kernel/linux.git/drivers/scsi, branch v7.1-rc6

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

2026-05-31T15:45:08+00:00

Pull SCSI fixes from James Bottomley: "Two core changes, the only one of significance being the change to kick queues in SDEV_CANCEL which had a small window for stuck requests. The major driver fixes are the one to the FC transport class to widen the FPIN counter to counter a theoretical (and privileged) fabric traffic injection attack and the other is an iscsi fix where a malicious target could trick the kernel into an output buffer overrun. Both the driver fixes were AI assisted" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: target: iscsi: Validate CHAP_R length before base64 decode scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 scsi: scsi_debug: Add missing newline in scsi_debug_device_reset() scsi: megaraid_sas: Fix NULL pointer dereference on firmware duplicate completion scsi: devinfo: Add BLIST_NO_RSOC for Promise VTrak E310f scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues

scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker

2026-05-23T01:56:42+00:00

drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the descriptor cursor by an attacker-supplied fip_dlen without ever requiring dlen >= sizeof(struct fip_desc) in the default branch. The named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor (fip_dtype >= 128, which the standard requires receivers to silently ignore) skipped that check entirely. An unauthenticated L2 peer on the FCoE control VLAN could hang fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely by emitting one FIP CVL frame whose single descriptor had fip_dtype == FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes per iteration and the loop condition rlen >= sizeof(*desc) stayed true forever, blocking every subsequent FIP frame on that controller. Tighten the outer dlen guard to also reject dlen < sizeof(struct fip_desc), so a malformed descriptor whose length cannot even cover the descriptor header is rejected before the switch. This is the same lower-bound the named cases already apply and is the minimum scope that closes the loop. Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Reviewed-by: Hannes Reinecke Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen

scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32

2026-05-23T01:54:47+00:00

An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in the generic FC transport. This is not a local userspace or IP network path; the attacker must be able to inject fabric traffic, for example as a compromised switch or fabric controller, or as a same-zone N_Port on a fabric that permits source spoofing. The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop counter against the 32-bit on-wire pname_count field, and did not bound pname_count by the descriptor body already validated by the TLV walker. A pname_count of 256 therefore wraps the counter and keeps the loop condition true indefinitely. Factor the shared pname_list[] walk into one helper, widen the counter to u32, and clamp pname_count against the entries that fit in the descriptor body before iterating. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Reviewed-by: Christoph Hellwig Reviewed-by: John Garry Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen

scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()

2026-05-23T01:29:35+00:00

A "\n" at the end of the sdev_printk() string appears to have been inadvertently removed. Add it back for correct log message formatting. Fixes: a743b120227a ("scsi: scsi_debug: Stop printing extra function name in debug logs") Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Ewan D. Milne Reviewed-by: Bart Van Assche Reviewed-by: John Garry Link: https://patch.msgid.link/20260519205356.1040855-1-emilne@redhat.com Signed-off-by: Martin K. Petersen

scsi: megaraid_sas: Fix NULL pointer dereference on firmware duplicate completion

2026-05-23T01:25:53+00:00

Add NULL check for scmd_local in the MPI2_FUNCTION_SCSI_IO_REQUEST case to handle firmware duplicate/stale completions. When firmware sends a duplicate completion for a command that was already processed and returned to the pool, the driver accesses NULL scmd pointer causing a crash. Timeline of the bug: 1. Command completes normally, megasas_return_cmd_fusion() called 2. This sets cmd->scmd = NULL and clears io_request with memset(..., 0, ...) 3. Firmware sends duplicate/stale completion for same SMID (firmware bug) 4. Driver processes reply descriptor again 5. Cleared io_request has Function = 0 (MPI2_FUNCTION_SCSI_IO_REQUEST) 6. Switch statement matches SCSI_IO_REQUEST case by accident 7. Accesses megasas_priv(NULL scmd)->status -> crash at offset 0x228 The offset 0x228 = sizeof(struct scsi_cmnd) 0x220 + offsetof(status) 0x8. This issue was observed on PERC H330 Mini running firmware 25.5.9.0001 after 3+ days of heavy I/O load. Crash signature: BUG: unable to handle kernel NULL pointer dereference at 0x228 RIP: complete_cmd_fusion+0x428 Function: megasas_priv(cmd_fusion->scmd)->status Add defensive check to skip processing when scmd_local is NULL. This handles duplicate completions from firmware and prevents accessing freed command structures. The check protects all scmd_local uses in both the SCSI_IO path and the fallthrough LDIO path. Signed-off-by: Milan P. Gandhi Link: https://patch.msgid.link/agWAgtk6rtHqNWb5@machine1 Signed-off-by: Martin K. Petersen

