commit 946574434aa9cfe175c3e8234734a3822410ff53 Author: Krzysztof Kozlowski Date: Mon Dec 8 03:08:08 2025 +0100 scsi: ufs: qcom: Fix confusing cleanup.h syntax Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h: "Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used." Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Manivannan Sadhasivam Link: https://patch.msgid.link/20251208020807.5043-2-krzysztof.kozlowski@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit 362432e9b9aefb914ab7d9f86c9fc384a6620c41 Author: Chaohai Chen Date: Sat Dec 6 14:06:16 2025 +0800 scsi: libsas: Add rollback handling when an error occurs In sas_register_phys(), if an error is triggered in the loop process, we need to roll back the resources that have already been requested. Add sas_unregister_phys() when an error occurs in sas_register_ha(). [mkp: a few coding style tweaks and address John's comment] Signed-off-by: Chaohai Chen Reviewed-by: John Garry Link: https://patch.msgid.link/20251206060616.69216-1-wdhh6@aliyun.com Signed-off-by: Martin K. Petersen commit fd81bc5cca8fc6936a8988de6b5d4c5693b6587e Author: Benjamin Marzinski Date: Fri Dec 5 20:00:15 2025 -0500 scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name() If scsi_dh_attached_handler_name() fails to allocate the handler name, dm-multipath (its only caller) assumes there is no attached device handler, and sets the device up incorrectly. Return an error pointer instead, so multipath can distinguish between failure, success where there is no attached device handler, or when the path device is not a SCSI device at all. Signed-off-by: Benjamin Marzinski Reviewed-by: Martin Wilck Link: https://patch.msgid.link/20251206010015.1595225-1-bmarzins@redhat.com Signed-off-by: Martin K. Petersen commit d2875b812b141d0c449541976d92c8d89b94ec72 Author: Bart Van Assche Date: Thu Dec 4 08:15:43 2025 -1000 scsi: ufs: core: Fix a deadlock in the frequency scaling code Commit 08b12cda6c44 ("scsi: ufs: core: Switch to scsi_get_internal_cmd()") accidentally introduced a deadlock in the frequency scaling code. ufshcd_clock_scaling_unprepare() may submit a device management command while SCSI command processing is blocked. The deadlock was introduced by using the SCSI core for submitting device management commands (scsi_get_internal_cmd() + blk_execute_rq()). Fix this deadlock by calling blk_mq_unquiesce_tagset() before any device management commands are submitted by ufshcd_clock_scaling_unprepare(). Fixes: 08b12cda6c44 ("scsi: ufs: core: Switch to scsi_get_internal_cmd()") Reported-by: Manivannan Sadhasivam Reported-by: Roger Shimizu Closes: https://lore.kernel.org/linux-scsi/ehorjaflathzab5oekx2nae2zss5vi2r36yqkqsfjb2fgsifz2@yk3us5g3igow/ Tested-by: Roger Shimizu Cc: Nitin Rawat Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Reviewed-by: Nitin Rawat Tested-by: Alexey Klimov # RB5 board Link: https://patch.msgid.link/20251204181548.1006696-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 14be351e5cd07349377010e457a58fac99201832 Author: Bart Van Assche Date: Thu Dec 4 07:04:52 2025 -1000 scsi: ufs: core: Fix an error handler crash The UFS error handler may be activated before SCSI scanning has started and hence before hba->ufs_device_wlun has been set. Check the hba->ufs_device_wlun pointer before using it. Cc: Peter Wang Cc: Nitin Rawat Fixes: e23ef4f22db3 ("scsi: ufs: core: Fix error handler host_sem issue") Fixes: f966e02ae521 ("scsi: ufs: core: Fix runtime suspend error deadlock") Signed-off-by: Bart Van Assche Reviewed-by: Peter Wang Reviewed-by: