Series comparison

 [PULL 0/1] Block patches
-The following changes since commit 61c265f0660ee476985808c8aa7915617c44fd53:
+The following changes since commit ea9cdbcf3a0b8d5497cddf87990f1b39d8f3bb0a:
-  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200313a' into staging (2020-03-13 10:33:04 +0000)
+  Merge tag 'hw-misc-20240913' of https://github.com/philmd/qemu into staging (2024-09-15 18:27:40 +0100)
 are available in the Git repository at:
-  https://github.com/stefanha/qemu.git tags/block-pull-request
+  https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to 4ab78b19189a81038e744728ed949d09aa477550:
+for you to fetch changes up to 89cd6254b80784a1b3f574407192493ef92fe65f:
-  block/io: fix bdrv_co_do_copy_on_readv (2020-03-16 11:46:11 +0000)
+  hw/block: fix uint32 overflow (2024-09-17 12:12:30 +0200)
 ----------------------------------------------------------------
 Pull request
+An integer overflow fix for the last zone on a zoned block device whose
+capacity is not a multiple of the zone size.
 ----------------------------------------------------------------
-Vladimir Sementsov-Ogievskiy (1):
+Dmitry Frolov (1):
-  block/io: fix bdrv_co_do_copy_on_readv
+  hw/block: fix uint32 overflow
- block/io.c | 2 +-
+ hw/block/virtio-blk.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
 --
-.24.1
+.46.0

-[PULL 1/1] block/io: fix bdrv_co_do_copy_on_readv
+[PULL 1/1] hw/block: fix uint32 overflow
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+From: Dmitry Frolov <frolov@swemel.ru>
-Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
+The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
-buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
+uint32.
 anyway.
-But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
 part of original qiov, defined by qiov_offset and bytes. So we must not
 touch qiov behind qiov_offset+bytes bound. Fix it.
-Cc: qemu-stable@nongnu.org # v4.2
+Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
-Fixes: 1143ec5ebf4
+Message-id: 20240917080356.270576-2-frolov@swemel.ru
 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Reviewed-by: John Snow <jsnow@redhat.com>
 Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- block/io.c | 2 +-
+ hw/block/virtio-blk.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/block/io.c b/block/io.c
+diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
 index XXXXXXX..XXXXXXX 100644
---- a/block/io.c
+--- a/hw/block/virtio-blk.c
-+++ b/block/io.c
++++ b/hw/block/virtio-blk.c
-@@ -XXX,XX +XXX,XX @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BdrvChild *child,
+@@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op)
-             if (!(flags & BDRV_REQ_PREFETCH)) {
+     } else {
-                 qemu_iovec_from_buf(qiov, qiov_offset + progress,
+         if (bs->bl.zone_size > capacity - offset) {
-                                     bounce_buffer + skip_bytes,
+             /* The zoned device allows the last smaller zone. */
--                                    pnum - skip_bytes);
+-            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1);
-+                                    MIN(pnum - skip_bytes, bytes - progress));
++            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull);
-             }
+         } else {
-         } else if (!(flags & BDRV_REQ_PREFETCH)) {
+             len = bs->bl.zone_size;
-             /* Read directly into the destination */
+         }
 --
-.24.1
+.46.0

From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
anyway.

But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
part of original qiov, defined by qiov_offset and bytes. So we must not
touch qiov behind qiov_offset+bytes bound. Fix it.

Cc: qemu-stable@nongnu.org # v4.2
Fixes: 1143ec5ebf4
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/io.c b/block/io.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io.c
+++ b/block/io.c
@@ -XXX,XX +XXX,XX @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BdrvChild *child,
             if (!(flags & BDRV_REQ_PREFETCH)) {
                 qemu_iovec_from_buf(qiov, qiov_offset + progress,
                                     bounce_buffer + skip_bytes,
-                                    pnum - skip_bytes);
+                                    MIN(pnum - skip_bytes, bytes - progress));
             }
         } else if (!(flags & BDRV_REQ_PREFETCH)) {
             /* Read directly into the destination */
-- 
2.24.1

From: Dmitry Frolov <frolov@swemel.ru>

The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
uint32.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-id: 20240917080356.270576-2-frolov@swemel.ru
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/block/virtio-blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op)
     } else {
         if (bs->bl.zone_size > capacity - offset) {
             /* The zoned device allows the last smaller zone. */
-            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1);
+            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull);
         } else {
             len = bs->bl.zone_size;
         }
-- 
2.46.0