commit 14d4ac19d1895397532eec407433c5d74d9da53b Author: Prithvi Tambewagh Date: Mon Feb 16 11:50:02 2026 +0530 scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace: down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_iter target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows: db_root: not a directory: /sys/kernel/config/target/dbroot indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking. Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible. Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797 Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Prithvi Tambewagh Reviewed-by: Dmitry Bogdanov Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com Signed-off-by: Martin K. Petersen commit 80bf3b28d32b431f84f244a8469488eb6d96afbb Author: Florian Fuchs Date: Fri Feb 27 19:18:23 2026 +0100 scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP The Iomega ZIP 100 (Z100P2) can't process IO Advice Hints Grouping mode page query. It immediately switches to the status phase 0xb8 after receiving the subpage code 0x05 of MODE_SENSE_10 command, which fails imm_out() and turns into DID_ERROR of this command, which leads to unusable device. This was tested with an Iomega ZIP 100 (Z100P2) connected with a StarTech PEX1P2 AX99100 PCIe parallel port card. Prior to this fix, Test Unit Ready fails and the drive can't be used: IMM: returned SCSI status b8 sd 7:0:6:0: [sdh] Test Unit Ready failed: Result: hostbyte=0x01 driverbyte=DRIVER_OK Signed-off-by: Florian Fuchs Link: https://patch.msgid.link/20260227181823.892932-1-fuchsfl@gmail.com Signed-off-by: Martin K. Petersen commit dbd53975ed4132d161b6a97ebe785a262380182d Author: Ranjan Kumar Date: Wed Feb 25 13:56:22 2026 +0530 scsi: mpi3mr: Clear reset history on ready and recheck state after timeout The driver retains reset history even after the IOC has successfully reached the READY state. That leaves stale reset information active during normal operation and can mislead recovery and diagnostics. In addition, if the IOC becomes READY just as the ready timeout loop exits, the driver still follows the failure path and may retry or report failure incorrectly. Clear reset history once READY is confirmed so driver state matches actual IOC status. After the timeout loop, recheck the IOC state and treat READY as success instead of failing. Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20260225082622.82588-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 1ac22c8eae81366101597d48360718dff9b9d980 Author: Junxiao Bi Date: Mon Feb 23 15:27:28 2026 -0800 scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free") Cc: stable@vger.kernel.org Signed-off-by: Junxiao Bi Reviewed-by: Mike Christie Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com Signed-off-by: Martin K. Petersen commit e521b77688365e0ed495baa6dae4905428a9f517 Author: Bart Van Assche Date: Mon Feb 23 14:00:30 2026 -0800 scsi: megaraid_sas: Protect more code with instance->reset_mutex megasas_get_device_list() and megasas_get_snapdump_properties() may unlock instance->reset_mutex indirectly. Hence, hold reset_mutex while calling these functions. Cc: Kashyap Desai Cc: Sumit Saxena Cc: Shivasharan S Cc: Chandrakanth patil Cc: James E.J. Bottomley Cc: Martin K. Petersen Cc: megaraidlinux.pdl@broadcom.com Cc: linux-scsi@vger.kernel.org Signed-off-by: Bart Van Assche Link: https://patch.msgid.link/20260223220102.2158611-31-bart.vanassche@linux.dev Signed-off-by: Martin K. Petersen commit fc803a39c42ad3887796cb3afbf7bdd4221199bf Author: Bart Van Assche Date: Mon Feb 23 14:00:29 2026 -0800 scsi: fnic: Make fnic_queuecommand() easier to analyze Move a spin_unlock_irqrestore() call such that the io_lock_acquired variable can be eliminated. This patch prepares for enabling the Clang thread-safety analyzer. Cc: Satish Kharat Cc: Sesidhar Baddela Cc: Karan Tilak Kumar Cc: James E.J. Bottomley Cc: Martin K. Petersen Cc: linux-scsi@vger.kernel.org Signed-off-by: Bart Van Assche Reviewed-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260223220102.2158611-30-bart.vanassche@linux.dev