commit 901a5f309daba412e2a30364d7ec1492fa11c32c Author: Abdun Nihaal Date: Tue Dec 23 12:00:11 2025 +0530 scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove(). Cc: stable@vger.kernel.org Fixes: d9d660f6e562 ("xen-scsiback: Add Xen PV SCSI backend driver") Signed-off-by: Abdun Nihaal Reviewed-by: Juergen Gross Link: https://patch.msgid.link/20251223063012.119035-1-nihaal@cse.iitm.ac.in Signed-off-by: Martin K. Petersen commit 309a29b5965a0b2f36b3e245213eb43300a89ac2 Author: Colin Ian King Date: Fri Dec 19 21:44:28 2025 +0000 scsi: ufs: host: mediatek: Make read-only array scale_us static const Don't populate the read-only array scale_us on the stack at run time, instead make it static const. Signed-off-by: Colin Ian King Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251219214428.492744-1-colin.i.king@gmail.com Signed-off-by: Martin K. Petersen commit ae62d62b1c740f7a5ea72082dc28f30ebf6b134d Author: Christophe JAILLET Date: Mon Dec 29 12:35:01 2025 +0100 scsi: target: Constify struct configfs_item_operations and configfs_group_operations 'struct configfs_item_operations' and 'configfs_group_operations' are not modified in this driver. Constifying these structures moves some data to a read-only section, so increases overall security, especially when the structure holds some function pointers. On a x86_64, with allmodconfig: Before: ====== text data bss dec hex filename 151831 80058 4832 236721 39cb1 drivers/target/target_core_configfs.o 45200 16658 0 61858 f1a2 drivers/target/target_core_fabric_configfs.o After: ===== text data bss dec hex filename 152599 79290 4832 236721 39cb1 drivers/target/target_core_configfs.o 46352 15506 0 61858 f1a2 drivers/target/target_core_fabric_configfs.o Signed-off-by: Christophe JAILLET Link: https://patch.msgid.link/a0f25237ae86b8c4dd7a3876c4ed2dc3de200173.1767008082.git.christophe.jaillet@wanadoo.fr Signed-off-by: Martin K. Petersen commit 8e8e8e7e8406e96a0189e116eb04f67f776f947f Author: ReBeating Date: Fri Dec 26 11:19:36 2025 +0800 scsi: target: sbp: Potential integer overflow in sbp_make_tpg() The variable tpgt in sbp_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling sbp_make_tpg() with a large value for tpgt. Modify the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption"). Signed-off-by: ReBeating Link: https://patch.msgid.link/20251226031936.852-1-rebeating@163.com Signed-off-by: Martin K. Petersen commit d0f6cfb491924d42c8f5336acb68a798e49b74b1 Author: Julia Lawall Date: Wed Dec 31 17:50:27 2025 +0100 scsi: bfa: Update outdated comment The function bfa_lps_is_brcd_fabric() was eliminated, being a one-line function, in commit f7f73812e950 ("[SCSI] bfa: clean up one line functions"). Replace the call in the comment by its inlined counterpart, referring to the parameter of the subsequent function. Signed-off-by: Julia Lawall Link: https://patch.msgid.link/20251231165027.142443-1-Julia.Lawall@inria.fr Signed-off-by: Martin K. Petersen commit 001556d298723f091751e9e887f63b642890aaca Author: Ranjan Kumar Date: Tue Dec 23 16:17:21 2025 +0530 scsi: mpt3sas: Update maintainer list As an active participant in the development of the mpt3sas driver, add myself to the maintainers list. Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251223104721.16882-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit ee229e7c256ab5d7b277abf8d48a732c10571750 Author: Bart Van Assche Date: Thu Dec 18 15:07:37 2025 -0800 scsi: ufs: core: Configure MCQ after link startup Commit f46b9a595fa9 ("scsi: ufs: core: Allocate the SCSI host earlier") did not only cause scsi_add_host() to be called earlier. It also swapped the order of link startup and enabling and configuring MCQ mode. Before that commit, the call chains for link startup and enabling MCQ were as follows: ufshcd_init() ufshcd_link_startup() ufshcd_add_scsi_host() ufshcd_mcq_enable() Apparently this change causes link startup to fail. Fix this by configuring MCQ after link startup has completed. Reported-by: Nitin Rawat Fixes: f46b9a595fa9 ("scsi: ufs: core: Allocate the SCSI host earlier") Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251218230741.2661049-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 9a49157deeb23581fc5c8189b486340d7343264a Author: Brian Kao Date: Thu Dec 18 03:17:23 2025 +0000 scsi: core: Fix error handler encryption support Some low-level