In the tcm_qla2xxx fabric driver, command structures (struct qla_tgt_cmd)
are often recycled from a command pool to improve performance. Failure
to reset the internal 'offset' member can lead to incorrect DMA offsets
when a command is reused.

Differential analysis shows that while tcm_qla2xxx_queue_data_in and
tcm_qla2xxx_queue_status both explicitly initialize 'cmd->offset = 0'
before passing the command to the lower-level QLA2xxx driver,
tcm_qla2xxx_write_pending fails to do so.

If a recycled command with a stale non-zero offset is passed to
qlt_rdy_to_xfer, it may result in data corruption or IOMMU faults due
to the hardware attempting to transfer data to or from an incorrect
memory offset.

Fix this by explicitly initializing 'cmd->offset' to 0 in
tcm_qla2xxx_write_pending to ensure consistency with other command
queuing paths.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
---
drivers/scsi/qla2xxx/tcm_qla2xxx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
index 2fff68935338..282689bb6750 100644
--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
@@ -415,6 +415,7 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
cmd->sg_cnt = se_cmd->t_data_nents;
cmd->sg = se_cmd->t_data_sg;
+ cmd->offset = 0;
cmd->prot_sg_cnt = se_cmd->t_prot_nents;
cmd->prot_sg = se_cmd->t_prot_sg;
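Review bot: Adding `cmd->offset = 0;` here closes the gap in tcm_qla2xxx_write_pending, but it leaves the invariant spread across three call sites (queue_data_in, queue_status and now write_pending), so a future queuing path can reintroduce the same stale-offset reuse; consider also resetting the member where the command is handed back to or taken from the pool so that every path starts from a clean value. Since the message describes data corruption and IOMMU faults from a recycled command, the patch should carry a Fixes: tag naming the commit that introduced the per-path initialization, and likely a Cc: stable.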
--
2.25.1