Signed-off-by: Martin K. Petersen commit 2f38fd99c0004676d835ae96ac4f3b54edc02c82 Author: wangshuaiwei Date: Tue Feb 24 14:32:28 2026 +0800 scsi: ufs: core: Fix shift out of bounds when MAXQ=32 According to JESD223F, the maximum number of queues (MAXQ) is 32. When MCQ is enabled and ESI is disabled, nr_hw_queues=32 causes a shift overflow problem. Fix this by using 64-bit intermediate values to handle the nr_hw_queues=32 case safely. Signed-off-by: wangshuaiwei Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260224063228.50112-1-wangshuaiwei1@xiaomi.com Signed-off-by: Martin K. Petersen commit 47e088c9d1a06e0f762ac7ea62ae48c9e16c4def Author: Karan Tilak Kumar Date: Tue Feb 17 14:39:43 2026 -0800 scsi: fnic: Bump up version number Bump up version number. Tested-by: Karan Tilak Kumar Reviewed-by: Sesidhar Baddela Reviewed-by: Arulprabhu Ponnusamy Reviewed-by: Gian Carlo Boffa Reviewed-by: Arun Easi Reviewed-by: Hannes Reinecke Signed-off-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260217223943.7938-5-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit 927b5282df6463fea8eeb1342e58cec0fa03b35e Author: Karan Tilak Kumar Date: Tue Feb 17 14:39:42 2026 -0800 scsi: fnic: Refactor in_remove flag and call to fnic_fcpio_reset() Modify logic to remove unnecessary acquire/release of spinlock to set in_remove flag. There's also no need to check for init status to call fnic_fcpio_reset. Tested-by: Karan Tilak Kumar Reviewed-by: Sesidhar Baddela Reviewed-by: Arulprabhu Ponnusamy Reviewed-by: Gian Carlo Boffa Reviewed-by: Arun Easi Reviewed-by: Hannes Reinecke Signed-off-by: Karan Tilak Kumar Co-developed-by: Hannes Reinecke Link: https://patch.msgid.link/20260217223943.7938-4-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit 31eda39bfd468a0fbabc0179e913c0755377e3b5 Author: Karan Tilak Kumar Date: Tue Feb 17 14:39:41 2026 -0800 scsi: fnic: Rename fnic_scsi_fcpio_reset() The function has no dependency on SCSI/FCP, so rename it to fnic_fcpio_reset() and move it to fnic_fcs.c Tested-by: Karan Tilak Kumar Reviewed-by: Sesidhar Baddela Reviewed-by: Arulprabhu Ponnusamy Reviewed-by: Gian Carlo Boffa Reviewed-by: Arun Easi Reviewed-by: Hannes Reinecke Reviewed-by: Lee Duncan Signed-off-by: Karan Tilak Kumar Co-developed-by: Hannes Reinecke Link: https://patch.msgid.link/20260217223943.7938-3-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit a59d1caf1ded07e38a0f6e98c6491a75faedd70f Author: Karan Tilak Kumar Date: Tue Feb 17 14:39:40 2026 -0800 scsi: fnic: Do not use GFP_ZERO for mempools One cannot use the GFP_ZERO flag for mempool allocation, so use memset() instead. Tested-by: Karan Tilak Kumar Reviewed-by: Sesidhar Baddela Reviewed-by: Arulprabhu Ponnusamy Reviewed-by: Gian Carlo Boffa Reviewed-by: Arun Easi Reviewed-by: Hannes Reinecke Reviewed-by: Lee Duncan Signed-off-by: Karan Tilak Kumar Co-developed-by: Hannes Reinecke Link: https://patch.msgid.link/20260217223943.7938-2-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit 0e07baae55bc319e4e9559fee352b9252a467db6 Author: Karan Tilak Kumar Date: Tue Feb 17 14:39:39 2026 -0800 scsi: fnic: Use mempool for receive frames The receive frames are constantly replenished so we should rather use a mempool here. fip_frame_queue is an rxq. Deallocate it in fnic_free_rxq(). Tested-by: Karan Tilak Kumar Reviewed-by: Sesidhar Baddela Reviewed-by: Arulprabhu Ponnusamy Reviewed-by: Gian Carlo Boffa Reviewed-by: Arun Easi Reviewed-by: Hannes Reinecke Signed-off-by: Karan Tilak Kumar Co-developed-by: Hannes Reinecke Link: https://patch.msgid.link/20260217223943.7938-1-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit f707860ebc84dd07148c3855e2f0fa9f41a3ed4a Author: Peter Wang Date: Tue Feb 10 15:17:30 2026 +0800 scsi: ufs: core: Support UFSHCI 4.1 CQ entry tag The UFSHCI 4.1 specification introduces a new completion queue (CQ) entry format, allowing the tag to be obtained directly. Signed-off-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260210071834.1837878-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 3abe4113e784b4a1135fe0e89828afecbfebf862 Author: Peter Wang Date: Tue Feb 10 14:41:44 2026 +0800 scsi: ufs: core: Add debug log for MCQ command timeout It is difficult to debug situations where an MCQ command timeout occurs, the corresponding CQ tag response is received, but the request is not completed. Add a one-line log to indicate when the CQ entry is abnormal. