan Kumar
    Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen

commit 6853885b21cb1d7157cc14c9d30cc17141565bae
Author: Ranjan Kumar
Date:   Sat Jun 28 01:15:37 2025 +0530

    scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers

    The volatile qualifier is redundant for __iomem pointers.

    Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
    Upstream compliance.

    Signed-off-by: Ranjan Kumar
    Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen

commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8
Author: Ranjan Kumar
Date:   Sat Jun 28 01:15:36 2025 +0530

    scsi: mpi3mr: Fix race between config read submit and interrupt completion

    The "is_waiting" flag was updated after calling complete(), which could
    lead to a race where the waiting thread wakes up before the flag is
    cleared. This may cause a missed wakeup or stale state check.

    Reorder the operations to update "is_waiting" before signaling
    completion to ensure consistent state.

    Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
    Cc: stable@vger.kernel.org
    Co-developed-by: Chandrakanth Patil
    Signed-off-by: Chandrakanth Patil
    Signed-off-by: Ranjan Kumar
    Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen

commit 5a6f304f39c24c1a2c3023fbfda81b0042354c3f
Author: Nitin Rawat
Date:   Mon Jul 14 13:23:36 2025 +0530

    scsi: ufs: ufs-qcom: Enable QUnipro Internal Clock Gating

    Enable internal clock gating for Qualcomm UFS host controller by setting
    the following attributes to 1 during host controller initialization:

      - DL_VS_CLK_CFG
      - PA_VS_CLK_CFG_REG
      - DME_VS_CORE_CLK_CTRL.DME_HW_CGC_EN

    This change is necessary to support the internal clock gating mechanism
    in Qualcomm UFS host controller. This is a power saving feature and
    hence the driver can continue to function correctly despite any error in
    enabling these features.

    Signed-off-by: Nitin Rawat
    Link: https://lore.kernel.org/r/20250714075336.2133-4-quic_nitirawa@quicinc.com
    Signed-off-by: Martin K. Petersen

commit c49601642f95c8c6787acb07881f2495bc8aeb27
Author: Nitin Rawat
Date:   Mon Jul 14 13:23:35 2025 +0530

    scsi: ufs: core: Add ufshcd_dme_rmw() to modify DME attributes

    Introduce ufshcd_dme_rmw() API to read, modify, and write DME attributes
    in UFS host controllers using a mask and value.

    Signed-off-by: Nitin Rawat
    Link: https://lore.kernel.org/r/20250714075336.2133-3-quic_nitirawa@quicinc.com
    Reviewed-by: Bart Van Assche
    Signed-off-by: Martin K. Petersen

commit 7a9d5195a7f5871a4ad4e55fc567a2b3bee49a59
Author: Bao D. Nguyen
Date:   Mon Jul 14 13:23:34 2025 +0530

    scsi: ufs: ufs-qcom: Update esi_vec_mask for HW major version >= 6

    The MCQ feature and ESI are supported by all Qualcomm UFS controller
    versions 6 and above.

    Therefore, update the ESI vector mask in the UFS_MEM_CFG3 register for
    platforms with major version number of 6 or higher.

    Reviewed-by: Manivannan Sadhasivam
    Signed-off-by: Bao D. Nguyen
    Signed-off-by: Nitin Rawat
    Link: https://lore.kernel.org/r/20250714075336.2133-2-quic_nitirawa@quicinc.com
    Signed-off-by: Martin K. Petersen

commit 8314312c5286e53045a6c37128ea9ddd9cd5e217
Author: Bart Van Assche
Date:   Tue Jun 24 14:05:40 2025 -0700

    scsi: core: Use scsi_cmd_priv() instead of open-coding it

    Improve code readability without modifying the behavior of the code.

    Cc: Hannes Reinecke
    Cc: John Garry
    Signed-off-by: Bart Van Assche
    Link: https://lore.kernel.org/r/20250624210541.512910-4-bvanassche@acm.org
    Reviewed-by: John Garry
    Signed-off-by: Martin K. Petersen

commit b152f199fa43ef96ecb29cefafa1e9b0e02b6f3d
Author: Xose Vazquez Perez
Date:   Tue Jun 24 21:09:25 2025 +0200

    scsi: qla2xxx: Remove firmware URL

    The historic QLogic firmware URL redirects to a Marvell page that only
    provides drivers. Refer to linux-firmware instead.

    Cc: Nilesh Javali
    Cc: James E.J. Bottomley
    Cc: Martin K. Petersen
    Cc: QLOGIC ML
    Cc: LINUX SCSI ML
    Signed-off-by: Xose Vazquez Perez
    Link: https://lore.kernel.org/r/20250624190926.115009-1-xose.vazquez@gmail.com
    Signed-off-by: Martin K. Petersen

commit cc59f3b68542a2ef05e7afd0cc329ff8b8a649d0
Author: Bart Van Assche
Date:   Mon Jun 23 14:59:01 2025 -0700

    scsi: ufs: core: Improve return value documentation

    Some functions return a negative value to indicate an error while other
    functions return a value != 0 to indicate an error. Document the return
    value behavior where this documentation is missing and fix the return
    value documentation where necessary. Add warnings to detect mismatches
    between documentation and implementation. This matters because several
    sysfs callback functions only work correctly if a negative value is
    returned upon error.

