commit 85db7391310b1304d2dc8ae3b0b12105a9567147 Author: Alexandru Hossu Date: Thu May 21 17:11:21 2026 +0200 scsi: target: iscsi: Validate CHAP_R length before base64 decode chap_server_compute_hash() allocates client_digest as kzalloc(chap->digest_size) and then, for BASE64-encoded responses, passes chap_r directly to chap_base64_decode() without checking whether the input length could produce more than digest_size bytes of output. chap_base64_decode() writes to the destination unconditionally as long as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and the "0b" prefix stripped by extract_param(), up to 127 base64 characters can reach the decoder. 127 characters decode to 95 bytes. For SHA-256 (digest_size=32) this overflows client_digest by 63 bytes; for MD5 (digest_size=16) the overflow is 79 bytes. The length check at line 344 fires after the write has already happened. The HEX branch in the same switch statement already validates the length up front. Apply the same approach to the BASE64 branch: strip trailing base64 padding characters, then reject any input whose data length exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder. Stripping trailing '=' before the comparison handles both padded and unpadded encodings. chap_base64_decode() already returns early on '=', so the full original string is still passed to the decoder unchanged. The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1 base64 characters reach the decoder. The maximum decoded size, DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is added at the call site to document this. Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP") Cc: stable@vger.kernel.org Signed-off-by: Alexandru Hossu Reviewed-by: David Disseldorp Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com Signed-off-by: Martin K. Petersen commit bf33e01f88388c43e285492a63e539df6ffed64c Author: Michael Bommarito Date: Mon May 11 14:49:14 2026 -0400 scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf iscsi_encode_text_output() concatenates "key=value\0" records into login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check the remaining buffer capacity: *length += sprintf(output_buf, "%s=%s", er->key, er->value); *length += 1; output_buf = textbuf + *length; The 8192-byte ceiling at iscsi_target_check_login_request() bounds the *input* Login PDU payload, but a single PDU can carry up to 2048 minimal four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte "a=NotUnderstood\0" output record via iscsi_add_notunderstood_response(). 2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB heap overrun in the kmalloc-8k slab. The fix introduces a static iscsi_encode_text_record() helper that uses snprintf() with a per-call bounds check against the remaining buffer, and threads a u32 textbuf_size parameter through iscsi_encode_text_output(). Both call sites in iscsi_target_handle_csg_zero() (PHASE_SECURITY) and iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls iscsi_release_extra_responses() to drop queued records, and returns -1; both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR / ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning, so the initiator sees an explicit failed-login response rather than a silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL caller did that; the PHASE_SECURITY caller is converted to the same shape.) Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Tested-by: John Garry Reviewed-by: John Garry Signed-off-by: Martin K. Petersen commit 778c2ab142c625a8a8afa570e0f9b7873f445d99 Author: Michael Bommarito Date: Sat Apr 18 11:49:27 2026 -0400 scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Two latent bugs in the Text-phase handler, both present since the original LIO integration in commit e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1"): 1) DataDigest CRC buffer overread (4 bytes past text_in). text_in is kzalloc()'d at ALIGN(payload_length, 4). rx_size is then incremented by ISCSI_CRC_LEN to make room for the received DataDigest in the iovec, but the same (now-bumped) rx_size is passed as the buffer length to iscsit_crc_buf(): if (conn->conn_ops->DataDigest) { ... rx_size += ISCSI_CRC_LEN; } ... if (conn->conn_ops->DataDigest) { data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL); iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so when DataDigest is negotiated it reads 4 bytes past the end of the text_in allocation. KASAN reproduces this directly on the unpatched mainline tree as slab-out-of-bounds in crc32c() called from the Text PDU path. The OOB bytes feed crc32c() and are then compared against the initiator-supplied checksum, so the value does not flow back to the attacker, but the kernel does read past the buffer on every Text PDU with DataDigest=CRC32C. Fix by passing the actual padded payload length (ALIGN(payload_length, 4)) that was used for the kzalloc(). 