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260210070837.1820710-3-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 01517654bc258efb2610e53e99fa4ef641d134b9 Author: Peter Wang Date: Tue Feb 10 14:41:43 2026 +0800 scsi: ufs: core: Add debug log for UIC command timeout It is difficult to debug when a UIC command timeout occurs simultaneously with a UIC command complete interrupt. Currently, we only see the timeout log without any debug information, making it unclear whether the UFS device failed to respond or the host entered an incorrect state. Add a one-line log to cover this situation. Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260210070837.1820710-2-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 931c105de11c2e0e9675fbc061b16a9c5f134dcf Author: Thorsten Blum Date: Tue Feb 24 15:48:27 2026 +0100 scsi: BusLogic: Replace deprecated strcpy() + strcat() in blogic_rdconfig() strcpy() is deprecated [1] and using strcat() is discouraged. Replace them with scnprintf(). No functional changes. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strcpy [1] Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20260224144828.585577-1-thorsten.blum@linux.dev Signed-off-by: Martin K. Petersen commit 6446e8c2b6c76b4d253c46352540ca1f5fa3f854 Author: Justin Tee Date: Thu Feb 12 13:30:08 2026 -0800 scsi: lpfc: Update lpfc version to 14.4.0.14 Update lpfc version to 14.4.0.14. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-14-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 107cb8ed4f44eeb17f9624e183603c0b885ef039 Author: Justin Tee Date: Thu Feb 12 13:30:07 2026 -0800 scsi: lpfc: Update copyright year string for 2026 Update copyright string to 2026 for this version patch set. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-13-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 5807d96c46d5ccfb4c247f16653e616e8c90ae06 Author: Justin Tee Date: Thu Feb 12 13:30:06 2026 -0800 scsi: lpfc: Restrict first burst to non-FCoE and SLI4 adapters only First burst is only supported on adapters running in SLI4 mode and that are non-FCoE based. Include sli_rev and FCoE mode checks before setting the write transfer ready disabled bit in PRLIs. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-12-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 9714c5463fd1d963fe30193ed75b9578e84278ab Author: Justin Tee Date: Thu Feb 12 13:30:05 2026 -0800 scsi: lpfc: Update class of service bit field to 3 bits for WQE submissions WQE submissions only require a 3 bit field when specifying the class of service to use. So, update WQE submission paths to use a 3 bit field instead of 0x0f as the bit mask. A NLP_FCP_CLASS_MASK bitmask is defined to ensure only a 3 bit mask is used. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-11-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 559a6c2ab097695f7b3cd4fdd5f6aca81ae3da09 Author: Justin Tee Date: Thu Feb 12 13:30:04 2026 -0800 scsi: lpfc: Add clean up of aborted NVMe commands during PCI fcn reset When handling a PCI function reset, notification to the NVMe transport layer is skipped for outstanding aborted NVMe I/O. Introduce a new routine called lpfc_nvme_flush_abts_list(), which notifies upper NVMe transport layer of outstanding aborted NVMe I/O that are not planned to be completed normally due to a PCI function reset request. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-10-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 2da10bcaa58a389ca60f8e788180e0dca00739bc Author: Justin Tee Date: Thu Feb 12 13:30:03 2026 -0800 scsi: lpfc: Fix incorrect txcmplq_cnt during cleanup in lpfc_sli_abort_ring() When a port is offline in lpfc_sli_abort_ring, the phba->txcmplq is cleared but the phba->txcmplq_cnt is not reset to zero. This can sometimes result in a phba->txcmplq_cnt that never reaches zero, which hangs the cleanup process. Update lpfc_sli_abort_ring so that txcmplq_cnt is reset to zero and also ensure that the LPFC_IO_ON_TXCMPLQ flag is properly cleared. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-9-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 6b0bcf4b6430688984fe1ee69fce7165a3e24b92 Author: Justin Tee Date: Thu Feb 12 13:30:02 2026 -0800 scsi: lpfc: Cleanup error exit paths in lpfc_fdmi_cmd() and associated messages Error labels in lpfc_fdmi_cmd() accidentally return success status and can potentially leak memory. Change error exit path status to return a non-zero value using a common exit path for failure cases. The error path also frees allocated memory and provides logging. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-8-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit f6bfb8d149336661bb80e62980da9a45b920403c Author: Justin Tee Date: Thu Feb 12 13:30:01 2026 -0800 scsi: lpfc: Remove unnecessary ndlp kref get in lpfc_check_nlp_post_devloss When NLP_IN_RECOV_POST_DEV_LOSS is set, the initial node reference remains held while recovery is in progress. Taking a reference when NLP_IN_RECOV_POST_DEV_LOSS is cleared results in an additional reference being held. This causes an extra reference when cleaning up lpfc_vport instances. Thus, remove the extraneous ndlp kref get in lpfc_check_nlp_post_devloss. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-7-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 70b468d41b822e4b510761120be3924df966a62d Author: Justin Tee Date: Thu Feb 12 13:30:00 2026 -0800 scsi: lpfc: Reduce pointer chasing when accessing vmid_flag For all FLOGI completions, the vport->phba->pport pointer is actually a pointer to the original vport pointer because FLOGIs always complete on the physical lpfc_vport object. Thus, we can reduce the vport->phba->pport->vmid_flag dereference to simply vport->vmid_flag. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-6-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit f8c599ad90f53dbe2246935f90ff49693c26b34f Author: Justin Tee Date: Thu Feb 12 13:29:59 2026 -0800 scsi: lpfc: Use min_t() instead of min() in lpfc_sli4_driver_resource_setup The member called cfg_sg_dma_buf_size is declared as a u32, while the min comparator's second argument called SLI4_PAGE_SIZE is a #define. Proper comparison should be using the same type, therefore change to use min_t. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-5-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 5f442e54e9ef662aaad736ca1af13f20d0448f08 Author: Justin Tee Date: Thu Feb 12 13:29:58 2026 -0800 scsi: lpfc: Add log messages to fabric login error labels Should fabric login or related initialization mailbox commands fail, there are no log messages to notify which step encountered an issue. Update error label paths to log when unexpected fabric login issues occur. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-4-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit b4082ac8e62ca669beabddff47238cdb33ea47dc Author: Justin Tee Date: Thu Feb 12 13:29:57 2026 -0800 scsi: lpfc: Log discarded and insufficient RQE buffer events An RCQE with statuses indicating that an RQE is dropped or when there are insufficient buffers to receive new RQEs are currently occuring silently. Add a new log message to warn when such events occur. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-3-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 8ecb3ec244acd7db2a6c071d53eb4870619fb5e6 Author: Justin Tee Date: Thu Feb 12 13:29:56 2026 -0800 scsi: lpfc: Update log message when ndlp kref get is unsuccessful If kref_get_unless_zero on ndlp->kref is unsuccessful, then there's no point to log kref_read(&ndlp->kref) because it will of course be zero. In such cases, ndlp->vport would also be an invalid pointer. Thus, use pr_info() instead of lpfc_printf_vlog() to log when a kref get is attempted on an ndlp with a zero kref. Signed-off-by: Justin Tee Link: https://patch.msgid.link/20260212213008.149873-2-justintee8345@gmail.com Signed-off-by: Martin K. Petersen commit 62c015373e1cdb1cdca824bd2dbce2dac0819467 Author: Peter Wang Date: Mon Feb 23 18:37:57 2026 +0800 scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume Move the link recovery trigger from ufshcd_uic_pwr_ctrl() to __ufshcd_wl_resume(). Ensure link recovery is only attempted when hibern8 exit fails during resume, not during hibern8 enter in suspend. Improve error handling and prevent unnecessary link recovery attempts. Fixes: 35dabf4503b9 ("scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume") Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260223103906.2533654-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 30df81f2228d65bddf492db3929d9fcaffd38fc5 Author: Peter Wang Date: Mon Feb 23 14:56:09 2026 +0800 scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL. This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash. Kernel log excerpt: [] notify_die+0x4c/0x8c [] __die+0x60/0xb0 [] die+0x4c/0xe0 [] die_kernel_fault+0x74/0x88 [] __do_kernel_fault+0x314/0x318 [] do_page_fault+0xa4/0x5f8 [] do_translation_fault+0x34/0x54 [] do_mem_abort+0x50/0xa8 [] el1_abort+0x3c/0x64 [] el1h_64_sync_handler+0x44/0xcc [] el1h_64_sync+0x80/0x88 [] ufshcd_add_command_trace+0x23c/0x320 [] ufshcd_compl_one_cqe+0xa4/0x404 [] ufshcd_mcq_poll_cqe_lock+0xac/0x104 [] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod] [] __handle_irq_event_percpu+0xc8/0x348 [] handle_irq_event+0x3c/0xa8 [] handle_fasteoi_irq+0xf8/0x294 [] generic_handle_domain_irq+0x54/0x80 [] gic_handle_irq+0x1d4/0x330 [] call_on_irq_stack+0x44/0x68 [] do_interrupt_handler+0x78/0xd8 [] el1_interrupt+0x48/0xa8 [] el1h_64_irq_handler+0x14/0x24 [] el1h_64_irq+0x80/0x88 [] arch_local_irq_enable+0x4/0x1c [] cpuidle_enter+0x34/0x54 [] do_idle+0x1dc/0x2f8 [] cpu_startup_entry+0x30/0x3c [] secondary_start_kernel+0x134/0x1ac [] __secondary_switched+0xc4/0xcc Signed-off-by: Peter Wang Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260223065657.2432447-1-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen commit 97af85787c1964a7e7b146c5d4e021f089af47ea Author: Karan Tilak Kumar Date: Tue Feb 17 12:46:58 2026 -0800 scsi: snic: MAINTAINERS: Update snic maintainers Update snic maintainers. Signed-off-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260217204658.5465-1-kartilak@cisco.com Signed-off-by: Martin K. Petersen commit af3973e7b4fd91e6884b312526168869fb013d68 Author: Thomas Fourier Date: Mon Feb 16 15:10:55 2026 +0100 scsi: snic: Remove unused linkstatus The (struct vnic_dev).linkstatus buffer is freed in svnic_dev_unregister() and referenced in svnic_dev_link_status() but never alloc'd. This means (struct vnic_dev).linkstatus is always null and the dealloc the reference in svnic_dev_link_status() is dead code. Signed-off-by: Thomas Fourier Acked-by: Karan Tilak Kumar Link: https://patch.msgid.link/20260216141056.59429-2-fourier.thomas@gmail.com Signed-off-by: Martin K. Petersen commit 38353c26db28efd984f51d426eac2396d299cca7 Author: Salomon Dushimirimana Date: Fri Feb 13 19:28:06 2026 +0000 scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handled. However, this also frees the underlying SAS task. A -ENODEV is then returned to the caller. When libsas sas_ata_qc_issue() receives this error value, it assumes the task wasn't handled/queued by LLDD and proceeds to clean up and free the task again, resulting in a double free. Since pm8001_queue_command() handles the SAS task in this case, it should return 0 to the caller indicating that the task has been handled. Fixes: e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") Signed-off-by: Salomon Dushimirimana Reviewed-by: Damien Le Moal Link: https://patch.msgid.link/20260213192806.439432-1-salomondush@google.com Signed-off-by: Martin K. Petersen commit