Series comparison

-[libvirt] [PULL 0/3] Block patches
+[PULL 0/1] Block patches
-The following changes since commit aceeaa69d28e6f08a24395d0aa6915b687d0a681:
+The following changes since commit 871af84dd599fab68c8ed414d9ecbdb2bcfc5801:
-  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2019-12-17' into staging (2019-12-17 15:55:20 +0000)
+  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-01-29 09:51:03 -0500)
 are available in the Git repository at:
-  https://github.com/stefanha/qemu.git tags/block-pull-request
+  https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to 725fe5d10dbd4259b1853b7d253cef83a3c0d22a:
+for you to fetch changes up to 58607752d173438994d28dea7e2c2587726663e6:
-  virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh (2019-12-19 16:20:25 +0000)
+  parallels: fix ext_off assertion failure due to overflow (2025-01-30 15:22:28 -0500)
 ----------------------------------------------------------------
 Pull request
 ----------------------------------------------------------------
-Li Hangjing (1):
+Denis Rastyogin (1):
-  virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh
+  parallels: fix ext_off assertion failure due to overflow
-Stefan Hajnoczi (2):
+ block/parallels.c | 4 ++++
-  virtio-blk: deprecate SCSI passthrough
+file changed, 4 insertions(+)
   docs: fix rst syntax errors in unbuilt docs
  docs/arm-cpu-features.rst       |  6 +++---
  docs/virtio-net-failover.rst    |  4 ++--
  docs/virtio-pmem.rst            | 19 ++++++++++---------
  hw/block/dataplane/virtio-blk.c |  2 +-
  qemu-deprecated.texi            | 11 +++++++++++
 files changed, 27 insertions(+), 15 deletions(-)
 --
-.23.0
+.48.1
 --
 libvir-list mailing list
 libvir-list@redhat.com
 https://www.redhat.com/mailman/listinfo/libvir-list

-[libvirt] [PULL 1/3] virtio-blk: deprecate SCSI passthrough
+Deleted patch
-The Linux virtio_blk.ko guest driver is removing legacy SCSI passthrough
-support.  Deprecate this feature in QEMU too.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-id: 20191213144626.1208237-1-stefanha@redhat.com
-Message-Id: <20191213144626.1208237-1-stefanha@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- qemu-deprecated.texi | 11 +++++++++++
-file changed, 11 insertions(+)
-diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
-index XXXXXXX..XXXXXXX 100644
---- a/qemu-deprecated.texi
-+++ b/qemu-deprecated.texi
-@@ -XXX,XX +XXX,XX @@ spec you can use the ``-cpu rv64gcsu,priv_spec=v1.9.1`` command line argument.
- @section Device options
-+@subsection Emulated device options
-+
-+@subsubsection -device virtio-blk,scsi=on|off (since 5.0.0)
-+
-+The virtio-blk SCSI passthrough feature is a legacy VIRTIO feature.  VIRTIO 1.0
-+and later do not support it because the virtio-scsi device was introduced for
-+full SCSI support.  Use virtio-scsi instead when SCSI passthrough is required.
-+
-+Note this also applies to ``-device virtio-blk-pci,scsi=on|off'', which is an
-+alias.
-+
- @subsection Block device options
- @subsubsection "backing": "" (since 2.12.0)
---
-.23.0
---
-libvir-list mailing list
-libvir-list@redhat.com
-https://www.redhat.com/mailman/listinfo/libvir-list