    Signed-off-by: Bart Van Assche
    Link: https://lore.kernel.org/r/20250623215909.4169007-1-bvanassche@acm.org
    Signed-off-by: Martin K. Petersen

commit 021f243627ead17eb6500170256d3d9be787dad8
Author: Bart Van Assche
Date:   Tue Jun 24 11:16:44 2025 -0700

    scsi: ufs: core: Fix spelling of a sysfs attribute name

    Change "resourse" into "resource" in the name of a sysfs attribute.

    Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor")
    Signed-off-by: Bart Van Assche
    Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org
    Reviewed-by: Avri Altman
    Signed-off-by: Martin K. Petersen

commit 4937e604ca24c41cae3296d069c871c2f3f519c8
Author: Christoph Hellwig
Date:   Tue Jun 24 14:52:28 2025 +0200

    scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set

    The virt_boundary_mask limit requires an unlimited max_segment_size for
    bio splitting to not corrupt data. Historically, the block layer tried
    to validate this, although the check was half-hearted until the addition
    of the atomic queue limits API. The full blown check then triggered
    issues with stacked devices incorrectly inheriting limits such as the
    virt boundary and got disabled in commit b561ea56a264 ("block: allow
    device to have both virt_boundary_mask and max segment size") instead of
    fixing the issue properly.

    Ensure that the SCSI mid layer doesn't set the default low
    max_segment_size limit for this case, and check for invalid
    max_segment_size values in the host template, similar to the original
    block layer check given that SCSI devices can't be stacked.

    This fixes reported data corruption on storvsc, although as far as I can
    tell storvsc always failed to properly set the max_segment_size limit as
    the SCSI APIs historically applied that when setting up the host, while
    storvsc only set the virt_boundary_mask when configuring the
    scsi_device.

    Fixes: 81988a0e6b03 ("storvsc: get rid of bounce buffer")
    Fixes: b561ea56a264 ("block: allow device to have both virt_boundary_mask and max segment size")
    Reported-by: Ming Lei
    Signed-off-by: Christoph Hellwig
    Link: https://lore.kernel.org/r/20250624125233.219635-3-hch@lst.de
    Reviewed-by: John Garry
    Reviewed-by: Ming Lei
    Reviewed-by: Hannes Reinecke
    Reviewed-by: Bart Van Assche
    Signed-off-by: Martin K. Petersen

commit 844c6a160e69cc6d1da4b666f8672f6fc5f4f862
Author: Christoph Hellwig
Date:   Tue Jun 24 14:52:27 2025 +0200

    scsi: RDMA/srp: Don't set a max_segment_size when virt_boundary_mask is set

    virt_boundary_mask implies an unlimited max_segment_size. Setting both
    can lead to data corruption because __blk_rq_map_sg() can split requests
    so that the virt_boundary_mask is not respected if max_segment_size is
    not UINT_MAX.

    Signed-off-by: Christoph Hellwig
    Link: https://lore.kernel.org/r/20250624125233.219635-2-hch@lst.de
    Reviewed-by: Hannes Reinecke
    Reviewed-by: John Garry
    Acked-by: Bart Van Assche
    Signed-off-by: Martin K. Petersen

commit 26b971d58ab9f0d5003ac750a97bb88cec7aa2e1
Author: mrigendrachaubey
Date:   Sun Jun 22 11:27:09 2025 +0530

    scsi: scsi_devinfo: Remove redundant 'found'

    Remove the unnecessary 'found' flag in scsi_devinfo_lookup_by_key().
    The loop can return the matching entry directly when found, and fall
    through to return ERR_PTR(-EINVAL) otherwise.

    Signed-off-by: mrigendrachaubey
    Link: https://lore.kernel.org/r/20250622055709.7893-1-mrigendra.chaubey@gmail.com
    Reviewed-by: Bart Van Assche
    Signed-off-by: Martin K. Petersen

commit 6243146bb019a200c54a98c96b85f4b9012f2140
Author: Arnd Bergmann
Date:   Fri Jun 20 19:32:22 2025 +0200

    scsi: qla2xxx: Avoid stack frame size warning in qla_dfs

    The qla2x00_dfs_tgt_port_database_show() function constructs a fake
    fc_port_t object on the stack, which--depending on the configuration--is
    large enough to exceed the stack size warning limit:

        drivers/scsi/qla2xxx/qla_dfs.c:176:1: error: stack frame size (1392) exceeds limit (1280) in 'qla2x00_dfs_tgt_port_database_show' [-Werror,-Wframe-larger-than]

    Rework this function to no longer need the structure but instead call a
    custom helper function that just prints the data directly from the
    port_database_24xx structure.