fa96392ebebc8fade2b878acb14cce0f71016503 Author: Ranjan Kumar Date: Thu Feb 12 12:30:26 2026 +0530 scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup Signed-off-by: Ranjan Kumar Link: https://patch.msgid.link/20260212070026.30263-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 5b313760059c9df7d60aba7832279bcb81b4aec0 Author: Won Jung Date: Wed Feb 11 15:01:05 2026 +0900 scsi: ufs: core: Reset urgent_bkops_lvl to allow runtime PM power mode Ensures that UFS Runtime PM can achieve power saving after System PM suspend by resetting hba->urgent_bkops_lvl. Also modify the ufshcd_bkops_exception_event_handler to avoid setting urgent_bkops_lvl when status is 0, which helps maintain optimal power management. On UFS devices supporting UFSHCD_CAP_AUTO_BKOPS_SUSPEND, a BKOPS exception event can lead to a situation where UFS Runtime PM can't enter low-power mode states even after the BKOPS exception has been resolved. BKOPS exception with bkops status 0 occurs, the driver logs: "ufshcd_bkops_exception_event_handler: device raised urgent BKOPS exception for bkops status 0" When a BKOPS exception occurs, ufshcd_bkops_exception_event_handler() reads the BKOPS status and sets hba->urgent_bkops_lvl to BKOPS_STATUS_NO_OP(0). This allows the device to perform Runtime PM without changing the UFS power mode. (__ufshcd_wl_suspend(hba, UFS_RUNTIME_PM)) During system PM suspend, ufshcd_disable_auto_bkops() is called, disabling auto bkops. After UFS System PM Resume, when runtime PM attempts to suspend again, ufshcd_urgent_bkops() is invoked. Since hba->urgent_bkops_lvl remains at BKOPS_STATUS_NO_OP(0), ufshcd_enable_auto_bkops() is triggered. However, in ufshcd_bkops_ctrl(), the driver compares the current BKOPS status with hba->urgent_bkops_lvl, and only enables auto bkops if curr_status >= hba->urgent_bkops_lvl. Since both values are 0, the condition is met As a result, __ufshcd_wl_suspend(hba, UFS_RUNTIME_PM) skips power mode transitions and remains in an active state, preventing power saving even though no urgent BKOPS condition exists. Signed-off-by: Won Jung Reviewed-by: Peter Wang Link: https://patch.msgid.link/1891546521.01770806581968.JavaMail.epsvc@epcpadp2new Signed-off-by: Martin K. Petersen commit 70ca8caa96ce473647054f5c7b9dab5423902402 Author: Tomas Henzl Date: Tue Feb 10 20:18:50 2026 +0100 scsi: ses: Fix devices attaching to different hosts On a multipath SAS system some devices don't end up with correct symlinks from the SCSI device to its enclosure. Some devices even have enclosure links pointing to enclosures attached to different SCSI hosts. ses_match_to_enclosure() calls enclosure_for_each_device() which iterates over all enclosures on the system, not just enclosures attached to the current SCSI host. Replace the iteration with a direct call to ses_enclosure_find_by_addr(). Reviewed-by: David Jeffery Signed-off-by: Tomas Henzl Link: https://patch.msgid.link/20260210191850.36784-1-thenzl@redhat.com Signed-off-by: Martin K. Petersen commit 2e6b5cd6a4b37a95b78cf8c39a979b58c915c8ed Author: Alexey Charkov Date: Mon Feb 9 19:17:34 2026 +0400 scsi: ufs: core: Fix RPMB region size detection for UFS 2.2 Older UFS spec devices (2.2 and earlier) do not expose per-region RPMB sizes, as only one RPMB region is supported. In such cases, the size of the single RPMB region can be deduced from the Logical Block Count and Logical Block Size fields in the RPMB Unit Descriptor. Add a fallback mechanism to calculate the RPMB region size from these fields if the device implements an older spec, so that the RPMB driver can work with such devices - otherwise it silently skips the whole RPMB. Section 14.1.4.6 (RPMB Unit Descriptor) Link: https://www.jedec.org/system/files/docs/JESD220C-2_2.pdf Cc: stable@vger.kernel.org Fixes: b06b8c421485 ("scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices") Reviewed-by: Bean Huo Signed-off-by: Alexey Charkov Link: https://patch.msgid.link/20260209-ufs-rpmb-v3-1-b1804e71bd38@flipper.net Signed-off-by: Martin K. Petersen commit 