2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest drop. On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler silently drops the PDU and lets the initiator plug the CmdSN gap: kfree(text_in); return 0; cmd->text_in_ptr still points at the freed buffer. The next Text Request on the same ITT re-enters iscsit_setup_text_cmd(), which unconditionally does kfree(cmd->text_in_ptr); cmd->text_in_ptr = NULL; freeing the same pointer a second time. Session teardown via iscsit_release_cmd() has the same shape and hits the same double-free if the connection is dropped before a second Text Request arrives. On an unmodified mainline tree the bug-1 CRC overread fires first on the initial valid Text Request and perturbs the subsequent state, so #4 was isolated by building a kernel with only the bug-1 hunk of this patch applied plus temporary printk() observability around the three relevant kfree() sites. The observability prints are not part of this patch. On that build, a three-PDU Text Request sequence after login produces two back-to-back splats: BUG: KASAN: double-free in iscsit_setup_text_cmd+0x?? BUG: KASAN: double-free in iscsit_release_cmd+0x?? showing the same pointer freed in the ERL>0 drop path and again in iscsit_setup_text_cmd() (next Text Request on the same ITT) and once more in iscsit_release_cmd() (session teardown). On distro kernels with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free becomes a remote kernel BUG(); on non-hardened kernels it corrupts the slab freelist. Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop path. With both hunks applied #4 is directly observable on the stock tree without observability printks; fixing bug-1 alone would mask #4 less, not more, so the hunks are submitted together. Both fixes are one-liners. The Text PDU state machine is unchanged and the wire protocol is unaffected. Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Tested-by: John Garry Reviewed-by: John Garry Signed-off-by: Martin K. Petersen commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 Author: Michael Bommarito Date: Mon May 18 10:43:07 2026 -0400 scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the descriptor cursor by an attacker-supplied fip_dlen without ever requiring dlen >= sizeof(struct fip_desc) in the default branch. The named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor (fip_dtype >= 128, which the standard requires receivers to silently ignore) skipped that check entirely. An unauthenticated L2 peer on the FCoE control VLAN could hang fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely by emitting one FIP CVL frame whose single descriptor had fip_dtype == FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes per iteration and the loop condition rlen >= sizeof(*desc) stayed true forever, blocking every subsequent FIP frame on that controller. Tighten the outer dlen guard to also reject dlen < sizeof(struct fip_desc), so a malformed descriptor whose length cannot even cover the descriptor header is rejected before the switch. This is the same lower-bound the named cases already apply and is the minimum scope that closes the loop. Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Reviewed-by: Hannes Reinecke Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 Author: Michael Bommarito Date: Wed May 20 09:30:15 2026 -0400 scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in the generic FC transport. This is not a local userspace or IP network path; the attacker must be able to inject fabric traffic, for example as a compromised switch or fabric controller, or as a same-zone N_Port on a fabric that permits source spoofing. The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop counter against the 32-bit on-wire pname_count field, and did not bound pname_count by the descriptor body already validated by the TLV walker. A pname_count of 256 therefore wraps the counter and keeps the loop condition true indefinitely. Factor the shared pname_list[] walk into one helper, widen the counter to u32, and clamp pname_count against the entries that fit in the descriptor body before iterating. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Reviewed-by: Christoph Hellwig Reviewed-by: John Garry Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen commit e4bb73bf3ac11b4a93634660345b9d764a4a80df Author: Ewan D. Milne Date: Tue May 19 16:53:56 2026 -0400 scsi: scsi_debug: Add missing newline in scsi_debug_device_reset() A "\n" at the end of the sdev_printk() string appears to have been inadvertently removed. Add it back for correct log message formatting. Fixes: a743b120227a ("scsi: scsi_debug: Stop printing extra function name in debug logs") Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Ewan D. Milne Reviewed-by: Bart Van Assche Reviewed-by: John Garry Link: https://patch.msgid.link/20260519205356.1040855-1-emilne@redhat.com Signed-off-by: Martin K. Petersen commit a4719ae23fb5b1b6229120c7ea4b6143a501a62e Author: Milan P. Gandhi Date: Thu May 14 13:27:54 2026 +0530 scsi: megaraid_sas: Fix NULL pointer dereference on firmware duplicate completion Add NULL check for scmd_local in the MPI2_FUNCTION_SCSI_IO_REQUEST case to handle firmware duplicate/stale completions. When firmware sends a duplicate completion for a command that was already processed and returned to the pool, the driver accesses NULL scmd pointer causing a crash. Timeline of the bug: 1. Command completes normally, megasas_return_cmd_fusion() called 2. This sets cmd->scmd = NULL and clears io_request with memset(..., 0, ...) 