commit fca6caeb4a61d240f031914413fcc69534f6dc03
Author: Wang Hai <wanghai38@huawei.com>
Date:   Fri Oct 11 19:34:44 2024 +0800

    scsi: target: core: Fix null-ptr-deref in target_alloc_device()
    
    There is a null-ptr-deref issue reported by KASAN:
    
    BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
    ...
     kasan_report+0xb9/0xf0
     target_alloc_device+0xbc4/0xbe0 [target_core_mod]
     core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
     target_core_init_configfs+0x205/0x420 [target_core_mod]
     do_one_initcall+0xdd/0x4e0
    ...
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    In target_alloc_device(), if allocing memory for dev queues fails, then
    dev will be freed by dev->transport->free_device(), but dev->transport
    is not initialized at that time, which will lead to a null pointer
    reference problem.
    
    Fixing this bug by freeing dev with hba->backend->ops->free_device().
    
    Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@huawei.com
    Reviewed-by: Mike Christie <michael.christie@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

commit b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>
Date:   Tue Oct 8 13:13:53 2024 +0530

    scsi: mpi3mr: Validate SAS port assignments
    
    A sanity check on phy_mask was added in commit 3668651def2c ("scsi:
    mpi3mr: Sanitise num_phys"). This causes warning messages when more than
    64 phys are detected and devices connected to phys greater than 64 are
    dropped.
    
    The phy_mask bitmap is only needed for controller phys and not required
    for expander phys. Controller phys can go up to a maximum of 64 and
    therefore u64 is good enough to contain phy_mask bitmap.
    
    To suppress those warnings and allow devices to be discovered as before
    the offending commit, restrict the phy_mask setting and lowest phy
    setting only to the controller phys.
    
    Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys")
    Cc: stable@vger.kernel.org
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202410051943.Mp9o5DlF-lkp@intel.com/
    Reported-by: Alexander Motin <mav@ixsystems.com>
    Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
    Link: https://lore.kernel.org/r/20241008074353.200379-1-ranjan.kumar@broadcom.com
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

commit 19a198b67767d952c8f3d0cf24eb3100522a8223
Author: Seunghwan Baek <sh8267.baek@samsung.com>
Date:   Thu Aug 29 18:39:13 2024 +0900

    scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down
    
    There is a history of deadlock if reboot is performed at the beginning
    of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS
    shutdown, and at that time the audio driver was waiting on
    blk_mq_submit_bio() holding a mutex_lock while reading the fw binary.
    After that, a deadlock issue occurred while audio driver shutdown was
    waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set
    SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down
    after a UFS shutdown will return an error.
    
    [   31.907781]I[0:      swapper/0:    0]        1        130705007       1651079834      11289729804                0 D(   2) 3 ffffff882e208000 *             init [device_shutdown]
    [   31.907793]I[0:      swapper/0:    0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
    [   31.907806]I[0:      swapper/0:    0] Call trace:
    [   31.907810]I[0:      swapper/0:    0]  __switch_to+0x174/0x338
    [   31.907819]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc
    [   31.907826]I[0:      swapper/0:    0]  schedule+0x7c/0xe8
    [   31.907834]I[0:      swapper/0:    0]  schedule_preempt_disabled+0x24/0x40
    [   31.907842]I[0:      swapper/0:    0]  __mutex_lock+0x408/0xdac
    [   31.907849]I[0:      swapper/0:    0]  __mutex_lock_slowpath+0x14/0x24
    [   31.907858]I[0:      swapper/0:    0]  mutex_lock+0x40/0xec
    [   31.907866]I[0:      swapper/0:    0]  device_shutdown+0x108/0x280
    [   31.907875]I[0:      swapper/0:    0]  kernel_restart+0x4c/0x11c
    [   31.907883]I[0:      swapper/0:    0]  __arm64_sys_reboot+0x15c/0x280
    [   31.907890]I[0:      swapper/0:    0]  invoke_syscall+0x70/0x158
    [   31.907899]I[0:      swapper/0:    0]  el0_svc_common+0xb4/0xf4
    [   31.907909]I[0:      swapper/0:    0]  do_el0_svc+0x2c/0xb0
    [   31.907918]I[0:      swapper/0:    0]  el0_svc+0x34/0xe0
    [   31.907928]I[0:      swapper/0:    0]  el0t_64_sync_handler+0x68/0xb4
    [   31.907937]I[0:      swapper/0:    0]  el0t_64_sync+0x1a0/0x1a4
    
    [   31.908774]I[0:      swapper/0:    0]       49                0         11960702      11236868007                0 D(   2) 6 ffffff882e28cb00 *      kworker/6:0 [__bio_queue_enter]
    [   31.908783]I[0:      swapper/0:    0] Call trace:
    [   31.908788]I[0:      swapper/0:    0]  __switch_to+0x174/0x338
    [   31.908796]I[0:      swapper/0:    0]  __schedule+0x5ec/0x9cc
    [   31.908803]I[0:      swapper/0:    0]  schedule+0x7c/0xe8
    [   31.908811]I[0:      swapper/0:    0]  __bio_queue_enter+0xb8/0x178
    [   31.908818]I[0:      swapper/0:    0]  blk_mq_submit_bio+0x194/0x67c
    [   31.908827]I[0:      swapper/0:    0]  __submit_bio+0xb8/0x19c
    
    Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun")
    Cc: stable@vger.kernel.org
    Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
    Link: https://lore.kernel.org/r/20240829093913.6282-2-sh8267.baek@samsung.com
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

commit 8fa075804cb3b00960dd5c06554308175c834530
Author: Peter Wang <peter.wang@mediatek.com>
Date:   Tue Oct 1 17:19:17 2024 +0800

    scsi: ufs: core: Requeue aborted request
    
    After the SQ cleanup fix, the CQ will receive a response with the
    corresponding tag marked as OCS: ABORTED. To align with the behavior of
    Legacy SDB mode, the handling of OCS: ABORTED has been changed to match
    that of OCS_INVALID_COMMAND_STATUS (SDB), with both returning a SCSI
    result of DID_REQUEUE.
    
    Furthermore, the workaround implemented before the SQ cleanup fix can be
    removed.
    
    Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode")
    Cc: stable@vger.kernel.org
    Signed-off-by: Peter Wang <peter.wang@mediatek.com>
    Link: https://lore.kernel.org/r/20241001091917.6917-3-peter.wang@mediatek.com
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

commit bf0c6cc73f7f91ec70307f7c72343f6cb7d65d01
Author: Peter Wang <peter.wang@mediatek.com>
Date:   Tue Oct 1 17:19:16 2024 +0800

    scsi: ufs: core: Fix the issue of ICU failure
    
    When setting the ICU bit without using read-modify-write, SQRTCy will
    restart SQ again and receive an RTC return error code 2 (Failure - SQ
    not stopped).
    
    Additionally, the error log has been modified so that this type of error
    can be observed.
    
    Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode")
    Cc: stable@vger.kernel.org
    Signed-off-by: Peter Wang <peter.wang@mediatek.com>
    Link: https://lore.kernel.org/r/20241001091917.6917-2-peter.wang@mediatek.com
    Reviewed-by: Bao D. Nguyen <quic_nguyenb@quicinc.com>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>