    Signed-off-by: Arnd Bergmann
    Link: https://lore.kernel.org/r/20250620173232.864179-1-arnd@kernel.org
    Signed-off-by: Martin K. Petersen

commit ed575d4bca6ac84129046455803028a91e81cc64
Author: Randy Dunlap
Date:   Fri Jun 20 09:21:58 2025 -0700

    scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c

    Fix all kernel-doc problems in mpi3mr_app.c:

        mpi3mr_app.c:809: warning: Excess function parameter 'data' description in 'mpi3mr_set_trigger_data_in_hdb'
        mpi3mr_app.c:836: warning: Excess function parameter 'data' description in 'mpi3mr_set_trigger_data_in_all_hdb'
        mpi3mr_app.c:3395: warning: No description found for return value of 'sas_ncq_prio_supported_show'
        mpi3mr_app.c:3413: warning: No description found for return value of 'sas_ncq_prio_enable_show'

    Fixes: fc4444941140 ("scsi: mpi3mr: HDB allocation and posting for hardware and firmware buffers")
    Fixes: d8d08d1638ce ("scsi: mpi3mr: Trigger support")
    Fixes: 90e6f08915ec ("scsi: mpi3mr: Fix ATA NCQ priority support")
    Signed-off-by: Randy Dunlap
    Link: https://lore.kernel.org/r/20250620162158.776795-1-rdunlap@infradead.org
    Cc: Sathya Prakash
    Cc: Kashyap Desai
    Cc: Sumit Saxena
    Cc: Sreekanth Reddy
    Cc: Ranjan Kumar
    Cc: mpi3mr-linuxdrv.pdl@broadcom.com
    Cc: Damien Le Moal
    Cc: James E.J. Bottomley
    Cc: Martin K. Petersen
    Reviewed-by: Damien Le Moal
    Signed-off-by: Martin K. Petersen

commit 8889676cd62161896f1d861ce294adc29c4f2cb5
Author: jackysliu <1972843537@qq.com>
Date:   Thu Jun 19 12:03:02 2025 +0800

    scsi: sd: Fix VPD page 0xb7 length check

    sd_read_block_limits_ext() currently assumes that vpd->len excludes the
    size of the page header. However, vpd->len describes the size of the
    entire VPD page, therefore the sanity check is incorrect.

    In practice this is not really a problem since we don't attach VPD pages
    unless they actually report data trailing the header. But fix the length
    check regardless.

    This issue was identified by Wukong-Agent (formerly Tencent Woodpecker),
    a code security AI agent, through static code analysis.

    [mkp: rewrote patch description]

    Signed-off-by: jackysliu <1972843537@qq.com>
    Link: https://lore.kernel.org/r/tencent_ADA5210D1317EEB6CD7F3DE9FE9DA4591D05@qq.com
    Fixes: 96b171d6dba6 ("scsi: core: Query the Block Limits Extension VPD page")
    Signed-off-by: Martin K. Petersen

commit 00f452a1b084efbe8dcb60a29860527944a002a1
Author: Thomas Fourier
Date:   Wed Jun 18 09:17:37 2025 +0200

    scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()

    dma_map_XXX() can fail and should be tested for errors with
    dma_mapping_error().

    Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit c3b214719a87735d4f67333a8ef3c0e31a34837c
Author: Thomas Fourier
Date:   Tue Jun 17 18:11:11 2025 +0200

    scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()

    dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which
    is often ~0. The error value should be tested with dma_mapping_error()
    like it was done in qla26xx_dport_diagnostics().

    Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com
    Signed-off-by: Martin K. Petersen

commit c7ee6c8f2f1e3d4b8efa6ac957289676a3f5cd51
Author: Salomon Dushimirimana
Date:   Mon Jun 16 19:00:18 2025 +0000

    scsi: pm80xx: Add controller SCSI host fatal error uevents

    Add pm80xx_fatal_error_uevent_emit() which is called when the pm80xx
    driver encounters a fatal error. The uevent has the following additional
    custom key/value pair sets:

      - DRIVER: driver name, pm80xx in this case
      - HBA_NUM: the scsi host id of the device
      - EVENT_TYPE: to indicate a fatal error
      - REPORTED_BY: either driver or firmware

    The uevent is anchored to the kernel object that represents the SCSI
    controller, which includes other useful core variables, such as, ACTION,
    DEVPATH, SUBSYSTEM, and more.

    The fatal_error_uevent_emit() function is called when the controller
    fatal error state changes. Since this doesn't happen often for a
    specific SCSI host, there are no worries of a uevent storm.