-[libvirt] [PULL 2/3] docs: fix rst syntax errors in unbuilt docs
+Deleted patch
-The .rst files outside docs/{devel,interop,specs} aren't built yet and
-therefore a few syntax errors have slipped through.  Fix them.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Message-Id: <20191111094411.427174-1-stefanha@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- docs/arm-cpu-features.rst    |  6 +++---
- docs/virtio-net-failover.rst |  4 ++--
- docs/virtio-pmem.rst         | 19 ++++++++++---------
-files changed, 15 insertions(+), 14 deletions(-)
-diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/arm-cpu-features.rst
-+++ b/docs/arm-cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ CPU type is possible with the `query-cpu-model-expansion` QMP command.
- Below are some examples where `scripts/qmp/qmp-shell` (see the top comment
- block in the script for usage) is used to issue the QMP commands.
--(1) Determine which CPU features are available for the `max` CPU type
--    (Note, we started QEMU with qemu-system-aarch64, so `max` is
--     implementing the ARMv8-A reference manual in this case)::
-+1. Determine which CPU features are available for the `max` CPU type
-+   (Note, we started QEMU with qemu-system-aarch64, so `max` is
-+   implementing the ARMv8-A reference manual in this case)::
-       (QEMU) query-cpu-model-expansion type=full model={"name":"max"}
-       { "return": {
-diff --git a/docs/virtio-net-failover.rst b/docs/virtio-net-failover.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/virtio-net-failover.rst
-+++ b/docs/virtio-net-failover.rst
-@@ -XXX,XX +XXX,XX @@
--========================
-+======================================
- QEMU virtio-net standby (net_failover)
--========================
-+======================================
- This document explains the setup and usage of virtio-net standby feature which
- is used to create a net_failover pair of devices.
-diff --git a/docs/virtio-pmem.rst b/docs/virtio-pmem.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/virtio-pmem.rst
-+++ b/docs/virtio-pmem.rst
-@@ -XXX,XX +XXX,XX @@ virtio pmem usage
- -----------------
-   A virtio pmem device backed by a memory-backend-file can be created on
--  the QEMU command line as in the following example:
-+  the QEMU command line as in the following example::
--  -object memory-backend-file,id=mem1,share,mem-path=./virtio_pmem.img,size=4G
--  -device virtio-pmem-pci,memdev=mem1,id=nv1
-+    -object memory-backend-file,id=mem1,share,mem-path=./virtio_pmem.img,size=4G
-+    -device virtio-pmem-pci,memdev=mem1,id=nv1
--   where:
--   - "object memory-backend-file,id=mem1,share,mem-path=<image>, size=<image size>"
--     creates a backend file with the specified size.
-+  where:
--   - "device virtio-pmem-pci,id=nvdimm1,memdev=mem1" creates a virtio pmem
--     pci device whose storage is provided by above memory backend device.
-+  - "object memory-backend-file,id=mem1,share,mem-path=<image>, size=<image size>"
-+    creates a backend file with the specified size.
-+
-+  - "device virtio-pmem-pci,id=nvdimm1,memdev=mem1" creates a virtio pmem
-+    pci device whose storage is provided by above memory backend device.
-   Multiple virtio pmem devices can be created if multiple pairs of "-object"
-   and "-device" are provided.
-@@ -XXX,XX +XXX,XX @@ memory backing has to be added via 'object_add'; afterwards, the virtio
- pmem device can be added via 'device_add'.
- For example, the following commands add another 4GB virtio pmem device to
--the guest:
-+the guest::
-  (qemu) object_add memory-backend-file,id=mem2,share=on,mem-path=virtio_pmem2.img,size=4G
-  (qemu) device_add virtio-pmem-pci,id=virtio_pmem2,memdev=mem2
---
-.23.0
---
-libvir-list mailing list
-libvir-list@redhat.com
-https://www.redhat.com/mailman/listinfo/libvir-list

