From: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Date: Sat, 3 Aug 2019 09:59:47 -0400
Subject: [PATCH] scsi: mpt3sas: memset request frame before reusing
References: bsc#1156632,jsc#SLE-10717
Git-commit: e224e03b0c6a2381ed1ea5325c846582d87d6fae
Patch-mainline: v5.4-rc1

Driver gets a request frame from the free pool of DMA-able request frames
and fill in the required information and pass the address of the frame to
IOC/FW to pull the complete request frame. In certain places the driver
used the request frame allocated from the free pool without completely
clearing the previous data stored in it. The request contents were cleared
only for the size of the new request to be issued and that left out some
stale data in the unused part of the request. Though the IOC/FW is not
expected to access the request beyond the specified size, it is good
practice to clear complete request message frame.

So reinitialize the complete request message frame with 0s before using
it.

Signed-off-by: Suganath Prabu <suganath-prabu.subramani@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 2 ++
 drivers/scsi/mpt3sas/mpt3sas_ctl.c  | 1 +
 2 files changed, 3 insertions(+)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index 050c0f029ef9..ba83f5999050 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -5037,6 +5037,7 @@ _base_allocate_memory_pools(struct MPT3SAS_ADAPTER *ioc)
 		_base_release_memory_pools(ioc);
 		goto retry_allocation;
 	}
+	memset(ioc->request, 0, sz);
 
 	if (retry_sz)
 		ioc_err(ioc, "request pool: dma_alloc_coherent succeed: hba_depth(%d), chains_per_io(%d), frame_sz(%d), total(%d kb)\n",
@@ -5868,6 +5869,7 @@ mpt3sas_base_scsi_enclosure_processor(struct MPT3SAS_ADAPTER *ioc,
 	ioc->base_cmds.status = MPT3_CMD_PENDING;
 	request = mpt3sas_base_get_msg_frame(ioc, smid);
 	ioc->base_cmds.smid = smid;
+	memset(request, 0, ioc->request_sz);
 	memcpy(request, mpi_request, sizeof(Mpi2SepReply_t));
 	init_completion(&ioc->base_cmds.done);
 	ioc->put_smid_default(ioc, smid);
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index a4676a8ec3fd..663070c05341 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -707,6 +707,7 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPTER *ioc, struct mpt3_ioctl_command karg,
 	ioc->ctl_cmds.status = MPT3_CMD_PENDING;
 	memset(ioc->ctl_cmds.reply, 0, ioc->reply_sz);
 	request = mpt3sas_base_get_msg_frame(ioc, smid);
+	memset(request, 0, ioc->request_sz);
 	memcpy(request, mpi_request, karg.data_sge_offset*4);
 	ioc->ctl_cmds.smid = smid;
 	data_out_sz = karg.data_out_size;
-- 
2.16.4