    Signed-off-by: Salomon Dushimirimana
    Link: https://lore.kernel.org/r/20250616190018.2136260-1-salomondush@google.com
    Signed-off-by: Martin K. Petersen

commit f14371aceef9eb57bd5c8107b436b97350cee454
Author: Justin Tee
Date:   Wed Jun 18 12:21:38 2025 -0700

    scsi: lpfc: Copyright updates for 14.4.0.10 patches

    Update copyrights to 2025 for files modified in the 14.4.0.10 patch set.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-14-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 81f2d701670f75c09dca8de4e26ddf77bf32d0f9
Author: Justin Tee
Date:   Wed Jun 18 12:21:37 2025 -0700

    scsi: lpfc: Update lpfc version to 14.4.0.10

    Update lpfc version to 14.4.0.10

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-13-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit e03bc287623f024ebff5ceb6ae65e4884fba5df4
Author: Justin Tee
Date:   Wed Jun 18 12:21:36 2025 -0700

    scsi: lpfc: Modify end-of-life adapters' model descriptions

    Obsolete adapters' model description strings are updated to indicate
    that they are no longer supported.

    End-of-life adapters will still remain probed by the lpfc driver based
    on PCI id.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-12-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 5d655969100dd87e59c22d892985545a7f2c1a70
Author: Justin Tee
Date:   Wed Jun 18 12:21:35 2025 -0700

    scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions

    The CQ_CREATE_SET mailbox command's bitfields are updated. Rename the
    cqe_cnt and separate high/low bitfield names to help resolve confusion
    between two similar bitfield definitions.

    Corresponding usages of the newly defined bitfields are updated as well.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-11-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit a28d10a15600e3eae19035774cabad06008a8a59
Author: Justin Tee
Date:   Wed Jun 18 12:21:34 2025 -0700

    scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset

    Move clearing of HBA_SETUP flag out of lpfc_sli_brdrestart_s4 and before
    lpfc_sli4_queue_unset. lpfc_sli4_queue_unset kfrees phba queues, so
    clear the HBA_SETUP atomic flag to signal that the phba struct is no
    longer initialized.

    Also, add a check for the HBA_SETUP flag in the lpfc_sli4_io_xri_aborted
    routine before dereferencing the ELS WQ.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-10-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 1cced5779e7a3ff7ec025fc47c76a7bd3bb38877
Author: Justin Tee
Date:   Wed Jun 18 12:21:33 2025 -0700

    scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk

    For SLI3, the HBA_SETUP flag is never set so the lpfc_dev_loss_tmo_callbk
    always early returns. Add a phba->sli_rev check for SLI4 mode so that
    the SLI3 path can flow through the original dev_loss_tmo worker thread
    design to lpfc_dev_loss_tmo_handler instead of early return.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-9-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 320c3a12b40c94326f401705cdf224e8a661f1a2
Author: Justin Tee
Date:   Wed Jun 18 12:21:32 2025 -0700

    scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr

    Port wide initialization flags FLOGI_ISSUED and RHBA_CMPL make more
    sense to be cleared upon a link down event rather than waiting for a
    link up event. By moving clearing of these initialization flags to a
    link down handler, future confusion on the state of initialization is
    avoided.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-8-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 5a00dfc58bfe5fcff079bf90d1cc0254cab8e33e
Author: Justin Tee
Date:   Wed Jun 18 12:21:31 2025 -0700

    scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd

    There are unnecessary checks on an HBA's interface type and family
    before erroring out a failed lpfc_get_sli4_parameters mailbox command.

    Simplify the error handling by logging a message and proceeding to
    memory free labels.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-7-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 6b61ec3dd472f8fd367f116e61771030f4d410db
Author: Justin Tee
Date:   Wed Jun 18 12:21:30 2025 -0700

    scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses

    If an FDMI request completes with local reject status and the request is
    not retryable, there's no need to parse an FDMI response payload.

    Insert an early return statement for such cases.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-6-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 37c893e36b1b538aea15bcef6330e1d4a7b77583
Author: Justin Tee
Date:   Wed Jun 18 12:21:29 2025 -0700

    scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set

    During rmmod, all ndlp objects are cleaned up and marked with the
    NLP_DROPPED flag indicating that an ndlp object is currently being
    released. Thus, if an RSCN is received during driver unload, then
    walking the fc_nodes list to process the RSCN is unnecessary because the
    ndlp objects are very shortly going to be released.