drivers (LLD) access block layer crypto fields, such as rq->crypt_keyslot and rq->crypt_ctx within `struct request`, to configure hardware for inline encryption. However, SCSI Error Handling (EH) commands (e.g., TEST UNIT READY, START STOP UNIT) should not involve any encryption setup. To prevent drivers from erroneously applying crypto settings during EH, this patch saves the original values of rq->crypt_keyslot and rq->crypt_ctx before an EH command is prepared via scsi_eh_prep_cmnd(). These fields in the 'struct request' are then set to NULL. The original values are restored in scsi_eh_restore_cmnd() after the EH command completes. This ensures that the block layer crypto context does not leak into EH command execution. Signed-off-by: Brian Kao Link: https://patch.msgid.link/20251218031726.2642834-1-powenkao@google.com Cc: stable@vger.kernel.org Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 1523d50abad0ef8a261a5c38099b462629941156 Author: Miao Li Date: Thu Dec 18 10:31:29 2025 +0800 scsi: core: Correct documentation for scsi_test_unit_ready() If scsi_test_unit_ready() returns zero, TEST UNIT READY was executed successfully. Signed-off-by: Miao Li Link: https://patch.msgid.link/20251218023129.284307-1-limiao870622@163.com Signed-off-by: Martin K. Petersen commit be4b7e584a0cc6715fbb14dfb2a9a39bf07cfbab Author: Zhaoming Luo Date: Wed Dec 17 22:03:38 2025 +0800 scsi: ufs: dt-bindings: Fix several grammar errors Fix several grammar errors. Signed-off-by: Zhaoming Luo Reviewed-by: Rob Herring (Arm) Link: https://patch.msgid.link/20251217-fix-minor-grammar-err-v3-1-9be220cdd56a@posteo.com Signed-off-by: Martin K. Petersen commit 1732d10fa7edb611c8384ca0b841d6f79ddf5bed Author: Nilesh Javali Date: Wed Dec 10 15:46:04 2025 +0530 scsi: qla2xxx: Update version to 10.02.10.100-k Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-13-njavali@marvell.com Signed-off-by: Martin K. Petersen commit c2c68225b1456f4d0d393b5a8778d51bb0d5b1d0 Author: Anil Gurumurthy Date: Wed Dec 10 15:46:03 2025 +0530 scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases. However a few invoke it for failure case as well leading to a double free. Validate before calling bsg_done(). Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-12-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 42b2dab4340d39b71334151e10c6d7d9b0040ffa Author: Anil Gurumurthy Date: Wed Dec 10 15:46:02 2025 +0530 scsi: qla2xxx: Query FW again before proceeding with login Issue occurred during a continuous reboot test of several thousand iterations specific to a fabric topo with dual mode target where it sends a PLOGI/PRLI and then sends a LOGO. The initiator was also in the process of discovery and sent a PLOGI to the switch. It then queried a list of ports logged in via mbx 75h and the GPDB response indicated that the target was logged in. This caused a mismatch in the states between the driver and FW. Requery the FW for the state and proceed with the rest of discovery process. Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-11-njavali@marvell.com Signed-off-by: Martin K. Petersen commit b6df15aec8c3441357d4da0eaf4339eb20f5999f Author: Anil Gurumurthy Date: Wed Dec 10 15:46:01 2025 +0530 scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5. [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000. [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000. [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate). [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [154565.553080] #PF: supervisor read access in kernel mode [154565.553082] #PF: error_code(0x0000) - not-present page [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0 [154565.553089] Oops: 0000 1 PREEMPT SMP PTI [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1 [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024 [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 <4c> 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286 [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002 [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47 [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0 [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000 [154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000 [154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0 [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [154565.553159] PKRU: 