Nitin Rawat Tested-by: Nitin Rawat #SM8750 Link: https://patch.msgid.link/20251204170457.994851-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen commit 278712d20bc8ec29d1ad6ef9bdae9000ef2c220c Author: Xingui Yang Date: Tue Dec 2 14:56:27 2025 +0800 scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" This reverts commit ab2068a6fb84751836a84c26ca72b3beb349619d. When probing the exp-attached sata device, libsas/libata will issue a hard reset in sas_probe_sata() -> ata_sas_async_probe(), then a broadcast event will be received after the disk probe fails, and this commit causes the probe will be re-executed on the disk, and a faulty disk may get into an indefinite loop of probe. Therefore, revert this commit, although it can fix some temporary issues with disk probe failure. Signed-off-by: Xingui Yang Reviewed-by: Jason Yan Reviewed-by: John Garry Link: https://patch.msgid.link/20251202065627.140361-1-yangxingui@huawei.com Signed-off-by: Martin K. Petersen commit d98b4d52bff02d15ea73b1790d7610a2f4f023ab Author: Bean Huo Date: Tue Dec 2 16:51:38 2025 +0100 scsi: ufs: core: Fix RPMB link error by reversing Kconfig dependencies When CONFIG_SCSI_UFSHCD=y and CONFIG_RPMB=m, the kernel fails to link with undefined references to ufs_rpmb_probe() and ufs_rpmb_remove(): ld: drivers/ufs/core/ufshcd.c:8950: undefined reference to `ufs_rpmb_probe' ld: drivers/ufs/core/ufshcd.c:10505: undefined reference to `ufs_rpmb_remove' The issue is that RPMB depends on its consumers (MMC, UFS) in Kconfig, which is backwards. This prevents proper module dependency handling when the library is modular but consumers are built-in. Fix by reversing the dependency: - Remove 'depends on MMC || SCSI_UFSHCD' from RPMB Kconfig - Add 'depends on RPMB || !RPMB' to SCSI_UFSHCD Kconfig This allows RPMB to be an independent library while ensuring correct linking in all module/built-in combinations. Fixes: b06b8c421485 ("scsi: ufs: core: Add OP-TEE based RPMB driver for UFS devices") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202511300443.h7sotuL0-lkp@intel.com/ Suggested-by: Arnd Bergmann Cc: Bart Van Assche Cc: Jens Wiklander Cc: Ulf Hansson Signed-off-by: Bean Huo Reviewed-by: Arnd Bergmann Reviewed-by: Jens Wiklander Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251202155138.2607210-1-beanhuo@iokpp.de Signed-off-by: Martin K. Petersen commit 9086cac895c3bfd9bdd9a4d850da1749e447ed32 Author: Shi Hao Date: Tue Nov 18 01:39:49 2025 +0530 scsi: qla4xxx: Use time conversion macros Replace the raw use of 500 value in schedule_timeout() function with msecs_to_jiffies() to ensure intended value across different kernel configurations regardless of HZ value. Signed-off-by: Shi Hao Link: https://patch.msgid.link/20251117200949.42557-1-i.shihao.999@gmail.com Signed-off-by: Martin K. Petersen commit eaea513077cde23f70d4414288839eb26632ef36 Author: Wen Xiong Date: Tue Oct 28 09:24:27 2025 -0500 scsi: qla2xxx: Enable/disable IRQD_NO_BALANCING during reset A dynamic remove/add storage adapter test hits EEH on PowerPC: EEH: [c00000000004f77c] __eeh_send_failure_event+0x7c/0x160 EEH: [c000000000048464] eeh_dev_check_failure.part.0+0x254/0x660 EEH: [c000000000934e0c] __pci_read_msi_msg+0x1ac/0x280 EEH: [c000000000100f68] pseries_msi_compose_msg+0x28/0x40 EEH: [c00000000020e1cc] irq_chip_compose_msi_msg+0x5c/0x90 EEH: [c000000000214b1c] msi_domain_set_affinity+0xbc/0x100 EEH: [c000000000206be4] irq_do_set_affinity+0x214/0x2c0 EEH: [c000000000206e04] irq_set_affinity_locked+0x174/0x230 EEH: [c000000000207044] irq_set_affinity+0x64/0xa0 