    In the lpfc_rscn_recovery_check routine, early return if the driver is
    in the middle of unloading by checking for the FC_UNLOADING flag.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-5-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 6698796282e828733cde3329c887b4ae9e5545e9
Author: Justin Tee
Date:   Wed Jun 18 12:21:28 2025 -0700

    scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure

    If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
    resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
    occur before sli4_hba.hdwqs are allocated. This may result in a null
    pointer dereference when attempting to take the abts_io_buf_list_lock
    for the first hardware queue. Fix by adding a null ptr check on
    phba->sli4_hba.hdwq and early return because this situation means there
    must have been an error during port initialization.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 5459bd49f05f7f0f420cb8564ea58cc12afc360e
Author: Justin Tee
Date:   Wed Jun 18 12:21:27 2025 -0700

    scsi: lpfc: Update debugfs trace ring initialization messages

    Initialization parameters for trace rings used in debugfs are sometimes
    automatically adjusted. This patch corrects and updates the
    corresponding log messages.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-3-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit e6d4486edd4a840e0ec9de4a35dee3448ca5a940
Author: Justin Tee
Date:   Wed Jun 18 12:21:26 2025 -0700

    scsi: lpfc: Revise logging format for failed CT MIB requests

    Unsupported and rejected CT MIB request log messages are changed to
    KERN_WARNING level. Also, remove extra space in log message.

    Signed-off-by: Justin Tee
    Link: https://lore.kernel.org/r/20250618192138.124116-2-justintee8345@gmail.com
    Signed-off-by: Martin K. Petersen

commit 85d6fbc47c3087c5d048e6734926b0c36af34fe9
Author: Thomas Fourier
Date:   Wed Jun 18 08:57:04 2025 +0200

    scsi: fnic: Fix missing DMA mapping error in fnic_send_frame()

    dma_map_XXX() can fail and should be tested for errors with
    dma_mapping_error().

    Fixes: a63e78eb2b0f ("scsi: fnic: Add support for fabric based solicited requests and responses")
    Signed-off-by: Thomas Fourier
    Link: https://lore.kernel.org/r/20250618065715.14740-2-fourier.thomas@gmail.com
    Reviewed-by: Karan Tilak Kumar
    Reviewed-by: John Menghini
    Signed-off-by: Martin K. Petersen

commit 18b5cb6f1fdda4454f55a31f7c78d94da62be495
Author: Karan Tilak Kumar
Date:   Tue Jun 17 17:34:31 2025 -0700

    scsi: fnic: Set appropriate logging level for log message

    Replace KERN_INFO with KERN_DEBUG for a log message.

    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Signed-off-by: Karan Tilak Kumar
    Link: https://lore.kernel.org/stable/20250612002212.4144-1-kartilak%40cisco.com
    Link: https://lore.kernel.org/r/20250618003431.6314-4-kartilak@cisco.com
    Reviewed-by: John Meneghini
    Signed-off-by: Martin K. Petersen

commit 9b9b8594654a79e3d4166356fd86cd5397477b24
Author: Karan Tilak Kumar
Date:   Tue Jun 17 17:34:30 2025 -0700

    scsi: fnic: Add and improve logs in FDMI and FDMI ABTS paths

    Add logs in FDMI and FDMI ABTS paths. Modify log text in these paths.

    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Reviewed-by: John Meneghini
    Signed-off-by: Karan Tilak Kumar
    Link: https://lore.kernel.org/r/20250618003431.6314-3-kartilak@cisco.com
    Signed-off-by: Martin K. Petersen

commit 74f46a0524f8d2f01dc7ca95bb5fc463a8603e72
Author: Karan Tilak Kumar
Date:   Tue Jun 17 17:34:29 2025 -0700

    scsi: fnic: Turn off FDMI ACTIVE flags on link down

    When the link goes down and comes up, FDMI requests are not sent out
    anymore. Fix bug by turning off FNIC_FDMI_ACTIVE when the link goes
    down.

    Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI")
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Reviewed-by: Arun Easi
    Tested-by: Karan Tilak Kumar
    Cc: stable@vger.kernel.org
    Signed-off-by: Karan Tilak Kumar
    Link: https://lore.kernel.org/r/20250618003431.6314-2-kartilak@cisco.com
    Reviewed-by: John Meneghini
    Signed-off-by: Martin K. Petersen

commit a35b29bdedb4d2ae3160d4d6684a6f1ecd9ca7c2
Author: Karan Tilak Kumar
Date:   Tue Jun 17 17:34:28 2025 -0700

    scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

    When both the RHBA and RPA FDMI requests time out, fnic reuses a frame
    to send ABTS for each of them. On send completion, this causes an
    attempt to free the same frame twice that leads to a crash.

    Fix crash by allocating separate frames for RHBA and RPA, and modify
    ABTS logic accordingly.

    Tested by checking MDS for FDMI information.