55555554 [154565.553160] Call Trace: [154565.553162] [154565.553165] ? show_trace_log_lvl+0x1c4/0x2df [154565.553172] ? show_trace_log_lvl+0x1c4/0x2df [154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx] [154565.553215] ? __die_body.cold+0x8/0xd [154565.553218] ? page_fault_oops+0x134/0x170 [154565.553223] ? snprintf+0x49/0x70 [154565.553229] ? exc_page_fault+0x62/0x150 [154565.553238] ? asm_exc_page_fault+0x22/0x30 Check for sp being non NULL before freeing any associated memory Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-10-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 7adbd2b7809066c75f0433e5e2a8e114b429f30f Author: Anil Gurumurthy Date: Wed Dec 10 15:46:00 2025 +0530 scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown() [61110.467501] ----------------------------------------------------------------------------- [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467515] Call Trace: [61110.467516] [61110.467519] dump_stack_lvl+0x34/0x48 [61110.467526] slab_err.cold+0x53/0x67 [61110.467534] __kmem_cache_shutdown+0x16e/0x320 [61110.467540] kmem_cache_destroy+0x51/0x160 [61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280 [61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0 [61110.467616] ? do_syscall_64+0x5c/0x90 [61110.467619] ? exc_page_fault+0x62/0x150 [61110.467622] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [61110.467626] [61110.467627] Disabling lock debugging due to kernel taint [61110.467635] Object 0x0000000026f7e6e6 @offset=16000 [61110.467639] ------------[ cut here ]------------ [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160 [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1 [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023 [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160 [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 <0f> 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282 [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027 [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0 [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7 [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000 [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000 [61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0 [61110.467736] PKRU: 55555554 [61110.467737] Call Trace: [61110.467738] [61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx] [61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280 Free sp in the error path to fix the crash. Fixes: f352eeb75419 ("scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-9-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 8890bf450e0b6b283f48ac619fca5ac2f14ddd62 Author: Anil Gurumurthy Date: Wed Dec 10 15:45:59 2025 +0530 scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000 [105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000 [105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0 [105954.384928] PKRU: 55555554 [105954.384929] Call Trace: [105954.384931] [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx] [105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx] [105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx] [105954.384999] ? __wake_up_common+0x80/0x190 [105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx] [105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx] [105954.385040] ? __handle_irq_event_percpu+0x3d/0x190 [105954.385044] ? handle_irq_event+0x58/0xb0 [105954.385046] ? handle_edge_irq+0x93/0x240 [105954.385050] ? __common_interrupt+0x41/0xa0 [105954.385055] ? common_interrupt+0x3e/0xa0 [105954.385060] ? asm_common_interrupt+0x22/0x40 The root cause of this was that there was a free (dma_free_attrs) in the interrupt context. There was a device discovery/fabric scan in progress. A module unload was issued which set the UNLOADING flag. As part of the discovery, after receiving an interrupt a work queue was scheduled (which involved a work to be queued). Since the UNLOADING flag is set, the work item was not allocated and the mapped memory had to be freed. The free occurred in interrupt context leading to system crash. Delay the driver unload until the fabric scan is complete to avoid the crash. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/202512090414.07Waorz0-lkp@intel.com/ Fixes: 783e0dc4f66a ("qla2xxx: Check for device state before unloading the driver.") Cc: stable@vger.kernel.org Signed-off-by: Anil Gurumurthy Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-8-njavali@marvell.com Signed-off-by: Martin K. Petersen commit b0335ee4fb94832a4ef68774ca7e7b33b473c7a6 Author: Shreyas Deodhar Date: Wed Dec 10 15:45:58 2025 +0530 scsi: qla2xxx: Allow recovery for tape devices Tape device doesn't show up after RSCNs. To fix this, remove tape device specific checks which allows recovery of tape devices. Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target") Cc: stable@vger.kernel.org Signed-off-by: Shreyas Deodhar Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-7-njavali@marvell.com Signed-off-by: Martin K. Petersen commit d74181ca110e3de9d7dc4fba7f9f6026033e2e5d Author: Manish Rangankar Date: Wed Dec 10 15:45:57 2025 +0530 scsi: qla2xxx: Add bsg interface to support firmware img validation Add new bsg interface to issue MPI passthrough sub command to validate the new flash firmware image partition. Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-6-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 478b152ab309a3fb94f4955ac661a38c7f150101 Author: Manish Rangankar Date: Wed Dec 10 15:45:56 2025 +0530 scsi: qla2xxx: Validate MCU signature before executing MBC 03h FC firmware does not come online during on-the-fly upgrade i.e. on soft reset. To limit Load flash firmware, i.e. MBC 3 changes, validate MCU signature before executing MBC 03h Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-5-njavali@marvell.com Signed-off-by: Martin K. Petersen commit b99b04b12214ff5e4a01575c3c6612ae79bc5e76 Author: Manish Rangankar Date: Wed Dec 10 15:45:55 2025 +0530 scsi: qla2xxx: Add load flash firmware mailbox support for 28xxx For 28xxx adaptor Load flash firmware mailbox load the operational firmware from flash, and also validate the checksum. Driver does not need to load the operational firmware anymore, but it still need to read fwdt from flash to build and allocate firmware dump template. Remove request_firmware() support for 28xxx adapter. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202512031128.XsuvzBv1-lkp@intel.com/ Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-4-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 21ab087cae5000dd084dfb21d0a4d6086f79c445 Author: Manish Rangankar Date: Wed Dec 10 15:45:54 2025 +0530 scsi: qla2xxx: Add support for 64G SFP speed Incorrect speed info is shown in driver logs for 64G SFP. Add support for 64G SFP speed as per SFF-8472 specification. Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-3-njavali@marvell.com Signed-off-by: Martin K. Petersen commit 7411f1875a6055abe16e72fa5fc1b731cbfc7d76 Author: Himanshu Madhani Date: Wed Dec 10 15:45:53 2025 +0530 scsi: qla2xxx: Add Speed in SFP print information Print additional information about the speed while displaying SFP information. Signed-off-by: Himanshu Madhani Signed-off-by: Nilesh Javali Reviewed-by: Himanshu Madhani Link: https://patch.msgid.link/20251210101604.431868-2-njavali@marvell.com Signed-off-by: Martin K. Petersen commit c9f36f04a8a2725172cdf2b5e32363e4addcb14c Author: Seunghwan Baek Date: Wed Dec 10 15:38:54 2025 +0900 scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error If UFS resume fails, the event history is updated in ufshcd_resume(), but there is no code anywhere to record UFS suspend. Therefore, add code to record UFS suspend error event history. Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory") Cc: stable@vger.kernel.org Signed-off-by: Seunghwan Baek Reviewed-by: Peter Wang Link: https://patch.msgid.link/20251210063854.1483899-2-sh8267.baek@samsung.com Signed-off-by: Martin K. Petersen commit 0f9c4be787f786cff0bf2183607e54a552a40cb2 Author: Bart Van Assche Date: Thu Nov 13 10:17:30 2025 -0800 scsi: core: Introduce an enumeration type for the SCSI_MLQUEUE constants Multiple functions in the SCSI core accept an 'int reason' argument. The 'int' type of these arguments doesn't make it clear what values are acceptable for these arguments. Document which values are supported for these arguments by introducing the enumeration type scsi_qc_status. 