From e65a1de700559cf747b9696cf5dbd36370d86255 Mon Sep 17 00:00:00 2001
From: Olaf Hering <ohering@suse.de>
Date: Jun 02 2025 12:31:00 +0000
Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes).


---

diff --git a/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch b/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
new file mode 100644
index 0000000..27059d4
--- /dev/null
+++ b/patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
@@ -0,0 +1,44 @@
+From: Long Li <longli@microsoft.com>
+Date: Wed, 22 Jan 2025 19:07:22 -0800
+Patch-mainline: v6.14-rc2
+Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload
+Git-commit: 87c4b5e8a6b65189abd9ea5010ab308941f964a4
+References: git-fixes
+
+In StorVSC, payload->range.len is used to indicate if this SCSI command
+carries payload. This data is allocated as part of the private driver data
+by the upper layer and may get passed to lower driver uninitialized.
+
+For example, the SCSI error handling mid layer may send TEST_UNIT_READY or
+REQUEST_SENSE while reusing the buffer from a failed command. The private
+data section may have stale data from the previous command.
+
+If the SCSI command doesn't carry payload, the driver may use this value as
+is for communicating with host, resulting in possible corruption.
+
+Fix this by always initializing this value.
+
+Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
+Cc: stable@kernel.org
+Tested-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Olaf Hering <ohering@suse.de>
+---
+ drivers/scsi/storvsc_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1800,6 +1800,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+ 
+ 	length = scsi_bufflen(scmnd);
+ 	payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
++	payload->range.len = 0;
+ 	payload_sz = 0;
+ 
+ 	if (scsi_sg_count(scmnd)) {
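Review bot: The added `payload->range.len = 0;` in storvsc_queuecommand has no comment, so the reason for it (the SCSI error-handling path can reuse a failed command's private data, leaving a stale length that the driver then sends to the host) is recorded only in the commit message. I would put a short comment above the assignment, for example `/* private data may be reused with a stale range.len; a command without payload must send len == 0 to the host */`. Only `range.len` is reset here. Whether `range.offset` or other fields of `cmd_request->mpb` can also reach the host stale for a no-payload command cannot be told from this hunk, and is worth confirming because the value crosses the guest-to-host boundary. The function body starts and ends outside the hunk.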
diff --git a/series.conf b/series.conf
index 5bdf272..c626d57 100644
--- a/series.conf
+++ b/series.conf
@@ -24029,6 +24029,7 @@
 	patches.suse/btrfs-fix-use-after-free-when-attempting-to-join-an-.patch
 	patches.suse/x86-xen-fix-xen_hypercall_hvm-to-not-clobber-rbx.patch
 	patches.suse/x86-xen-add-FRAME_END-to-xen_hypercall_hvm.patch
+	patches.suse/msft-hv-3159-scsi-storvsc-Set-correct-data-length-for-sending-SCS.patch
 	patches.suse/vrf-use-RCU-protection-in-l3mdev_l3_out.patch
 	patches.suse/idpf-call-set_real_num_queues-in-idpf_open.patch
 	patches.suse/0001-drm-amdgpu-avoid-buffer-overflow-attach-in-smu_sys_s.patch