    Tested by using instrumented driver to:

      - Drop PLOGI response
      - Drop RHBA response
      - Drop RPA response
      - Drop RHBA and RPA response
      - Drop PLOGI response + ABTS response
      - Drop RHBA response + ABTS response
      - Drop RPA response + ABTS response
      - Drop RHBA and RPA response + ABTS response for both of them

    Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI")
    Reviewed-by: Sesidhar Baddela
    Reviewed-by: Arulprabhu Ponnusamy
    Reviewed-by: Gian Carlo Boffa
    Tested-by: Arun Easi
    Co-developed-by: Arun Easi
    Signed-off-by: Arun Easi
    Tested-by: Karan Tilak Kumar
    Cc: stable@vger.kernel.org
    Signed-off-by: Karan Tilak Kumar
    Link: https://lore.kernel.org/r/20250618003431.6314-1-kartilak@cisco.com
    Reviewed-by: John Meneghini
    Signed-off-by: Martin K. Petersen

commit 15592a11d5a5c8411ac8494ec49736b658f6fbff
Author: Damien Le Moal
Date:   Fri Jun 6 14:27:47 2025 +0900

    scsi: mpt3sas: Correctly handle ATA device errors

    With the ATA error model, an NCQ command failure always triggers an
    abort (termination) of all NCQ commands queued on the device. In such
    case, the SAT or the host must handle the failed command according to
    the command sense data and immediately retry all other NCQ commands that
    were aborted due to the failed NCQ command.

    For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are
    not handled by the HBA SAT and sent back to the host, with an ioc log
    information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
    PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
    _scsih_io_done() always forces a retry of commands terminated with the
    status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result
    DID_SOFT_ERROR, regardless of the log_info for the command. This
    correctly forces the retry of collateral NCQ abort commands, but with
    the retry counter for the command being incremented.
    If a command to an ATA device is subject to too many retries due to
    other NCQ commands failing (e.g. read commands trying to access
    unreadable sectors), the collateral NCQ abort commands may be terminated
    with an error as they run out of retries. This violates the SAT
    specification and causes hard-to-debug command errors.

    Solve this issue by modifying the handling of the
    MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for
    an ATA device and if the command loginfo indicates an NCQ collateral
    abort. If that is the case, force the command retry using the SCSI
    result DID_IMM_RETRY to avoid incrementing the command retry count.

    Signed-off-by: Damien Le Moal
    Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org
    Tested-by: Yafang Shao
    Signed-off-by: Martin K. Petersen

commit 04caad5a7ba86e830d04750417a15bad8ac2613c
Author: Damien Le Moal
Date:   Fri Jun 6 14:27:46 2025 +0900

    scsi: mpi3mr: Correctly handle ATA device errors

    With the ATA error model, an NCQ command failure always triggers an
    abort (termination) of all NCQ commands queued on the device. In such
    case, the SAT or the host must handle the failed command according to
    the command sense data and immediately retry all other NCQ commands that
    were aborted due to the failed NCQ command.

    For SAS HBAs controlled by the mpi3mr driver, NCQ command aborts are not
    handled by the HBA SAT and sent back to the host, with an ioc log
    information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
    PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
    mpi3mr_process_op_reply_desc() always forces a retry of commands
    terminated with the status MPI3_IOCSTATUS_SCSI_IOC_TERMINATED using the
    SCSI result DID_SOFT_ERROR, regardless of the ioc_loginfo for the
    command. This correctly forces the retry of collateral NCQ abort
    commands, but with the retry counter for the command being incremented.
If a command to an ATA device is subject to too many retries due to other NCQ commands failing (e.g. read commands trying to access unreadable sectors), the collateral NCQ abort commands may be terminated with an error as they run out of retries. This violates the SAT specification and causes hard-to-debug command errors.

Solve this issue by modifying the handling of the MPI3_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an ATA device and if the command ioc_loginfo indicates an NCQ collateral abort. If that is the case, force the command retry using the SCSI result DID_IMM_RETRY to avoid incrementing the command retry count.

Signed-off-by: Damien Le Moal
Link: https://lore.kernel.org/r/20250606052747.742998-2-dlemoal@kernel.org
Tested-by: Yafang Shao
Signed-off-by: Martin K. Petersen

commit 258a0a19621793b811356fc9d1849f950629d669
Author: Francisco Gutierrez
Date: Tue Jun 17 21:04:43 2025 +0000

scsi: pm80xx: Free allocated tags after failure

This change frees resources after an error is detected.

Signed-off-by: Francisco Gutierrez
Link: https://lore.kernel.org/r/20250617210443.989058-1-frankramirez@google.com
Acked-by: Jack Wang
Signed-off-by: Martin K. Petersen

commit d56d980d9b2829572e634b9ab60dfa0239b1c6a7
Author: Avri Altman
Date: Tue Jun 17 12:56:10 2025 +0300

scsi: ufs: Clear ucd_rsp_ptr for UPIU requests once

Previously, the response buffer (ucd_rsp_ptr) was cleared in multiple UPIU preparation functions. Do it once.

Signed-off-by: Avri Altman
Link: https://lore.kernel.org/r/20250617095611.89229-2-avri.altman@sandisk.com
Reviewed-by: Bart Van Assche
Signed-off-by: Martin K. Petersen

commit 2e083cd802294693a5414e4557a183dd7e442e71
Author: anvithdosapati
Date: Mon Jun 16 08:57:34 2025 +0000

scsi: ufs: core: Fix clk scaling to be conditional in reset and restore

In ufshcd_host_reset_and_restore(), scale up clocks only when clock scaling is supported.
Without this change CPU latency is voted for 0 (ufshcd_pm_qos_update) during resume unconditionally.

