Message-Id: <20260107210202.36203-1-jiashengjiangcool@gmail.com>
Date: Wed,  7 Jan 2026 21:02:02 +0000
From: Jiasheng Jiang <jiashengjiangcool@...il.com>
To: Nilesh Javali <njavali@...vell.com>,
	GR-QLogic-Storage-Upstream@...vell.com,
	"James E . J . Bottomley" <James.Bottomley@...senPartnership.com>,
	"Martin K . Petersen" <martin.petersen@...cle.com>
Cc: linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Jiasheng Jiang <jiashengjiangcool@...il.com>
Subject: [PATCH] scsi: tcm_qla2xxx: initialize cmd->offset in tcm_qla2xxx_write_pending

In the tcm_qla2xxx fabric driver, command structures (struct qla_tgt_cmd)
are often recycled from a command pool to improve performance. Failure
to reset the internal 'offset' member can lead to incorrect DMA offsets
when a command is reused.

Differential analysis shows that while tcm_qla2xxx_queue_data_in and
tcm_qla2xxx_queue_status both explicitly initialize 'cmd->offset = 0'
before passing the command to the lower-level QLA2xxx driver,
tcm_qla2xxx_write_pending fails to do so.

If a recycled command with a stale non-zero offset is passed to
qlt_rdy_to_xfer, it may result in data corruption or IOMMU faults due
to the hardware attempting to transfer data to or from an incorrect
memory offset.

Fix this by explicitly initializing 'cmd->offset' to 0 in
tcm_qla2xxx_write_pending to ensure consistency with other command
queuing paths.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@...il.com>
---
 drivers/scsi/qla2xxx/tcm_qla2xxx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
index 2fff68935338..282689bb6750 100644
--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
@@ -415,6 +415,7 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
 
 	cmd->sg_cnt = se_cmd->t_data_nents;
 	cmd->sg = se_cmd->t_data_sg;
+	cmd->offset = 0;
 
 	cmd->prot_sg_cnt = se_cmd->t_prot_nents;
 	cmd->prot_sg = se_cmd->t_prot_sg;
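
Review bot: the added `cmd->offset = 0;` after the `cmd->sg` assignment rests on the claim that a recycled command can reach tcm_qla2xxx_write_pending with a stale non-zero offset, but the commit message names no code path that leaves the field non-zero and does not say whether the command is already cleared when it is taken from the pool. Please state where the stale value comes from, or say that this is a consistency and hardening change rather than a fix for an observed fault. If it is a real bug, add a Fixes: tag naming the commit that introduced it so the change can be considered for stable. The message also mentions data corruption and IOMMU faults; say whether either was reproduced or whether this came from code inspection only.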
-- 
2.25.1