EEH: [c000000000212890] write_irq_affinity.constprop.0.isra.0+0x130/0x150 EEH: [c00000000068868c] proc_reg_write+0xfc/0x160 EEH: [c0000000005adb48] vfs_write+0xf8/0x4e0 EEH: [c0000000005ae234] ksys_write+0x84/0x140 EEH: [c00000000002e994] system_call_exception+0x164/0x310 EEH: [c00000000000bfe8] system_call_vectored_common+0xe8/0x278 The irqbalance daemon kicks in before invoking qla2xxx->slot_reset during the EEH recovery process. irqbalance daemon ->irq_set_affinity() ->msi_domain_set_affinity() ->irq_chip_set_affiinity_parent() ->xive_irq_set_affinity() ->pseries_msi_compose_ms() ->__pci_read_msi_msg() ->irq_chip_compose_msi_msg() In __pci_read_msi_msg(), the first MSI-X vector is set to all F by the irqbalance daemon. pci_write_msg_msix: index=0, lo=ffffffff hi=fffffff IRQ balancing is not required during adapter reset. Enable "IRQ_NO_BALANCING" bit before starting adapter reset and disable it calling pci_restore_state(). The irqbalance daemon is disabled for this short period of time (~2s). Co-developed-by: Kyle Mahlkuch Signed-off-by: Kyle Mahlkuch Signed-off-by: Wen Xiong Link: https://patch.msgid.link/20251028142427.3969819-3-wenxiong@linux.ibm.com Signed-off-by: Martin K. Petersen commit 6ac3484fb13b2fc7f31cfc7f56093e7d0ce646a5 Author: Wen Xiong Date: Tue Oct 28 09:24:26 2025 -0500 scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset A dynamic remove/add storage adapter test hits EEH on PowerPC: EEH: [c00000000004f75c] __eeh_send_failure_event+0x7c/0x160 EEH: [c000000000048444] eeh_dev_check_failure.part.0+0x254/0x650 EEH: [c008000001650678] eeh_readl+0x60/0x90 [ipr] EEH: [c00800000166746c] ipr_cancel_op+0x2b8/0x524 [ipr] EEH: [c008000001656524] ipr_eh_abort+0x6c/0x130 [ipr] EEH: [c000000000ab0d20] scmd_eh_abort_handler+0x140/0x440 EEH: [c00000000017e558] process_one_work+0x298/0x590 EEH: [c00000000017eef8] worker_thread+0xa8/0x620 EEH: [c00000000018be34] kthread+0x124/0x130 EEH: [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64 A PCIe bus trace reveals that a vector of MSI-X is cleared to 0 by irqbalance daemon. If we disable irqbalance daemon, we won't see the issue. With debug enabled in ipr driver: [ 44.103071] ipr: Entering __ipr_remove [ 44.103083] ipr: Entering ipr_initiate_ioa_bringdown [ 44.103091] ipr: Entering ipr_reset_shutdown_ioa [ 44.103099] ipr: Leaving ipr_reset_shutdown_ioa [ 44.103105] ipr: Leaving ipr_initiate_ioa_bringdown [ 44.149918] ipr: Entering ipr_reset_ucode_download [ 44.149935] ipr: Entering ipr_reset_alert [ 44.150032] ipr: Entering ipr_reset_start_timer [ 44.150038] ipr: Leaving ipr_reset_alert [ 44.244343] scsi 1:2:3:0: alua: Detached [ 44.254300] ipr: Entering ipr_reset_start_bist [ 44.254320] ipr: Entering ipr_reset_start_timer [ 44.254325] ipr: Leaving ipr_reset_start_bist [ 44.364329] scsi 1:2:4:0: alua: Detached [ 45.134341] scsi 1:2:5:0: alua: Detached [ 45.860949] ipr: Entering ipr_reset_shutdown_ioa [ 45.860962] ipr: Leaving ipr_reset_shutdown_ioa [ 45.860966] ipr: Entering ipr_reset_alert [ 45.861028] ipr: Entering ipr_reset_start_timer [ 45.861035] ipr: Leaving ipr_reset_alert [ 45.964302] ipr: Entering ipr_reset_start_bist [ 45.964309] ipr: Entering ipr_reset_start_timer [ 45.964313] ipr: Leaving ipr_reset_start_bist [ 46.264301] ipr: Entering ipr_reset_bist_done [ 46.264309] ipr: Leaving ipr_reset_bist_done During adapter reset, ipr device driver blocks config space access but can't block MMIO access for MSI-X entries. There is very small window: irqbalance daemon kicks in during adapter reset before ipr driver calls