Signed-off-by: anvithdosapati
Link: https://lore.kernel.org/r/20250616085734.2133581-1-anvithdosapati@google.com
Fixes: a3cd5ec55f6c ("scsi: ufs: add load based scaling of UFS gear")
Cc: stable@vger.kernel.org
Reviewed-by: Bart Van Assche
Signed-off-by: Martin K. Petersen

commit 752eb816b55adb0673727ba0ed96609a17895654
Author: Chen Yu
Date: Wed Jun 4 12:25:56 2025 +0800

scsi: megaraid_sas: Fix invalid node index

On a system with DRAM interleave enabled, out-of-bound access is detected:

  megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0
  ------------[ cut here ]------------
  UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
  index -1 is out of range for type 'cpumask *[1024]'
  dump_stack_lvl+0x5d/0x80
  ubsan_epilogue+0x5/0x2b
  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
  megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]
  megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]
  local_pci_probe+0x42/0x90
  pci_device_probe+0xdc/0x290
  really_probe+0xdb/0x340
  __driver_probe_device+0x78/0x110
  driver_probe_device+0x1f/0xa0
  __driver_attach+0xba/0x1c0
  bus_for_each_dev+0x8b/0xe0
  bus_add_driver+0x142/0x220
  driver_register+0x72/0xd0
  megasas_init+0xdf/0xff0 [megaraid_sas]
  do_one_initcall+0x57/0x310
  do_init_module+0x90/0x250
  init_module_from_file+0x85/0xc0
  idempotent_init_module+0x114/0x310
  __x64_sys_finit_module+0x65/0xc0
  do_syscall_64+0x82/0x170
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix it accordingly.

Signed-off-by: Chen Yu
Link: https://lore.kernel.org/r/20250604042556.3731059-1-yu.c.chen@intel.com
Fixes: 8049da6f3943 ("scsi: megaraid_sas: Use irq_set_affinity_and_hint()")
Cc: stable@vger.kernel.org
Signed-off-by: Martin K.
Petersen

commit 76549adb4260e5966db533c73fbf5a4648038c1d
Author: Thomas Weißschuh
Date: Wed Jun 11 11:58:06 2025 +0200

scsi: Don't use %pK through printk()

In the past %pK was preferable to %p as it would not leak raw pointer values into the kernel log. Since commit ad67b74d2469 ("printk: hash addresses printed with %p") the regular %p has been improved to avoid this issue. Furthermore, restricted pointers ("%pK") were never meant to be used through printk(). They can still unintentionally leak raw pointers or acquire sleeping locks in atomic contexts.

Switch to the regular pointer formatting which is safer and easier to reason about.

Signed-off-by: Thomas Weißschuh
Link: https://lore.kernel.org/r/20250611-restricted-pointers-scsi-v1-1-fe31bfbc4910@linutronix.de
Signed-off-by: Martin K. Petersen

commit b1ba03c49a711c30e24735733dfd68f2422fa150
Author: Damien Le Moal
Date: Wed Jun 11 18:34:21 2025 +0900

scsi: core: Remember if a device is an ATA device

scsi_add_lun() tests the device vendor string of SCSI devices to detect if a SCSI device is in fact an ATA device, in order to correctly handle SATL power management. The function scsi_cdl_enable() also requires knowing if a SCSI device is an ATA device to control the state of the device CDL feature but this function does that by testing for the presence of the VPD page 89h (ATA INFORMATION page). sd_read_write_same() also has a similar test.

Simplify these different methods by adding the is_ata field to struct scsi_device to remember that a SCSI device is in fact an ATA one based on the device vendor name test. This field can also allow low level SCSI host adapter drivers to take special actions for ATA devices (e.g. to better handle ATA NCQ errors).

With this, simplify scsi_cdl_enable() and sd_read_write_same().

Signed-off-by: Damien Le Moal
Link: https://lore.kernel.org/r/20250611093421.2901633-1-dlemoal@kernel.org
Reviewed-by: Igor Pylypiv
Signed-off-by: Martin K.
Petersen

commit 0ec996edf4fdb727340ec9f50e2795042c23cd86
Author: André Draszik
Date: Fri Jun 6 16:29:43 2025 +0100

scsi: mpt3sas: Drop unused variable in mpt3sas_send_mctp_passthru_req()

With W=1, gcc complains correctly:

  mpt3sas_ctl.c: In function ‘mpt3sas_send_mctp_passthru_req’:
  mpt3sas_ctl.c:2917:29: error: variable ‘mpi_reply’ set but not used [-Werror=unused-but-set-variable]
   2917 | MPI2DefaultReply_t *mpi_reply;
        |                     ^~~~~~~~~

Drop the unused assignment and variable.