scsi: devinfo: Add BLIST_NO_RSOC for Promise VTrak E310f

2026-05-23T01:22:27+00:00

The extremely slow boots reported July 2014 in bug 79901: https://bugzilla.kernel.org/show_bug.cgi?id=79901 for Promise VTrak E610f 3U 16-bay FC RAID enclosure occur also with the Promise VTrak E310f 2U 12-bay FC RAID enclosure. The 2014 patch: https://bugzilla.kernel.org/attachment.cgi?id=144101&action=diff added support for the BLIST_NO_RSOC flag and specified that flag for the Promise VTrak E610f. This current patch simply adds the E310f to that same list. One curiosity is the additional BLIST_SPARSELUN flag. This was also in the 2014 patch for the E610f, and was already in place for *all* Promise devices since 2007 due to commit e0b2e597d5dd ("[SCSI] stex: fix id mapping issue") which added the line: {"Promise", "", NULL, BLIST_SPARSELUN} The 2007 commit message talks of issues with SuperTrak EX (stex) but the added line did not limit itself to that particular device family. The current patch for E310F, like the 2014 patch for E610f, adds BLIST_NO_RSOC while preserving BLIST_SPARSELUN from 2007. Signed-off-by: Alexander Perlis Suggested-by: Nikkos Svoboda Link: https://patch.msgid.link/20260512231254.27530-1-aperlis@math.lsu.edu Signed-off-by: Martin K. Petersen

scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues

2026-05-23T01:09:23+00:00

While a SCSI host is in a recovery state, scsi_mq_requeue_cmd() will not set the requeue list for a requeued command to be kicked in the future. The expectation is a call to scsi_run_host_queues() will kick all SCSI devices once the recovery state is cleared. However, scsi_run_host_queues() uses shost_for_each_device() which uses scsi_device_get() and so will ignore devices in a partially removed state like SDEV_CANCEL. But these devices may also have requeued requests, leaving their requests stuck from not being kicked and causing the removal process of the device to hang. scsi_run_host_queues() needs to run against more devices than the macro shost_for_each_device() allows. Instead of using the too limiting scsi_device_get() state checks, only ignore devices in SDEV_DEL state or when unable to acquire a reference. Attempt to run the queues for all other devices when scsi_run_host_queues() is called. Fixes: 8b566edbdbfb ("scsi: core: Only kick the requeue list if necessary") Signed-off-by: David Jeffery Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260515180941.9698-1-djeffery@redhat.com Signed-off-by: Martin K. Petersen

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

2026-05-22T23:08:06+00:00

Pull SCSI fixes from James Bottomley: "Small fixes, two in drivers and the remaining a sign conversion probem in sd with no user visible consequences (non-zero is error)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: target: tcm_loop: Fix NULL ptr dereference scsi: isci: Fix use-after-free in device removal path scsi: sd: Fix return code handling in sd_spinup_disk()

scsi: isci: Fix use-after-free in device removal path

2026-05-15T02:14:13+00:00

The ISCI completion tasklet is initialized in isci_host_alloc() (drivers/scsi/isci/init.c:496) and scheduled from both MSI-X and legacy interrupt handlers (drivers/scsi/isci/host.c:223,613). isci_host_deinit() stops the controller and waits for stop completion, but it never kills completion_tasklet before teardown continues. A top-of-function tasklet_kill() is not sufficient here: interrupts are only disabled when isci_host_stop_complete() runs, so until wait_for_stop() returns the IRQ handlers can still requeue the tasklet. The tasklet callback also re-enables interrupts after draining completions, so killing the tasklet before the source is quiesced leaves the same race open. Once wait_for_stop() returns, no further IRQ-driven scheduling can occur. Kill completion_tasklet there so teardown cannot race a queued tasklet running on a dead ihost. On remove or unload, the stale callback can otherwise dereference ihost and touch ihost->smu_registers after the host lifetime ends. A UML + KASAN analogue reproduced the failure class both with no tasklet_kill() and with tasklet_kill() placed before source quiesce, and stayed clean once the kill happened after quiescing the scheduling source. This mirrors commit f6ab594672d4 ("scsi: aic94xx: fix use-after-free in device removal path"), but ISCI needs the kill after wait_for_stop(). Fixes: 6f231dda6808 ("isci: Intel(R) C600 Series Chipset Storage Control Unit Driver") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito Link: https://patch.msgid.link/20260419210420.2134639-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen

scsi: sd: Fix return code handling in sd_spinup_disk()

2026-05-15T02:02:52+00:00

As found by smatch-ci, scsi_execute_cmd() can return negative or positve values so we should use a int instead of unsigned int. Fixes: b4d0c33a32c3 ("scsi: sd: Fix sshdr use in sd_spinup_disk") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-scsi/agFbI7E6JQwd3wGW@stanley.mountain/T/#u Signed-off-by: Mike Christie Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260511175317.114007-1-michael.christie@oracle.com Signed-off-by: Martin K. Petersen