3. Firmware sends duplicate/stale completion for same SMID (firmware bug) 4. Driver processes reply descriptor again 5. Cleared io_request has Function = 0 (MPI2_FUNCTION_SCSI_IO_REQUEST) 6. Switch statement matches SCSI_IO_REQUEST case by accident 7. Accesses megasas_priv(NULL scmd)->status -> crash at offset 0x228 The offset 0x228 = sizeof(struct scsi_cmnd) 0x220 + offsetof(status) 0x8. This issue was observed on PERC H330 Mini running firmware 25.5.9.0001 after 3+ days of heavy I/O load. Crash signature: BUG: unable to handle kernel NULL pointer dereference at 0x228 RIP: complete_cmd_fusion+0x428 Function: megasas_priv(cmd_fusion->scmd)->status Add defensive check to skip processing when scmd_local is NULL. This handles duplicate completions from firmware and prevents accessing freed command structures. The check protects all scmd_local uses in both the SCSI_IO path and the fallthrough LDIO path. Signed-off-by: Milan P. Gandhi Link: https://patch.msgid.link/agWAgtk6rtHqNWb5@machine1 Signed-off-by: Martin K. Petersen commit adda8a44e1e43aceba058839f56fa1c599f6f99b Author: Alexander Perlis Date: Tue May 12 18:12:54 2026 -0500 scsi: devinfo: Add BLIST_NO_RSOC for Promise VTrak E310f The extremely slow boots reported July 2014 in bug 79901: https://bugzilla.kernel.org/show_bug.cgi?id=79901 for Promise VTrak E610f 3U 16-bay FC RAID enclosure occur also with the Promise VTrak E310f 2U 12-bay FC RAID enclosure. The 2014 patch: https://bugzilla.kernel.org/attachment.cgi?id=144101&action=diff added support for the BLIST_NO_RSOC flag and specified that flag for the Promise VTrak E610f. This current patch simply adds the E310f to that same list. One curiosity is the additional BLIST_SPARSELUN flag. This was also in the 2014 patch for the E610f, and was already in place for *all* Promise devices since 2007 due to commit e0b2e597d5dd ("[SCSI] stex: fix id mapping issue") which added the line: {"Promise", "", NULL, BLIST_SPARSELUN} The 2007 commit message talks of issues with SuperTrak EX (stex) but the added line did not limit itself to that particular device family. The current patch for E310F, like the 2014 patch for E610f, adds BLIST_NO_RSOC while preserving BLIST_SPARSELUN from 2007. Signed-off-by: Alexander Perlis Suggested-by: Nikkos Svoboda Link: https://patch.msgid.link/20260512231254.27530-1-aperlis@math.lsu.edu Signed-off-by: Martin K. Petersen commit 7205b58702273baf21d6ba7992e6ba15852325f7 Author: David Jeffery Date: Fri May 15 14:09:41 2026 -0400 scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues While a SCSI host is in a recovery state, scsi_mq_requeue_cmd() will not set the requeue list for a requeued command to be kicked in the future. The expectation is a call to scsi_run_host_queues() will kick all SCSI devices once the recovery state is cleared. However, scsi_run_host_queues() uses shost_for_each_device() which uses scsi_device_get() and so will ignore devices in a partially removed state like SDEV_CANCEL. But these devices may also have requeued requests, leaving their requests stuck from not being kicked and causing the removal process of the device to hang. scsi_run_host_queues() needs to run against more devices than the macro shost_for_each_device() allows. Instead of using the too limiting scsi_device_get() state checks, only ignore devices in SDEV_DEL state or when unable to acquire a reference. Attempt to run the queues for all other devices when scsi_run_host_queues() is called. Fixes: 8b566edbdbfb ("scsi: core: Only kick the requeue list if necessary") Signed-off-by: David Jeffery Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260515180941.9698-1-djeffery@redhat.com Signed-off-by: Martin K. Petersen commit 016d484531e3169cd7bcb26e0ac2c5523080809f Author: Piotr Zarycki Date: Thu Apr 23 10:13:43 2026 +0200 scsi: isci: Remove unused macro scu_get_command_request_logical_port() The macro scu_get_command_request_logical_port() has never been used since it was introduced. Signed-off-by: Piotr Zarycki Link: https://patch.msgid.link/20260423081343.1813002-1-piotr.zarycki@gmail.com Signed-off-by: Martin K. Petersen commit b71cb088b2e3427924a470fc43e7aedb8a40d2e3 Author: Guixin Liu Date: Fri Apr 24 09:39:23 2026 +0800 scsi: target: tcm_loop: Fix NULL ptr dereference The TCM_LOOP LUN creation process calls device_register() to create the device, which in turn invokes tcm_loop_driver_probe() registered with the TCM_LOOP bus to create and register the scsi_host. However, if the scsi_host memory allocation fails or scsi_add_host() fails, the device_register() process still returns success. Subsequently, when the user binds the LUN to a specific backend device, it accesses the NULL or freed scsi_host. Crash Call Trace: RIP: 0010:scsi_is_host_device+0x7/0x20 scsi_alloc_target+0x32/0x2c0 __scsi_add_device+0x41/0xf0 scsi_add_device+0xd/0x30 tcm_loop_port_link+0x25/0x50 [tcm_loop] target_fabric_port_link+0x9c/0xb0 [target_core_mod] ... This issue is fixed by: 1. Setting the tcm_loop_hba's scsi_host to NULL, if scsi_add_host() fails. 2. Checking the tcm_loop_hba's scsi_host after device_register(). 