-[libvirt] [PULL 3/3] virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh
+[PULL 1/1] parallels: fix ext_off assertion failure due to overflow
-From: Li Hangjing <lihangjing@baidu.com>
+From: Denis Rastyogin <gerben@altlinux.org>
-When the number of a virtio-blk device's virtqueues is larger than
+This error was discovered by fuzzing qemu-img.
 BITS_PER_LONG, the out-of-bounds access to bitmap[ ] will occur.
-Fixes: e21737ab15 ("virtio-blk: multiqueue batch notify")
+When ph.ext_off has a sufficiently large value, the operation
-Cc: qemu-stable@nongnu.org
+le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
-Cc: Stefan Hajnoczi <stefanha@redhat.com>
+parallels_read_format_extension() can cause an overflow in int64_t.
-Signed-off-by: Li Hangjing <lihangjing@baidu.com>
+This overflow triggers the assert(ext_off > 0)
-Reviewed-by: Xie Yongji <xieyongji@baidu.com>
+check in block/parallels-ext.c: parallels_read_format_extension(),
-Reviewed-by: Chai Wen <chaiwen@baidu.com>
+leading to a crash.
-Message-id: 20191216023050.48620-1-lihangjing@baidu.com
-Message-Id: <20191216023050.48620-1-lihangjing@baidu.com>
+This commit adds a check to prevent overflow when shifting ph.ext_off
 by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.
 Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
 Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
 Reviewed-by: Denis V. Lunev <den@openvz.org>
 Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- hw/block/dataplane/virtio-blk.c | 2 +-
+ block/parallels.c | 4 ++++
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 4 insertions(+)
-diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
+diff --git a/block/parallels.c b/block/parallels.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/block/dataplane/virtio-blk.c
+--- a/block/parallels.c
-+++ b/hw/block/dataplane/virtio-blk.c
++++ b/block/parallels.c
-@@ -XXX,XX +XXX,XX @@ static void notify_guest_bh(void *opaque)
+@@ -XXX,XX +XXX,XX @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
-     memset(s->batch_notify_vqs, 0, sizeof(bitmap));
+         error_setg(errp, "Catalog too large");
+         return -EFBIG;
-     for (j = 0; j < nvqs; j += BITS_PER_LONG) {
+     }
--        unsigned long bits = bitmap[j];
++    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
-+        unsigned long bits = bitmap[j / BITS_PER_LONG];
++        error_setg(errp, "Invalid image: Too big offset");
++        return -EFBIG;
-         while (bits != 0) {
++    }
-             unsigned i = j + ctzl(bits);
      size = bat_entry_off(s->bat_size);
      s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
 --
-.23.0
+.48.1
 --
 libvir-list mailing list
 libvir-list@redhat.com
 https://www.redhat.com/mailman/listinfo/libvir-list

The following changes since commit aceeaa69d28e6f08a24395d0aa6915b687d0a681:

Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2019-12-17' into staging (2019-12-17 15:55:20 +0000)

are available in the Git repository at:

https://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to 725fe5d10dbd4259b1853b7d253cef83a3c0d22a:

virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh (2019-12-19 16:20:25 +0000)

----------------------------------------------------------------
Pull request

----------------------------------------------------------------

Li Hangjing (1):
  virtio-blk: fix out-of-bounds access to bitmap in notify_guest_bh

Stefan Hajnoczi (2):
  virtio-blk: deprecate SCSI passthrough
  docs: fix rst syntax errors in unbuilt docs

-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

The Linux virtio_blk.ko guest driver is removing legacy SCSI passthrough
support.  Deprecate this feature in QEMU too.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20191213144626.1208237-1-stefanha@redhat.com
Message-Id: <20191213144626.1208237-1-stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 qemu-deprecated.texi | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index XXXXXXX..XXXXXXX 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -XXX,XX +XXX,XX @@ spec you can use the ``-cpu rv64gcsu,priv_spec=v1.9.1`` command line argument.
 
 @section Device options
 
+@subsection Emulated device options
+
+@subsubsection -device virtio-blk,scsi=on|off (since 5.0.0)
+
+The virtio-blk SCSI passthrough feature is a legacy VIRTIO feature.  VIRTIO 1.0
+and later do not support it because the virtio-scsi device was introduced for
+full SCSI support.  Use virtio-scsi instead when SCSI passthrough is required.
+
+Note this also applies to ``-device virtio-blk-pci,scsi=on|off'', which is an
+alias.
+
 @subsection Block device options
 
 @subsubsection "backing": "" (since 2.12.0)
-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

The .rst files outside docs/{devel,interop,specs} aren't built yet and
therefore a few syntax errors have slipped through.  Fix them.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20191111094411.427174-1-stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 docs/arm-cpu-features.rst    |  6 +++---
 docs/virtio-net-failover.rst |  4 ++--
 docs/virtio-pmem.rst         | 19 ++++++++++---------
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/arm-cpu-features.rst
+++ b/docs/arm-cpu-features.rst
@@ -XXX,XX +XXX,XX @@ CPU type is possible with the `query-cpu-model-expansion` QMP command.
 Below are some examples where `scripts/qmp/qmp-shell` (see the top comment
 block in the script for usage) is used to issue the QMP commands.
 