'qc' in the type name stands for 'queuecommand' since the values passed as the 'reason' argument are the .queuecommand() return values. Cc: John Garry Cc: Hannes Reinecke Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20251113181730.1109331-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 39680c59f10c899e9533a3635b1a201f38461ba0 Author: Ranjan Kumar Date: Thu Nov 13 21:07:10 2025 +0530 scsi: mpt3sas: Fixed the W=1 compilation warning Fix W=1 compilation warnings. Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251113153712.31850-7-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 72340fecd0c8449dcef1fd07199b0476728aae72 Author: Ranjan Kumar Date: Thu Nov 13 21:07:09 2025 +0530 scsi: mpt3sas: Add configurable command retry limit for slow-to-respond devices Add a new module parameter "command_retry_count" to control the number of retries during device discovery and readiness checks, improving reliability for slow or transient SAS/PCIe devices. Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251113153712.31850-6-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit ad59571931072e6f77b2bfa7d7fdc564dad6f331 Author: Ranjan Kumar Date: Thu Nov 13 21:07:08 2025 +0530 scsi: mpt3sas: Add firmware event requeue support for busy devices Add support to requeue SAS/PCIe topology change events when devices are busy or not ready. Introduce delayed work with retry counters so events are retried instead of dropped, improving device discovery by retrying transient failures instead of dropping events. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202510311720.NiDwRLwp-lkp@intel.com/ Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251113153712.31850-5-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit aee682fad6cdd9e3482b52fab727f50bc0227fae Author: Ranjan Kumar Date: Thu Nov 13 21:07:06 2025 +0530 scsi: mpt3sas: Improve device discovery and readiness handling for slow devices Introduce a new module parameter "issue_scsi_cmd_to_bringup_drive" (default=1) which allows overriding the driver's behavior of issuing SCSI TEST_UNIT_READY/START_UNIT commands to bring devices to READY state during unblock. Improve device discovery and I/O unblocking reliability by adding robust device readiness checks and separate callback handling for discovery I/O. This introduces new helper routines for SCSI command execution and readiness determination, ensuring smoother recovery and initialization for slow or transient devices. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202510310924.crvtELzs-lkp@intel.com/ Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251113153712.31850-4-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 6b553f2a5c840d38fe2f658bbe18365d40554361 Author: Ranjan Kumar Date: Thu Nov 13 21:07:05 2025 +0530 scsi: mpt3sas: Added no_turs flag to device unblock logic Add a "no_turs" flag to _scsih_ublock_io_all_device() to optionally skip TEST UNIT READY (TUR) checks while unblocking devices. This is used after broadcast events where sending TURs is not required. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202510310216.gerpzbxP-lkp@intel.com/ Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20251113153712.31850-2-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 6211644253153e4a86892112121ea597d02b5e12 Author: Justin Tee Date: Wed Dec 10 16:16:59 2025 -0800 scsi: lpfc: Update lpfc version to 14.4.0.13 Update lpfc version to 14.4.0.13 Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251211001659.138635-4-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit e2dacf8e5e33e9d268874882ad1e0d307f693db0 Author: Sarah Catania Date: Wed Dec 10 16:16:58 2025 -0800 scsi: lpfc: Add support for reporting encryption events Support logging encryption events in both point-to-point and fabric topologies. A new LOG_ENCRYPTION flag is defined for reporting encryption related events for HBAs that support the FEDIF feature. Encryption information is stored in each NDLP object, which is determined during the discovery stage after PLOGI completes. For reporting encryption information to upper layers, the .get_fc_rport_enc_info routine is implemented in lpfc_get_enc_info(). This allows encryption status to be reported through fc_remote_ports sysfs. Debugfs is also updated to report encryption information for all NDLP objects. Signed-off-by: Sarah Catania Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251211001659.138635-3-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit bd2bc528691e11ea945fbac485eb84c102a521d8 Author: Sarah Catania Date: