4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Greg Edwards <gedwards@xxxxxxx> commit 4542d623c7134bc1738f8a68ccb6dd546f1c264f upstream. Commands with protection information included were not truncating the protection iov_iter to the number of protection bytes in the command. This resulted in vhost_scsi mis-calculating the size of the protection SGL in vhost_scsi_calc_sgls(), and including both the protection and data SG entries in the protection SGL. Fixes: 09b13fa8c1a1 ("vhost/scsi: Add ANY_LAYOUT support in vhost_scsi_handle_vq") Signed-off-by: Greg Edwards <gedwards@xxxxxxx> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Fixes: 09b13fa8c1a1093e9458549ac8bb203a7c65c62a Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/vhost/scsi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -999,7 +999,8 @@ vhost_scsi_handle_vq(struct vhost_scsi * prot_bytes = vhost32_to_cpu(vq, v_req_pi.pi_bytesin); } /* - * Set prot_iter to data_iter, and advance past any + * Set prot_iter to data_iter and truncate it to + * prot_bytes, and advance data_iter past any * preceeding prot_bytes that may be present. * * Also fix up the exp_data_len to reflect only the @@ -1008,6 +1009,7 @@ vhost_scsi_handle_vq(struct vhost_scsi * if (prot_bytes) { exp_data_len -= prot_bytes; prot_iter = data_iter; + iov_iter_truncate(&prot_iter, prot_bytes); iov_iter_advance(&data_iter, prot_bytes); } tag = vhost64_to_cpu(vq, v_req_pi.tag);