57297736c08233987e5d29ce6584c6ca2a831b12 Author: Jan Kiszka Date: Thu Jan 29 15:30:39 2026 +0100 scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common [ 415.140846] Preemption disabled at: [ 415.140847] [] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)} [ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024 [ 415.140857] Call Trace: [ 415.140861] [ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140863] dump_stack_lvl+0x91/0xb0 [ 415.140870] __schedule_bug+0x9c/0xc0 [ 415.140875] __schedule+0xdf6/0x1300 [ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980 [ 415.140879] ? rcu_is_watching+0x12/0x60 [ 415.140883] schedule_rtlock+0x21/0x40 [ 415.140885] rtlock_slowlock_locked+0x502/0x1980 [ 415.140891] rt_spin_lock+0x89/0x1e0 [ 415.140893] hv_ringbuffer_write+0x87/0x2a0 [ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0 [ 415.140900] ? rcu_is_watching+0x12/0x60 [ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc] [ 415.140904] ? HARDIRQ_verbose+0x10/0x10 [ 415.140908] ? __rq_qos_issue+0x28/0x40 [ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod] [ 415.140926] __blk_mq_issue_directly+0x4a/0xc0 [ 415.140928] blk_mq_issue_direct+0x87/0x2b0 [ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440 [ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0 [ 415.140935] __blk_flush_plug+0xf4/0x150 [ 415.140940] __submit_bio+0x2b2/0x5c0 [ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360 [ 415.140946] submit_bio_noacct_nocheck+0x272/0x360 [ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4] [ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4] [ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4] [ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4] [ 415.141060] generic_perform_write+0x14e/0x2c0 [ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4] [ 415.141083] vfs_write+0x2ca/0x570 [ 415.141087] ksys_write+0x76/0xf0 [ 415.141089] do_syscall_64+0x99/0x1490 [ 415.141093] ? rcu_is_watching+0x12/0x60 [ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0 [ 415.141097] ? rcu_is_watching+0x12/0x60 [ 415.141098] ? lock_release+0x1f0/0x2a0 [ 415.141100] ? rcu_is_watching+0x12/0x60 [ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0 [ 415.141103] ? rcu_is_watching+0x12/0x60 [ 415.141104] ? __schedule+0xb34/0x1300 [ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170 [ 415.141109] ? do_nanosleep+0x8b/0x160 [ 415.141111] ? hrtimer_nanosleep+0x89/0x100 [ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 415.141116] ? xfd_validate_state+0x26/0x90 [ 415.141118] ? rcu_is_watching+0x12/0x60 [ 415.141120] ? do_syscall_64+0x1e0/0x1490 [ 415.141121] ? do_syscall_64+0x1e0/0x1490 [ 415.141123] ? rcu_is_watching+0x12/0x60 [ 415.141124] ? do_syscall_64+0x1e0/0x1490 [ 415.141125] ? do_syscall_64+0x1e0/0x1490 [ 415.141127] ? irqentry_exit+0x140/0x7e0 [ 415.141129] entry_SYSCALL_64_after_hwframe+0x76/0x7e get_cpu() disables preemption while the spinlock hv_ringbuffer_write is using is converted to an rt-mutex under PREEMPT_RT. Signed-off-by: Jan Kiszka Tested-by: Florian Bezdeka Reviewed-by: Michael Kelley Tested-by: Michael Kelley Link: https://patch.msgid.link/0c7fb5cd-fb21-4760-8593-e04bade84744@siemens.com Signed-off-by: Martin K. Petersen commit bffda93a51b40afd67c11bf558dc5aae83ca0943 Author: Mathias Krause Date: Thu Feb 12 11:23:27 2026 -0800 scsi: lpfc: Properly set WC for DPP mapping Using set_memory_wc() to enable write-combining for the DPP portion of the MMIO mapping is wrong as set_memory_*() is meant to operate on RAM only, not MMIO mappings. In fact, as used currently triggers a BUG_ON() with enabled CONFIG_DEBUG_VIRTUAL. Simply map the DPP region separately and in addition to the already existing mappings, avoiding any possible negative side effects for these. Fixes: 1351e69fc6db ("scsi: lpfc: Add push-to-adapter support to sli4") Signed-off-by: Mathias Krause Signed-off-by: Justin Tee Reviewed-by: Mathias Krause Link: https://patch.msgid.link/20260212192327.141104-1-justintee8345@gmail.com Signed-off-by: Martin K. Petersen