Signed-off-by: André Draszik
Link: https://lore.kernel.org/r/20250606-mpt3sas-v1-1-906ffe49fb6b@linaro.org
Signed-off-by: Martin K. Petersen

commit 9d2c232d575a8c8dfa66276ed7edccfac482a4df
Author: Kassey Li
Date: Wed May 21 09:17:11 2025 +0800

scsi: trace: Show rtn in string for scsi_dispatch_cmd_error()

By default the scsi_dispatch_cmd_error() return value is displayed in decimal:

  kworker/3:1H-183 [003] .... 51.035474: scsi_dispatch_cmd_error: host_no=0 channel=0 id=0 lun=4 data_sgl=1 prot_sgl=0 prot_op=SCSI_PROT_NORMAL cmnd=(READ_10 lba=3907214 txlen=1 protect=0 raw=28 00 00 3b 9e 8e 00 00 01 00) rtn=4181

However, these numbers are not particularly helpful wrt. debugging errors. Especially since the kernel code consistently uses the following defines in hexadecimal:

  SCSI_MLQUEUE_HOST_BUSY 0x1055
  SCSI_MLQUEUE_DEVICE_BUSY 0x1056
  SCSI_MLQUEUE_EH_RETRY 0x1057
  SCSI_MLQUEUE_TARGET_BUSY 0x1058

Switch to using the string form of these values in the trace output:

  dd-1059 [007] ..... 31.689529: scsi_dispatch_cmd_error: host_no=0 channel=0 id=0 lun=4 data_sgl=65 prot_sgl=0 prot_op=SCSI_PROT_NORMAL driver_tag=23 scheduler_tag=117 cmnd=(READ_10 lba=0 txlen=128 protect=0 raw=28 00 00 00 00 00 00 00 80 00) rtn=SCSI_MLQUEUE_DEVICE_BUSY

Signed-off-by: Kassey Li
Link: https://lore.kernel.org/r/20250521011711.1983625-1-quic_yingangl@quicinc.com
Signed-off-by: Martin K.
Petersen

commit ae7795a8c2582b5fb7971132753810a3f158e7b2
Author: Huan Tang
Date: Fri May 23 14:46:04 2025 +0800

scsi: ufs: core: Add HID support

Follow JESD220G, support HID(Host Initiated Defragmentation) through sysfs, the relevant sysfs nodes are as follows:

1. analysis_trigger
2. defrag_trigger
3. fragmented_size
4. defrag_size
5. progress_ratio
6. state

The detailed definition of the six nodes can be found in the sysfs documentation.

HID's execution policy is given to user-space.

Signed-off-by: Huan Tang
Signed-off-by: Wenxing Cheng
Link: https://lore.kernel.org/r/20250523064604.800-1-tanghuan@vivo.com
Suggested-by: Bart Van Assche
Reviewed-by: Peter Wang
Reviewed-by: Bean Huo
Reviewed-by: Bart Van Assche
Reviewed-by: Yangtao Li
Signed-off-by: Martin K. Petersen

commit c6503be73fa37034fac87c1ffed9f2a82adb5441
Author: Alok Tiwari
Date: Sat Jun 7 09:22:56 2025 -0700

scsi: fc_transport: docs: Add documentation for FC Remote Ports

This patch updates the scsi_fc_transport.rst documentation by replacing the outdated << To Be Supplied >> placeholder under the "FC Remote Ports (rports)" section with a detailed explanation of remote port functionality in the Fibre Channel (FC) transport class.

The new documentation covers:
- What rports are and their role in FC-based SCSI communication
- Their representation in sysfs (/sys/class/fc_remote_ports/)
- Common sysfs attributes such as (port_id, port_name, node_name, and port_state).
- Their typical lifecycle (creation and removal)
- Guidance for driver developers on using fc_remote_port_add() and fc_remote_port_delete()

This change improves the completeness and usefulness of the FC transport documentation for developers and users interacting with Fibre Channel drivers in the Linux SCSI subsystem

Signed-off-by: Alok Tiwari
Link: https://lore.kernel.org/r/20250607162304.1765430-1-alok.a.tiwari@oracle.com
Signed-off-by: Martin K.
Petersen

commit 8b0b14614c1566de7857d6ee29e27ec9ac740578
Author: Hannes Reinecke
Date: Thu Jun 5 08:20:14 2025 +0200

scsi: fcoe: Remove fcoe_select_cpu()

The function fcoe_select_cpu() is just used to distribute incoming skbs which start a new FC command sequence. But the network stack already received (and processed) that skb, and there is a _really_ good chance that all subsequent skbs for this sequence will be handled with the same CPU. So we should just use the CPU on which this skb was allocated on and save ourselves some overhead due to pointless scheduling.

Signed-off-by: Hannes Reinecke
Link: https://lore.kernel.org/r/20250605062014.105302-1-hare@kernel.org
Signed-off-by: Martin K. Petersen