3. Checking the tcm_loop_hba's scsi_host in tcm_loop_driver_remove(). Fixes: 3703b2c5d041 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module") Signed-off-by: Guixin Liu Reviewed-by: Mike Christie Link: https://patch.msgid.link/20260424013923.25998-1-kanie@linux.alibaba.com Signed-off-by: Martin K. Petersen commit 76417038c4d61fc3d407625c0b9332942f13e142 Author: Palash Kambar Date: Thu Apr 23 15:50:23 2026 +0530 scsi: ufs: ufs-qcom: Enable Auto Hibern8 clock request support On platforms that support Auto Hibern8 (AH8), the UFS controller can autonomously de-assert clk_req signals to the Global Clock Controller when entering the Hibern8 state. This allows Global Clock Controller (GCC) to gate unused clocks, improving power efficiency. Enable the Clock Request feature by setting the UFS_HW_CLK_CTRL_EN bit in the UFS_AH8_CFG register, as recommended in the Hardware Programming Guidelines. Reviewed-by: Manivannan Sadhasivam Signed-off-by: Palash Kambar Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260423102023.3779489-3-palash.kambar@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit e72323f3b09f9c890fa93a74197bbc290d39d981 Author: Palash Kambar Date: Thu Apr 23 15:50:22 2026 +0530 scsi: ufs: core: Configure only active lanes during link The number of connected lanes detected during UFS link startup can be fewer than the lanes specified in the device tree. The current driver logic attempts to configure all lanes defined in the device tree, regardless of their actual availability. This mismatch may cause failures during power mode changes. Hence, Add a check during link startup to ensure that only the lanes actually discovered are considered valid. If a mismatch is detected, fail the initialization early, preventing the driver from entering an unsupported configuration that could cause power mode transition failures. Reviewed-by: Bart Van Assche Reviewed-by: Shawn Lin Reviewed-by: Manivannan Sadhasivam Signed-off-by: Palash Kambar Link: https://patch.msgid.link/20260423102023.3779489-2-palash.kambar@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit b52a8d52c3125ec9a93106ed816582368de34426 Author: Michael Bommarito Date: Sun Apr 19 17:04:20 2026 -0400 scsi: isci: Fix use-after-free in device removal path The ISCI completion tasklet is initialized in isci_host_alloc() (drivers/scsi/isci/init.c:496) and scheduled from both MSI-X and legacy interrupt handlers (drivers/scsi/isci/host.c:223,613). isci_host_deinit() stops the controller and waits for stop completion, but it never kills completion_tasklet before teardown continues. A top-of-function tasklet_kill() is not sufficient here: interrupts are only disabled when isci_host_stop_complete() runs, so until wait_for_stop() returns the IRQ handlers can still requeue the tasklet. The tasklet callback also re-enables interrupts after draining completions, so killing the tasklet before the source is quiesced leaves the same race open. Once wait_for_stop() returns, no further IRQ-driven scheduling can occur. Kill completion_tasklet there so teardown cannot race a queued tasklet running on a dead ihost. On remove or unload, the stale callback can otherwise dereference ihost and touch ihost->smu_registers after the host lifetime ends. A UML + KASAN analogue reproduced the failure class both with no tasklet_kill() and with tasklet_kill() placed before source quiesce, and stayed clean once the kill happened after quiescing the scheduling source. This mirrors commit f6ab594672d4 ("scsi: aic94xx: fix use-after-free in device removal path"), but ISCI needs the kill after wait_for_stop(). Fixes: 6f231dda6808 ("isci: Intel(R) C600 Series Chipset Storage Control Unit Driver") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito Link: https://patch.msgid.link/20260419210420.2134639-1-michael.bommarito@gmail.com Signed-off-by: Martin K. Petersen commit aa3b8f56ef27ed72394a752820abdec4608b731c Author: Kumar Meiyappan Date: Thu Apr 16 15:46:50 2026 +0000 scsi: pm8001: Reject non-fatal dump when controller is crashed pm80xx_get_non_fatal_dump() can be called even after the controller has entered a fatal error state. In that case the forensic memory contents are not safe to access for a non-fatal dump request, and attempting to do so can trigger a call trace. Check controller_fatal_error before reading the non-fatal dump buffer and return -EINVAL when the controller is already in a crashed state. This prevents non-fatal dump collection from running in an invalid controller state. Signed-off-by: Kumar Meiyappan Signed-off-by: Sagar Biradar Link: https://patch.msgid.link/20260416154650.415624-1-sagar.biradar@microchip.com Signed-off-by: Martin K. Petersen commit 2a8fbcfb04aa9db189bfa3842d4f586aecd0e631 Author: Kumar Meiyappan Date: Thu Apr 16 15:37:57 2026 +0000 scsi: pm8001: Reject firmware update in fatal error state pm8001_store_update_fw() allows a firmware update request even when the controller has already entered a fatal error state. Firmware update is not valid once the controller is in that state, and attempting it can lead to a call trace. Reject the request early by checking controller_fatal_error, set the firmware status to FAIL_PARAMETERS, and return -EINVAL. Signed-off-by: Kumar Meiyappan Signed-off-by: Sagar Biradar Link: https://patch.msgid.link/20260416153757.414896-1-sagar.biradar@microchip.com Signed-off-by: Martin K. Petersen commit 67b85a88265df19f049241d8c00571a5408f4eeb Author: Yihang Li Date: Sat Apr 25 16:20:56 2026 +0800 scsi: hisi_sas: Add slave_destroy interface for v3 hw WARNING is triggered when executing link reset of remote PHY and rmmod SAS driver simultaneously. Following is the WARNING log: WARNING: CPU: 61 PID: 21818 at drivers/base/core.c:1347 __device_links_no_driver+0xb4/0xc0 Call trace: __device_links_no_driver+0xb4/0xc0 device_links_driver_cleanup+0xb0/0xfc __device_release_driver+0x198/0x23c device_release_driver+0x38/0x50 bus_remove_device+0x130/0x140 device_del+0x184/0x434 __scsi_remove_device+0x118/0x150 scsi_remove_target+0x1bc/0x240 sas_rphy_remove+0x90/0x94 sas_rphy_delete+0x24/0x3c sas_destruct_devices+0x64/0xa0 [libsas] sas_revalidate_domain+0xe4/0x150 [libsas] process_one_work+0x1e0/0x46c worker_thread+0x15c/0x464 kthread+0x160/0x170 ret_from_fork+0x10/0x20 ---[ end trace 71e059eb58f85d4a ]--- During SAS phy up, link->status is set to DL_STATE_AVAILABLE in device_links_driver_bound, then this setting influences __device_links_no_driver() before driver rmmod and caused WARNING. Add the slave_destroy interface to make sure link is removed after flush workque. Fixes: 16fd4a7c5917 ("scsi: hisi_sas: Add device link between SCSI devices and hisi_hba") Signed-off-by: Yihang Li Link: https://patch.msgid.link/20260425082056.2749910-1-liyihang9@huawei.com Signed-off-by: Martin K. Petersen commit 2cc8a6cf8a801065b68550d5af33f62999ce15f0 Author: Uwe Kleine-König (The Capable Hub) Date: Mon Apr 27 19:45:46 2026 +0200 scsi: mvsas: Don't emit __LINE__ in debug messages __LINE__ changes quite easily for cleanup commits. So when checking if a cleanup patch introduces changes to the resulting binary each usage of __LINE__ is source of annoyance. So instead of __FILE__ and __LINE__ emit __func__ to give at least some more indication about where the messages originates from than __FILE__ alone; with that and the actual message the situation should be clear enough. While at it reduce duplication by implementing mv_dprintk() using mv_printk(). Signed-off-by: Uwe Kleine-König (The Capable Hub) Link: https://patch.msgid.link/20260427174545.2014499-2-u.kleine-koenig@baylibre.com Signed-off-by: Martin K. Petersen commit 6ea68a8dc7d2711504d944811981a5304af7d7a9 Author: Mike Christie Date: Mon May 11 12:53:17 2026 -0500 scsi: sd: Fix return code handling in sd_spinup_disk() As found by smatch-ci, scsi_execute_cmd() can return negative or positve values so we should use a int instead of unsigned int. Fixes: b4d0c33a32c3 ("scsi: sd: Fix sshdr use in sd_spinup_disk") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-scsi/agFbI7E6JQwd3wGW@stanley.mountain/T/#u Signed-off-by: Mike Christie Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260511175317.114007-1-michael.christie@oracle.com Signed-off-by: Martin K. Petersen commit 250ba648f42d571e08e0bd95fa32953e7577001d Author: Wang Yan Date: Mon May 11 17:30:30 2026 +0800 scsi: libiscsi: Fix spelling and format errors Fix two issues in libiscsi.c: - Correct typo "numer" to "number" in iscsi_session_setup() comment - Fix format string "seconds\n." to "seconds.\n" in recv timeout warning Signed-off-by: Wang Yan Reviewed-by: Mike Christie Reviewed-by: Chris Leech Link: https://patch.msgid.link/20260511093030.63542-1-wangyan01@kylinos.cn Signed-off-by: Martin K. Petersen commit 53f5cce2efc7af85a15ca224c660c397332f19e1 Author: Wang Zihan Date: Sat May 2 14:07:03 2026 +0800 scsi: st: Fix typo in documentation Correct "form" to "from" in drive buffers description. Signed-off-by: Wang Zihan Link: https://patch.msgid.link/tencent_818C822F215676B9B14011B88848609BD309@qq.com Signed-off-by: Martin K. Petersen commit 1039939c52f27667c819537ce5ca231805ca40b8 Author: Marco Crivellari Date: Thu May 7 16:34:10 2026 +0200 scsi: scsi_transport_srp: Move long delayed work to system_dfl_long_wq Currently the code enqueue work items using {queue|mod}_delayed_work(), using system_long_wq. This workqueue should be used when long works are expected and it is a per-cpu workqueue. The function(s) end up calling __queue_delayed_work(), which set a global timer that could fire anywhere, enqueuing the work where the timer fired. Unbound works could benefit from scheduler task placement, to optimize performance and power consumption. Long work shouldn't stick to a single CPU. Recently, a new unbound workqueue specific for long running work has been added:     c116737e972e ("workqueue: Add system_dfl_long_wq for long unbound works") Since the workqueue work doesn't rely on per-cpu variables, there is no obvious reason that justify the use of a per-cpu workqueue. So change system_long_wq with system_dfl_long_wq so that the work may benefit from scheduler task placement. Signed-off-by: Marco Crivellari Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260507143410.337267-1-marco.crivellari@suse.com Signed-off-by: Martin K. Petersen commit 73322071418ec3ad5e4d9cdf783890d7f2ae9777 Author: Md Shofiqul Islam Date: Wed May 6 03:49:48 2026 +0300 scsi: storvsc: Replace symbolic permissions with octal Symbolic permissions like S_IRUGO and S_IWUSR are not preferred by checkpatch. Replace with their octal equivalents: - S_IRUGO|S_IWUSR -> 0644 - S_IRUGO -> 0444 Signed-off-by: Md Shofiqul Islam Reviewed-by: Long Li Link: https://patch.msgid.link/20260506004948.2172-1-shofiqtest@gmail.com Signed-off-by: Martin K. Petersen commit 036218473a8467493860df84602a7825b71385af Author: Md Shofiqul Islam Date: Wed May 6 12:45:04 2026 +0300 scsi: core: scsi_scan: Fix typo in comment Fix spelling mistake in comment: - initialze -> initialize Signed-off-by: Md Shofiqul Islam Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260506094504.2235-1-shofiqtest@gmail.com Signed-off-by: Martin K. Petersen commit 8ef4c72dbbfda41b8f83a9b5a275feaf4a30ea21 Author: Uwe Kleine-König (The Capable Hub) Date: Tue May 5 10:28:53 2026 +0200 scsi: ufs: ufshcd-pci: Use PCI_VDEVICE and named initializers for pci array The pci_device_id array uses a mixture of ways to initialize ufshcd_pci_tbl[]. List initializers are hard to read unless you memoized the order of the struct members. Use the PCI_VDEVICE for all entries and a named initializer for .driver_data. This allows to idiomatically assign the members without using zeros to fill the fields before .driver_data (either explicitly or hidding in PCI_VDEVICE()). There are no changes to the compiled result of the array; verified with builds for x86 and arm64. Signed-off-by: Uwe Kleine-König (The Capable Hub) Reviewed-by: Adrian Hunter Link: https://patch.msgid.link/6cac1c22381f7026edad9854d70833381d14929a.1777968942.git.u.kleine-koenig@baylibre.com Signed-off-by: Martin K. Petersen commit 2a18c57560f454e2e63373ecf00e4a6fb0265600 Author: Uwe Kleine-König (The Capable Hub) Date: Tue May 5 10:28:52 2026 +0200 scsi: ufs: tc-dwc-g210-pci: Simplify initialization of pci_device_id array A list initializer is hard to parse for a human if they don't see or know the order of the members of struct pci_device_id. So use the PCI_VDEVICE macro which is much more idiomatic and skip assigning explicit zeros. There are no changes to the compiled result of the array; verified with builds for x86 and arm64. Signed-off-by: Uwe Kleine-König (The Capable Hub) Link: https://patch.msgid.link/ff015bf46ad395702f40c85c8359fd24957e7224.1777968942.git.u.kleine-koenig@baylibre.com Signed-off-by: Martin K. Petersen commit 195254adeddc30c5a892a1cc9528a6ed5e841224 Author: Evgenii Burenchev Date: Wed Apr 29 12:52:12 2026 +0300 scsi: snic: vnic_dev: Remove dead store in vnic_dev_discover_res() The assignment 'len = count' for RES_TYPE_INTR_PBA_LEGACY, RES_TYPE_DEVCMD, and RES_TYPE_DEVCMD2 cases is never used. Drop the unused assignments to fix the following static analyzer warning. No functional change. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Evgenii Burenchev Acked-by: Narsimhulu Musini Link: https://patch.msgid.link/20260429095212.11251-1-evg28bur@yandex.ru Signed-off-by: Martin K. Petersen commit 949af038b6d2a41c54502179c5a8ddfb3d57dd17 Author: Can Guo Date: Fri Apr 24 08:14:20 2026 -0700 scsi: ufs: core: Add support to retrieve and store TX Equalization settings Add support for UFS v5.0 JEDEC attributes qTxEQGnSettings and wTxEQGnSettingsExt to enable persistent storage and retrieval of optimal TX Equalization settings. This provides a fast-path for TX Equalization by reusing previously stored optimal settings, avoiding TX Equalization Training (EQTR) procedures during subsequent Power Mode changes. When no valid TX Equalization settings are found, fall back to full TX EQTR procedures and optionally save the results for future use. The validity of one set of TX Equalization settings is indicated by Bit[15] in wTxEQGnSettingsExt. Signed-off-by: Can Guo Reviewed-by: Peter Wang Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260424151420.111675-3-can.guo@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit f2cb7c01f48caffb38e12481949dea4f9beb65dc Author: Can Guo Date: Fri Apr 24 08:14:19 2026 -0700 scsi: ufs: core: Introduce function ufshcd_query_attr_qword() Introduce a new generic function ufshcd_query_attr_qword() to handle quad-word (64-bit) UFS attribute operations. This consolidates the handling of 64-bit attributes which was previously scattered across multiple specialized functions. Reviewed-by: Peter Wang Signed-off-by: Can Guo Reviewed-by: Bean Huo Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260424151420.111675-2-can.guo@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit 50349bd5d0ab6d6f7e106a6cb1cdbf2bcfb75e08 Author: Sowon Na Date: Fri Apr 17 17:44:51 2026 +0530 scsi: ufs: exynos: Add support for ExynosAutov920 SoC Add a dedicated compatible and drv_data with associated hooks for ExynosAutov920 SoC. ExynosAutov920 has a different mask of UFS sharability from ExynosAutov9, so add related changes for the same. Signed-off-by: Sowon Na Signed-off-by: Alim Akhtar [Alim: fixed unintended changes, other fixes] Link: https://patch.msgid.link/20260417121452.827054-4-alim.akhtar@samsung.com Signed-off-by: Martin K. Petersen commit 45c9dee6d6531bf1d0e0dbf577fb59850e34f6d0 Author: Sowon Na Date: Fri Apr 17 17:44:50 2026 +0530 scsi: ufs: exynos: dt-bindings: Add ExynosAutov920 compatible string Add samsung,exynosautov920-ufs compatible for ExynosAutov920 SoC. Acked-by: Krzysztof Kozlowski Signed-off-by: Sowon Na Signed-off-by: Alim Akhtar Reviewed-by: Alim Akhtar Link: https://patch.msgid.link/20260417121452.827054-3-alim.akhtar@samsung.com Signed-off-by: Martin K. Petersen commit 7030e16247dc9fb044371141c513581067c8e574 Author: Deepti Jaggi Date: Mon Apr 27 09:31:15 2026 +0800 scsi: ufs: dt-bindings: Add compatible for SA8797P UFS Host Controller SA8797P is the automotive variant of the Nord SoC. Like SA8255P, its platform firmware implements an SCMI server that manages UFS resources such as the PHY, clocks, regulators