Wed Dec 10 16:16:57 2025 -0800 scsi: scsi_transport_fc: Introduce encryption group in fc_rport attribute Introduce a new structure for reporting an encrypted session over an fc_rport. The encryption group is added as an attribute in struct fc_rport and reports information in fc_encryption_info. This structure contains a status member variable, which stores a bit value indicating an encrypted session. Signed-off-by: Sarah Catania Signed-off-by: Justin Tee Link: https://patch.msgid.link/20251211001659.138635-2-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 1a56e63c82161fca8f8d93b0ce5ce66c7c7d6b6d Author: Yury Norov (NVIDIA) Date: Fri Dec 5 18:58:08 2025 -0500 scsi: lpfc: Rework lpfc_sli4_fcf_rr_next_index_get() The function opencodes for_each_set_bit_wrap(). Use it, and while there switch from goto-driven codeflow to more high-level constructions. Signed-off-by: Yury Norov (NVIDIA) Reviewed-by: Justin Tee Link: https://patch.msgid.link/20251205235808.358258-1-yury.norov@gmail.com Signed-off-by: Martin K. Petersen commit a8cf5c1bee0fe1b3a829118d636d4f1ea6b408b0 Author: John Garry Date: Thu Nov 13 13:36:42 2025 +0000 scsi: scsi_debug: Drop NULL scsi_cmnd check in sdebug_q_cmd_complete() The scp pointer cannot be NULL, as it is evaluated from container_of() and pointer offsets (so remove the check in sdebug_q_cmd_complete()). Signed-off-by: John Garry Link: https://patch.msgid.link/20251113133645.2898748-4-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 559ae7a26b105f9e0b1279b3ab8029623592e900 Author: John Garry Date: Thu Nov 13 13:36:41 2025 +0000 scsi: scsi_debug: Stop using READ/WRITE_ONCE() when accessing sdebug_defer.defer_t Using READ/WRITE_ONCE() means that the read or write is not torn by the compiler. READ/WRITE_ONCE() is always used when accessing sdebug_defer.defer_t. However, we also guard the access in a spinlock when accessing that member, and spinlock already guarantees no tearing, so stop using READ/WRITE_ONCE(). Signed-off-by: John Garry Link: https://patch.msgid.link/20251113133645.2898748-3-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit a743b120227a371f37c46738d91cc7a9691dbcf6 Author: John Garry Date: Thu Nov 13 13:36:40 2025 +0000 scsi: scsi_debug: Stop printing extra function name in debug logs The driver defines as follows pr_fmt: #define pr_fmt(fmt) KBUILD_MODNAME ":%s: " fmt, __func__ ...meaning that we already get the function name added in any debug statements. Remove using of __func__ in debug logs to avoid the duplication. For instances of where the function name was being printed, add some verbose comment to avoid using "" (which would be a bit silly). It would be nicer to stop using pr_fmt(), but that would mean rewriting approx 100 debug statements to have a sensible and clear message. Signed-off-by: John Garry Link: https://patch.msgid.link/20251113133645.2898748-2-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 0e1677654259a2f3ccf728de1edde922a3c4ba57 Author: Michal Rábek Date: Fri Dec 12 17:08:23 2025 +0100 scsi: sg: Fix occasional bogus elapsed time that exceeds timeout A race condition was found in sg_proc_debug_helper(). It was observed on a system using an IBM LTO-9 SAS Tape Drive (ULTRIUM-TD9) and monitoring /proc/scsi/sg/debug every second. A very large elapsed time would sometimes appear. This is caused by two race conditions. We reproduced the issue with an IBM ULTRIUM-HH9 tape drive on an x86_64 architecture. A patched kernel was built, and the race condition could not be observed anymore after the application of this patch. A reproducer C program utilising the scsi_debug module was also built by Changhui Zhong and can be viewed here: https://github.com/MichaelRabek/linux-tests/blob/master/drivers/scsi/sg/sg_race_trigger.c The first race happens between the reading of hp->duration in sg_proc_debug_helper() and request completion in sg_rq_end_io(). The hp->duration member variable may hold either of two types of information: #1 - The start time of the request. This value is present while the request is not yet finished. #2 - The total execution time of the request (end_time - start_time). If sg_proc_debug_helper() executes *after* the value of hp->duration was changed from #1 to #2, but *before* srp->done is set to 1 in sg_rq_end_io(), a fresh timestamp is taken in the else branch, and the elapsed time (value type #2) is subtracted from a timestamp, which cannot yield a valid elapsed time (which is a type #2 value as well). To fix this issue, the value of hp->duration must change under the protection of the sfp->rq_list_lock in sg_rq_end_io(). Since sg_proc_debug_helper() takes this read lock, the change to srp->done and srp->header.duration will happen atomically from the perspective of sg_proc_debug_helper() and the race condition is thus eliminated. The second race condition happens between sg_proc_debug_helper() and sg_new_write(). Even though hp->duration is set to the current time stamp in sg_add_request() under the write lock's protection, it gets overwritten by a call to get_sg_io_hdr(), which calls copy_from_user() to copy struct sg_io_hdr from userspace into kernel space. hp->duration is set to the start time again in sg_common_write(). If sg_proc_debug_helper() is called between these two calls, an arbitrary value set by userspace (usually zero) is used to compute the elapsed time. To fix this issue, hp->duration must be set to the current timestamp again after get_sg_io_hdr() returns successfully. A small race window still exists between get_sg_io_hdr() and setting hp->duration, but this window is only a few instructions wide and does not result in observable issues in practice, as confirmed by testing. Additionally, we fix the format specifier from %d to %u for printing unsigned int values in sg_proc_debug_helper(). Signed-off-by: Michal Rábek Suggested-by: Tomas Henzl Tested-by: Changhui Zhong Reviewed-by: Ewan D. Milne Reviewed-by: John Meneghini Reviewed-by: Tomas Henzl Link: https://patch.msgid.link/20251212160900.64924-1-mrabek@redhat.com Signed-off-by: Martin K. Petersen commit d373163194982f43b92c552c138c29d9f0b79553 Author: Chandrakanth Patil Date: Thu Dec 11 05:59:29 2025 +0530 scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow The driver was not reading the MAX_REQ_PER_REPLY_QUEUE_LIMIT IOCFacts flag, so the reply-queue-full handling was never enabled, even on firmware that supports it. Reading this flag enables the feature and prevents reply queue overflow. Fixes: f08b24d82749 ("scsi: mpi3mr: Avoid reply queue full condition") Cc: stable@vger.kernel.org Signed-off-by: Chandrakanth Patil Link: https://patch.msgid.link/20251211002929.22071-1-chandrakanth.patil@broadcom.com Signed-off-by: Martin K. Petersen commit e642331c942003f58dba6e33c8ee93402211b7b6 Author: vamshi gajjela Date: Thu Dec 11 19:02:27 2025 +0530 scsi: ufs: core: mcq: Use ufshcd_rmwl() instead of open-coding it Currently, ufshcd_mcq_enable_esi() manually implements a read-modify-write sequence using ufshcd_readl() and ufshcd_writel(). It also utilizes a hardcoded magic number (0x2) for the enable bit. Use ufshcd_rmwl() helper, replace the magic number with the ESI_ENABLE macro to improve code readability. No functional change intended. Signed-off-by: vamshi gajjela Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251211133227.4159394-1-vamshigajjela@google.com Signed-off-by: Martin K. Petersen commit 1f7d6e2efeedd8f545d3e0e9bf338023bf4ea584 Author: John Garry Date: Thu Dec 11 10:06:51 2025 +0000 scsi: scsi_debug: Fix atomic write enable module param description The atomic write enable module param is "atomic_wr", and not "atomic_write", so fix the module param description. Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support") Signed-off-by: John Garry Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251211100651.9056-1-john.g.garry@oracle.com Signed-off-by: Martin K. Petersen commit 7011e8aafe8c8fcc1c6f8bfcc6796f4530428e13 Author: Gulam Mohamed Date: Mon Dec 1 11:07:16 2025 +0000 scsi: target: core: Add emulation for REPORT IDENTIFYING INFORMATION Add emulation for REPORT IDENTIFYING INFORMATION command using the configfs file 'pd_text_id_info' in target core module. The configfs file is created in /sys/kernel/config/target/core// /wwn/. An emulation function, spc_emulate_report_id_info(), is defined to return the identification string based on the contents of 'pd_text_id_info'. The details of the REPORT IDENTIFYING INFORMATION command is defined in section 6.32 of SPC4. [mkp: checkpatch tweaks] Signed-off-by: Gulam Mohamed Reviewed-by: John Garry Link: https://patch.msgid.link/20251201110716.227588-1-gulam.mohamed@oracle.com Signed-off-by: Martin K. Petersen