pci_restore_state(pdev) to restore MSI-X table. irqbalance daemon reads back all 0 for that MSI-X vector in __pci_read_msi_msg(). irqbalance daemon: msi_domain_set_affinity() ->irq_chip_set_affinity_patent() ->xive_irq_set_affinity() ->irq_chip_compose_msi_msg() ->pseries_msi_compose_msg() ->__pci_read_msi_msg(): read all 0 since didn't call pci_restore_state ->irq_chip_write_msi_msg() -> pci_write_msg_msi(): write 0 to the msix vector entry When ipr driver calls pci_restore_state(pdev) in ipr_reset_restore_cfg_space(), the MSI-X vector entry has been cleared by irqbalance daemon in pci_write_msg_msix(). pci_restore_state() ->__pci_restore_msix_state() Below is the MSI-X table for ipr adapter after irqbalance daemon kicked in during adapter reset: Dump MSIx table: index=0 address_lo=c800 address_hi=10000000 msg_data=0 Dump MSIx table: index=1 address_lo=c810 address_hi=10000000 msg_data=0 Dump MSIx table: index=2 address_lo=c820 address_hi=10000000 msg_data=0 Dump MSIx table: index=3 address_lo=c830 address_hi=10000000 msg_data=0 Dump MSIx table: index=4 address_lo=c840 address_hi=10000000 msg_data=0 Dump MSIx table: index=5 address_lo=c850 address_hi=10000000 msg_data=0 Dump MSIx table: index=6 address_lo=c860 address_hi=10000000 msg_data=0 Dump MSIx table: index=7 address_lo=c870 address_hi=10000000 msg_data=0 Dump MSIx table: index=8 address_lo=0 address_hi=0 msg_data=0 ---------> Hit EEH since msix vector of index=8 are 0 Dump MSIx table: index=9 address_lo=c890 address_hi=10000000 msg_data=0 Dump MSIx table: index=10 address_lo=c8a0 address_hi=10000000 msg_data=0 Dump MSIx table: index=11 address_lo=c8b0 address_hi=10000000 msg_data=0 Dump MSIx table: index=12 address_lo=c8c0 address_hi=10000000 msg_data=0 Dump MSIx table: index=13 address_lo=c8d0 address_hi=10000000 msg_data=0 Dump MSIx table: index=14 address_lo=c8e0 address_hi=10000000 msg_data=0 Dump MSIx table: index=15 address_lo=c8f0 address_hi=10000000 msg_data=0 [ 46.264312] ipr: Entering ipr_reset_restore_cfg_space [ 46.267439] ipr: Entering ipr_fail_all_ops [ 46.267447] ipr: Leaving ipr_fail_all_ops [ 46.267451] ipr: Leaving ipr_reset_restore_cfg_space [ 46.267454] ipr: Entering ipr_ioa_bringdown_done [ 46.267458] ipr: Leaving ipr_ioa_bringdown_done [ 46.267467] ipr: Entering ipr_worker_thread [ 46.267470] ipr: Leaving ipr_worker_thread IRQ balancing is not required during adapter reset. Enable "IRQ_NO_BALANCING" flag before starting adapter reset and disable it after calling pci_restore_state(). The irqbalance daemon is disabled for this short period of time (~2s). Co-developed-by: Kyle Mahlkuch Signed-off-by: Kyle Mahlkuch Signed-off-by: Wen Xiong Link: https://patch.msgid.link/20251028142427.3969819-2-wenxiong@linux.ibm.com Signed-off-by: Martin K. Petersen commit ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c Author: Duoming Zhou Date: Tue Oct 28 18:01:49 2025 +0800 scsi: imm: Fix use-after-free bug caused by unfinished delayed work The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated. However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory. The race condition can occur as follows: CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck() imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(...) //USE dev-> //USE Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Duoming Zhou Link: https://patch.msgid.link/20251028100149.40721-1-duoming@zju.edu.cn Signed-off-by: Martin K. Petersen commit 971bb08704e227a7815fef31713f25c6b25e2599 Author: Heiko Carstens Date: Wed Nov 26 15:40:27 2025 +0100 scsi: target: sbp: Remove KMSG_COMPONENT macro The KMSG_COMPONENT macro is a leftover of the s390 specific "kernel message catalog" from 2008 [1] which never made it upstream. The macro was added to s390 code to allow for an out-of-tree patch which used this to generate unique message ids. Also this out-of-tree doesn't exist anymore. The pattern of how the KMSG_COMPONENT is used was partially also used for non s390 specific code, for whatever reasons. Remove the macro in order to get rid of a pointless indirection. [1] https://lwn.net/Articles/292650/ Signed-off-by: Heiko Carstens Link: https://patch.msgid.link/20251126144027.2213895-1-hca@linux.ibm.com Signed-off-by: Martin K. Petersen commit c131c9bf98d940bfe8b0562baf94d6372c495df6 Author: Miao Li Date: Mon Nov 24 15:54:44 2025 +0800 scsi: core: Correct documentation for scsi_device_quiesce() If scsi_device_quiesce() returns zero, the function executed successfully. Signed-off-by: Miao Li Reviewed-by: Johannes Thumshirn Link: https://patch.msgid.link/20251124075444.32699-1-limiao870622@163.com Signed-off-by: Martin K. Petersen commit 4588e65cfd66fc8bbd9969ea730db39b60a36a30 Author: Suganath Prabu S Date: Thu Nov 20 12:49:55 2025 +0530 scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1 Avoid scanning SAS/SATA devices in channel 1 when SAS transport is enabled, as the SAS/SATA devices are exposed through channel 0. Signed-off-by: Suganath Prabu S Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/stable/20251120071955.463475-1-suganath-prabu.subramani%40broadcom.com Link: https://patch.msgid.link/20251120071955.463475-1-suganath-prabu.subramani@broadcom.com Signed-off-by: Martin K. Petersen commit 5053eab38a4c4543522d0c320c639c56a8b59908 Author: Andrey Vatoropin Date: Tue Nov 18 08:42:31 2025 +0000 scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference") Cc: stable@vger.kernel.org Signed-off-by: Andrey Vatoropin Reviewed-by: Mike Christie Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru Signed-off-by: Martin K. Petersen commit b4bb6daf4ac4d4560044ecdd81e93aa2f6acbb06 Author: Brian Kao Date: Wed Nov 12 06:32:02 2025 +0000 scsi: ufs: core: Fix EH failure after W-LUN resume error When a W-LUN resume fails, its parent devices in the SCSI hierarchy, including the scsi_target, may be runtime suspended. Subsequently, the error handler in ufshcd_recover_pm_error() fails to set the W-LUN device back to active because the parent target is not active. This results in the following errors: google-ufshcd 3c2d0000.ufs: ufshcd_err_handler started; HBA state eh_fatal; ... ufs_device_wlun 0:0:0:49488: START_STOP failed for power mode: 1, result 40000 ufs_device_wlun 0:0:0:49488: ufshcd_wl_runtime_resume failed: -5 ... ufs_device_wlun 0:0:0:49488: runtime PM trying to activate child device 0:0:0:49488 but parent (target0:0:0) is not active Address this by: 1. Ensuring the W-LUN's parent scsi_target is runtime resumed before attempting to set the W-LUN to active within ufshcd_recover_pm_error(). 2. Explicitly checking for power.runtime_error on the HBA and W-LUN devices before calling pm_runtime_set_active() to clear the error state. 3. Adding pm_runtime_get_sync(hba->dev) in ufshcd_err_handling_prepare() to ensure the HBA itself is active during error recovery, even if a child device resume failed. These changes ensure the device power states are managed correctly during error recovery. Signed-off-by: Brian Kao Tested-by: Brian Kao Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20251112063214.1195761-1-powenkao@google.com Signed-off-by: Martin K. Petersen