and resets via the SCMI power protocol. As a result, the OS-visible DT only describes the controller's MMIO, interrupt, IOMMU and power-domain interfaces, making SA8255P the appropriate fallback compatible. Signed-off-by: Deepti Jaggi Reviewed-by: Manivannan Sadhasivam Signed-off-by: Shawn Guo Reviewed-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20260427013115.231731-3-shengchao.guo@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit c9ee94c7e2fb65a433b505d7bcf4c2b6ee81b86c Author: Shawn Guo Date: Mon Apr 27 09:31:14 2026 +0800 scsi: ufs: dt-bindings: Add compatible for Nord UFS Host Controller Document UFS Host Controller on Qualcomm Nord SoC. Like the Eliza SoC, Nord has a multi-queue command (MCQ) register range in addition to the standard one, making both reg entries required. Reviewed-by: Krzysztof Kozlowski Reviewed-by: Manivannan Sadhasivam Signed-off-by: Shawn Guo Link: https://patch.msgid.link/20260427013115.231731-2-shengchao.guo@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit 7787588db949a6caa7ca40bd6b67ecb75b68c932 Author: Sasha Levin Date: Sat Apr 25 20:03:30 2026 -0400 scsi: ncr53c8xx: Drop CONFIG_ prefix from Zalon-specific compiler defines kconfiglint reports: X001: CONFIG_NCR53C8XX_PREFETCH referenced in Makefile but not defined in any Kconfig X001: CONFIG_SCSI_NCR53C8XX_NO_WORD_TRANSFERS referenced in Makefile but not defined in any Kconfig The ncr53c8xx SCSI driver uses two preprocessor defines that carry the CONFIG_ prefix but are not defined in any Kconfig file: -DCONFIG_NCR53C8XX_PREFETCH -DCONFIG_SCSI_NCR53C8XX_NO_WORD_TRANSFERS These are hardcoded compiler flags in drivers/scsi/Makefile, passed only when CONFIG_SCSI_ZALON is enabled: ncr53c8xx-flags-$(CONFIG_SCSI_ZALON) \ := -DCONFIG_NCR53C8XX_PREFETCH -DSCSI_NCR_BIG_ENDIAN \ -DCONFIG_SCSI_NCR53C8XX_NO_WORD_TRANSFERS The source files ncr53c8xx.c and ncr53c8xx.h check these defines with #ifdef to enable script prefetching and disable 16-bit word transfers respectively — both specific to the PA-RISC Zalon SCSI controller's big-endian bus requirements. These defines have been present since the initial git import in commit 1da177e4c3f4 ("Linux-2.6.12-rc2"). They predate the modern Kconfig convention that CONFIG_ prefixed symbols should always originate from Kconfig. The third define on the same line, SCSI_NCR_BIG_ENDIAN, already correctly omits the CONFIG_ prefix. The CONFIG_ prefix is misleading: these are not user-configurable options and do not appear in any Kconfig menu. They are unconditionally enabled for all Zalon builds. Remove the CONFIG_ prefix from both symbols — renaming them to NCR53C8XX_PREFETCH and SCSI_NCR53C8XX_NO_WORD_TRANSFERS — to match the convention used by SCSI_NCR_BIG_ENDIAN on the same line and to avoid confusion with actual Kconfig-managed symbols. No functional change. Assisted-by: Claude:claude-opus-4-6 kconfiglint Signed-off-by: Sasha Levin Link: https://patch.msgid.link/20260426000330.56137-1-sashal@kernel.org Signed-off-by: Martin K. Petersen commit c7233b3d99db9760daf07c4e95daa9675c6c0cba Author: Arnd Bergmann Date: Wed Apr 29 17:15:37 2026 +0200 scsi: advansys: Drop ISA_DMA_API remnants Support for ISA bus mastering was removed a few years ago, and the VLB mode does not use the ISA DMA API, so drop the dependency and the header inclusion. Fixes: 9b4c8eaa68d0 ("advansys: remove ISA support") Signed-off-by: Arnd Bergmann Reviewed-by: Johannes Thumshirn Link: https://patch.msgid.link/20260429151623.3899875-1-arnd@kernel.org Signed-off-by: Martin K. Petersen commit 0bdf7d7ee75da076eabcfa9b5fadd0ed0524df43 Author: Krzysztof Kozlowski Date: Mon Apr 27 09:00:49 2026 +0200 scsi: ufs: qcom: Unify user-visible "Qualcomm" name Various names for Qualcomm as a company are used in user-visible config options: QCOM, Qualcomm and Qualcomm Technologies. Switch to unified "Qualcomm" so it will be easier for users to identify the options when for example running menuconfig. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260427070048.18017-2-krzysztof.kozlowski@oss.qualcomm.com Signed-off-by: Martin K. Petersen commit 2f3835771dff512750205aa5f5f61aec0f2b8cb7 Author: Carlos Bilbao Date: Tue Apr 14 21:07:28 2026 -0700 scsi: target: iscsi: reject invalid size Extended CDB AHS If ecdb_ahdr->ahslength is zero, two bugs follow: kmalloc(be16_to_cpu(ecdb_ahdr->ahslength) + 15, ...) allocates 15 bytes, but the immediately following memcpy writes ISCSI_CDB_SIZE (16) bytes into it, a one-byte heap overflow. Also: memcpy(cdb + ISCSI_CDB_SIZE, ecdb_ahdr->ecdb, be16_to_cpu(ecdb_ahdr->ahslength) - 1); (u16)0 - 1 promotes to (int)-1 which converts to SIZE_MAX as size_t, causing a massive out-of-bounds write. Reject ahslength == 0 with ISCSI_REASON_PROTOCOL_ERROR before the kmalloc. Also reject ahslength values that exceed the actual AHS buffer advertised. Fixes: 8f1f7d297bce ("scsi: target: iscsi: Add support for extended CDB AHS") Signed-off-by: Carlos Bilbao Reviewed-by: Dmitry Bogdanov Link: https://patch.msgid.link/20260415040728.187680-1-carlos.bilbao@kernel.org Signed-off-by: Martin K. Petersen commit b06cf63d83d3b3744d3aefdd2f3ced25e99d7ec1 Author: Wang Shuaiwei Date: Tue Apr 14 11:37:18 2026 +0800 scsi: ufs: core: Fix bRefClkFreq write failure in HS-LSS mode According to the UFS spec, the bRefClkFreq