-(1) Determine which CPU features are available for the `max` CPU type
-    (Note, we started QEMU with qemu-system-aarch64, so `max` is
-     implementing the ARMv8-A reference manual in this case)::
+1. Determine which CPU features are available for the `max` CPU type
+   (Note, we started QEMU with qemu-system-aarch64, so `max` is
+   implementing the ARMv8-A reference manual in this case)::
 
       (QEMU) query-cpu-model-expansion type=full model={"name":"max"}
       { "return": {
diff --git a/docs/virtio-net-failover.rst b/docs/virtio-net-failover.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/virtio-net-failover.rst
+++ b/docs/virtio-net-failover.rst
@@ -XXX,XX +XXX,XX @@
-========================
+======================================
 QEMU virtio-net standby (net_failover)
-========================
+======================================
 
 This document explains the setup and usage of virtio-net standby feature which
 is used to create a net_failover pair of devices.
diff --git a/docs/virtio-pmem.rst b/docs/virtio-pmem.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/virtio-pmem.rst
+++ b/docs/virtio-pmem.rst
@@ -XXX,XX +XXX,XX @@ virtio pmem usage
 -----------------
 
   A virtio pmem device backed by a memory-backend-file can be created on
-  the QEMU command line as in the following example:
+  the QEMU command line as in the following example::
 
-  -object memory-backend-file,id=mem1,share,mem-path=./virtio_pmem.img,size=4G
-  -device virtio-pmem-pci,memdev=mem1,id=nv1
+    -object memory-backend-file,id=mem1,share,mem-path=./virtio_pmem.img,size=4G
+    -device virtio-pmem-pci,memdev=mem1,id=nv1
 
-   where:
-   - "object memory-backend-file,id=mem1,share,mem-path=<image>, size=<image size>"
-     creates a backend file with the specified size.
+  where:
 
-   - "device virtio-pmem-pci,id=nvdimm1,memdev=mem1" creates a virtio pmem
-     pci device whose storage is provided by above memory backend device.
+  - "object memory-backend-file,id=mem1,share,mem-path=<image>, size=<image size>"
+    creates a backend file with the specified size.
+
+  - "device virtio-pmem-pci,id=nvdimm1,memdev=mem1" creates a virtio pmem
+    pci device whose storage is provided by above memory backend device.
 
   Multiple virtio pmem devices can be created if multiple pairs of "-object"
   and "-device" are provided.
@@ -XXX,XX +XXX,XX @@ memory backing has to be added via 'object_add'; afterwards, the virtio
 pmem device can be added via 'device_add'.
 
 For example, the following commands add another 4GB virtio pmem device to
-the guest:
+the guest::
 
  (qemu) object_add memory-backend-file,id=mem2,share=on,mem-path=virtio_pmem2.img,size=4G
  (qemu) device_add virtio-pmem-pci,id=virtio_pmem2,memdev=mem2
-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

From: Li Hangjing <lihangjing@baidu.com>

When the number of a virtio-blk device's virtqueues is larger than
BITS_PER_LONG, the out-of-bounds access to bitmap[ ] will occur.

Fixes: e21737ab15 ("virtio-blk: multiqueue batch notify")
Cc: qemu-stable@nongnu.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Li Hangjing <lihangjing@baidu.com>
Reviewed-by: Xie Yongji <xieyongji@baidu.com>
Reviewed-by: Chai Wen <chaiwen@baidu.com>
Message-id: 20191216023050.48620-1-lihangjing@baidu.com
Message-Id: <20191216023050.48620-1-lihangjing@baidu.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/block/dataplane/virtio-blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/dataplane/virtio-blk.c
+++ b/hw/block/dataplane/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static void notify_guest_bh(void *opaque)
     memset(s->batch_notify_vqs, 0, sizeof(bitmap));
 
     for (j = 0; j < nvqs; j += BITS_PER_LONG) {
-        unsigned long bits = bitmap[j];
+        unsigned long bits = bitmap[j / BITS_PER_LONG];
 
         while (bits != 0) {
             unsigned i = j + ctzl(bits);
-- 
2.23.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
check in block/parallels-ext.c: parallels_read_format_extension(),
leading to a crash.

This commit adds a check to prevent overflow when shifting ph.ext_off
by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.

Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/parallels.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/parallels.c b/block/parallels.c
index XXXXXXX..XXXXXXX 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -XXX,XX +XXX,XX @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
         error_setg(errp, "Catalog too large");
         return -EFBIG;
     }
+    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
+        error_setg(errp, "Invalid image: Too big offset");
+        return -EFBIG;
+    }
 
     size = bat_entry_off(s->bat_size);
     s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
-- 
2.48.1