From e65a1de700559cf747b9696cf5dbd36370d86255 Mon Sep 17 00:00:00 2001
From: Olaf Hering <ohering@suse.de>
Date: Jun 02 2025 12:31:00 +0000
Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes).
---
diff --git a/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch b/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
new file mode 100644
index 0000000..27059d4
--- /dev/null
+++ b/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
@@ -0,0 +1,44 @@
+From: Long Li <longli@microsoft.com>
+Date: Wed, 22 Jan 2025 19:07:22 -0800
+Patch-mainline: v6.14-rc2
+Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload
+Git-commit: 87c4b5e8a6b65189abd9ea5010ab308941f964a4
+References: git-fixes
+
+In StorVSC, payload->range.len is used to indicate if this SCSI command
+carries payload. This data is allocated as part of the private driver data
+by the upper layer and may get passed to lower driver uninitialized.
+
+For example, the SCSI error handling mid layer may send TEST_UNIT_READY or
+REQUEST_SENSE while reusing the buffer from a failed command. The private
+data section may have stale data from the previous command.
+
+If the SCSI command doesn't carry payload, the driver may use this value as
+is for communicating with host, resulting in possible corruption.
+
+Fix this by always initializing this value.
+
+Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
+Cc: stable@kernel.org
+Tested-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Olaf Hering <ohering@suse.de>
+---
+ drivers/scsi/storvsc_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1800,6 +1800,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
++ payload->range.len = 0;
+ payload_sz = 0;
+
+ if (scsi_sg_count(scmnd)) {
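Review bot: The added `payload->range.len = 0;` in storvsc_queuecommand carries no comment, so the reason it sits next to `payload_sz = 0;` is recorded only in the commit message: the per-command private data can be reused (for example by the SCSI error handler for TEST_UNIT_READY or REQUEST_SENSE) and may still hold the previous command's length. I would add `/* private data may be reused; clear stale len so a no-payload command is not sent to the host with an old range */` above the assignment. Only `len` is reset, while `range.offset` and the PFN entries in the same buffer keep their old contents; that is presumably harmless if the send path decides on `len` alone, but that code is outside this hunk and worth confirming. The function body starts and ends outside the hunk.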
diff --git a/series.conf b/series.conf
index 5bdf272..c626d57 100644
--- a/series.conf
+++ b/series.conf
@@ -24029,6 +24029,7 @@
 patches.suse/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch
 patches.suse/x86-xen-fix-xen_hypercall_hvm-to-not-clobber-rbx.patch
 patches.suse/x86-xen-add-FRAME_END-to-xen_hypercall_hvm.patch
+ patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
 patches.suse/vrf-use-RCU-protection-in-l3mdev_l3_out.patch
 patches.suse/idpf-call-set_real_num_queues-in-idpf_open.patch
 patches.suse/0001-drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_s.patch