attribute can only be written when both sub-links are in LS-MODE. However, in HS LSS mode with resetmode = HS_MODE, if the UFS device's default bRefClkFreq value differs from the host controller's dev_ref_clk_freq setting, the write operation will fail. To fix this issue, introduce ufshcd_get_op_mode() function to detect the current link operational mode. Call ufshcd_set_dev_ref_clk() only when both sub-links are in LS-MODE to ensure the attribute can be written successfully. Signed-off-by: Wang Shuaiwei Link: https://patch.msgid.link/20260414033718.1459540-1-wangshuaiwei1@xiaomi.com Reviewed-by: Peter Wang Signed-off-by: Martin K. Petersen commit 47e66bec3edaebd7c52d8ee981065a4c83b3072f Author: Yihang Li Date: Mon Apr 20 10:10:44 2026 +0800 scsi: hisi_sas: Fix sparse warnings in prep_ata_v3_hw() In prep_ata_v3_hw(), add cpu_to_le32() to fix warning: drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:1448:26: sparse: sparse: invalid assignment: |= drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:1448:26: sparse: left side has type restricted __le32 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c:1448:26: sparse: right side has type unsigned int Fixes: 8aa580cd9284 ("scsi: hisi_sas: Enable force phy when SATA disk directly connected") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202604191850.IVYPTaML-lkp@intel.com/ Signed-off-by: Yihang Li Link: https://patch.msgid.link/20260420021044.3339459-1-liyihang9@huawei.com Signed-off-by: Martin K. Petersen commit 1dc39ed655750d6c679d3ada4adf4a937f2a63fc Author: Hugo Villeneuve Date: Fri Apr 17 16:07:31 2026 -0400 scsi: pmcraid: Fix typo in comments Fix typo in structure comment. Signed-off-by: Hugo Villeneuve Link: https://patch.msgid.link/20260417200738.3920001-1-hugo@hugovil.com Signed-off-by: Martin K. Petersen commit 68c3a65a5a8e85643745fdde02cb63904e165620 Author: Brian Bunker Date: Thu Apr 16 09:55:12 2026 -0700 scsi: scsi_dh_alua: Increase default ALUA timeout to maximum spec value The ALUA handler maps a 0 value (no implicit transition timeout provided by the target) to the ALUA_FAILOVER_TIMEOUT constant, currently 60 seconds. This means the kernel already does not accept an infinite transition time. However, 60 seconds is insufficient for some arrays that may take longer to complete ALUA transitions. Since the highest value allowed by the SCSI specification for the implicit transition timeout is a single byte (255 seconds), change the default to 255. This way, when a target does not provide an explicit transition timeout, we default to the maximum value the spec allows rather than an arbitrary 60 second limit. Co-developed-by: Krishna Kant Signed-off-by: Krishna Kant Co-developed-by: Riya Savla Signed-off-by: Riya Savla Signed-off-by: Brian Bunker Reviewed-by: Hannes Reinecke Link: https://patch.msgid.link/20260416165512.26497-2-brian@purestorage.com Signed-off-by: Martin K. Petersen commit d65efdf467ff935e35dfe6aa9a7ab93f17ac07ee Author: Tomas Henzl Date: Tue Apr 14 14:41:18 2026 +0200 scsi: smartpqi: Silence a recursive lock warning On systems with multiple controllers debug kernel shows WARNING: possible recursive locking detected during shutdown. Each controller does have its own ctrl_info (and mutex) and that isn't correctly recognized by debug kernel. Suppress the warning by releasing the mutex at the end of pqi_shutdown(). Signed-off-by: Tomas Henzl Acked-by: Don Brace Link: https://patch.msgid.link/20260414124118.23661-1-thenzl@redhat.com Signed-off-by: Martin K. Petersen commit 04631f55afc543d5431a2bdee7f6cc0f2c0debe7 Author: Ranjan Kumar Date: Tue Apr 14 16:38:11 2026 +0530 scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops. Cc: stable@vger.kernel.org Fixes: 9b8b84879d4a ("block: Increase BLK_DEF_MAX_SECTORS_CAP") Reported-by: Mira Limbeck Closes: https://lore.kernel.org/r/291f78bf-4b4a-40dd-867d-053b36c564b3@proxmox.com Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b8b84879d4a Suggested-by: Keith Busch Signed-off-by: Ranjan Kumar Tested-by: Mira Limbeck Link: https://patch.msgid.link/20260414110811.85156-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen commit 7b03c93d2beb91c6abae322a1f25447b5b3bb9e6 Author: Christoph Hellwig Date: Wed Apr 15 08:08:06 2026 +0200 scsi: sg: Don't use GFP_ATOMIC in sg_start_req() sg_start_req() is called from normal user context and can sleep when waiting for memory. Switch it to use GFP_KERNEL, which fixes allocation failures seen with the bio_alloc rework. Fixes: b520c4eef83d ("block: split bio_alloc_bioset more clearly into a fast and slowpath") Reported-by: Shin'ichiro Kawasaki Signed-off-by: Christoph Hellwig Tested-by: Shin'ichiro Kawasaki Reviewed-by: John Garry Reviewed-by: Hannes Reinecke Reviewed-by: Bart Van Assche Link: https://patch.msgid.link/20260415060813.807659-2-hch@lst.de Signed-off-by: Martin K. Petersen commit 772a896a56e0e3ef9424a025cec9176f9d8f4552 Author: Greg Kroah-Hartman Date: Sat Apr 11 14:06:00 2026 +0200 scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered. Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here. Cc: Martin K. Petersen Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6") Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman Link: https://patch.msgid.link/2026041159-garter-theft-3be0@gregkh Signed-off-by: Martin K. Petersen