[thirdparty/kernel/stable-queue.git] / releases / 4.4.177 / scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch

From 3722e6a52174d7c3a00e6f5efd006ca093f346c1 Mon Sep 17 00:00:00 2001
From: Felipe Franciosi <felipe@nutanix.com>
Date: Wed, 27 Feb 2019 16:10:34 +0000
Subject: scsi: virtio_scsi: don't send sc payload with tmfs

From: Felipe Franciosi <felipe@nutanix.com>

commit 3722e6a52174d7c3a00e6f5efd006ca093f346c1 upstream.

The virtio scsi spec defines struct virtio_scsi_ctrl_tmf as a set of
device-readable records and a single device-writable response entry:

    struct virtio_scsi_ctrl_tmf
    {
        // Device-readable part
        le32 type;
        le32 subtype;
        u8 lun[8];
        le64 id;
        // Device-writable part
        u8 response;
    }

The above should be organised as two descriptor entries (or potentially
more if using VIRTIO_F_ANY_LAYOUT), but without any extra data after "le64
id" or after "u8 response".

The Linux driver doesn't respect that, with virtscsi_abort() and
virtscsi_device_reset() setting cmd->sc before calling virtscsi_tmf().  It
results in the original scsi command payload (or writable buffers) added to
the tmf.

This fixes the problem by leaving cmd->sc zeroed out, which makes
virtscsi_kick_cmd() add the tmf to the control vq without any payload.

Cc: stable@vger.kernel.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/virtio_scsi.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -692,7 +692,6 @@ static int virtscsi_device_reset(struct
 		return FAILED;
 
 	memset(cmd, 0, sizeof(*cmd));
-	cmd->sc = sc;
 	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
 		.type = VIRTIO_SCSI_T_TMF,
 		.subtype = cpu_to_virtio32(vscsi->vdev,
@@ -751,7 +750,6 @@ static int virtscsi_abort(struct scsi_cm
 		return FAILED;
 
 	memset(cmd, 0, sizeof(*cmd));
-	cmd->sc = sc;
 	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
 		.type = VIRTIO_SCSI_T_TMF,
 		.subtype = VIRTIO_SCSI_T_TMF_ABORT_TASK,
Commit	Line	Data
fd02d56f GKH	1	From 3722e6a52174d7c3a00e6f5efd006ca093f346c1 Mon Sep 17 00:00:00 2001
	2	From: Felipe Franciosi <felipe@nutanix.com>
	3	Date: Wed, 27 Feb 2019 16:10:34 +0000
	4	Subject: scsi: virtio_scsi: don't send sc payload with tmfs
	5
	6	From: Felipe Franciosi <felipe@nutanix.com>
	7
	8	commit 3722e6a52174d7c3a00e6f5efd006ca093f346c1 upstream.
	9
	10	The virtio scsi spec defines struct virtio_scsi_ctrl_tmf as a set of
	11	device-readable records and a single device-writable response entry:
	12
	13	struct virtio_scsi_ctrl_tmf
	14	{
	15	// Device-readable part
	16	le32 type;
	17	le32 subtype;
	18	u8 lun[8];
	19	le64 id;
	20	// Device-writable part
	21	u8 response;
	22	}
	23
	24	The above should be organised as two descriptor entries (or potentially
	25	more if using VIRTIO_F_ANY_LAYOUT), but without any extra data after "le64
	26	id" or after "u8 response".
	27
	28	The Linux driver doesn't respect that, with virtscsi_abort() and
	29	virtscsi_device_reset() setting cmd->sc before calling virtscsi_tmf(). It
	30	results in the original scsi command payload (or writable buffers) added to
	31	the tmf.
	32
	33	This fixes the problem by leaving cmd->sc zeroed out, which makes
	34	virtscsi_kick_cmd() add the tmf to the control vq without any payload.
	35
	36	Cc: stable@vger.kernel.org
	37	Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
	38	Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
	39	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	40	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	41
	42	---
	43	drivers/scsi/virtio_scsi.c \| 2 --
	44	1 file changed, 2 deletions(-)
	45
	46	--- a/drivers/scsi/virtio_scsi.c
	47	+++ b/drivers/scsi/virtio_scsi.c
	48	@@ -692,7 +692,6 @@ static int virtscsi_device_reset(struct
	49	return FAILED;
	50
	51	memset(cmd, 0, sizeof(*cmd));
	52	- cmd->sc = sc;
	53	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
	54	.type = VIRTIO_SCSI_T_TMF,
	55	.subtype = cpu_to_virtio32(vscsi->vdev,
	56	@@ -751,7 +750,6 @@ static int virtscsi_abort(struct scsi_cm
	57	return FAILED;
	58
	59	memset(cmd, 0, sizeof(*cmd));
	60	- cmd->sc = sc;
	61	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
	62	.type = VIRTIO_SCSI_T_TMF,
	63	.subtype = VIRTIO_SCSI_T_TMF_ABORT_TASK,