Series comparison

-[PULL for-6.1 0/3] Block patches
+[PULL 0/1] Block patches
-The following changes since commit 3521ade3510eb5cefb2e27a101667f25dad89935:
+The following changes since commit 871af84dd599fab68c8ed414d9ecbdb2bcfc5801:
-  Merge remote-tracking branch 'remotes/thuth-gitlab/tags/pull-request-2021-07-29' into staging (2021-07-29 13:17:20 +0100)
+  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2025-01-29 09:51:03 -0500)
 are available in the Git repository at:
   https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to cc8eecd7f105a1dff5876adeb238a14696061a4a:
+for you to fetch changes up to 58607752d173438994d28dea7e2c2587726663e6:
-  MAINTAINERS: Added myself as a reviewer for the NVMe Block Driver (2021-07-29 17:17:34 +0100)
+  parallels: fix ext_off assertion failure due to overflow (2025-01-30 15:22:28 -0500)
 ----------------------------------------------------------------
 Pull request
-The main fix here is for io_uring. Spurious -EAGAIN errors can happen and the
-request needs to be resubmitted.
-The MAINTAINERS changes carry no risk and we might as well include them in QEMU
-.1.
 ----------------------------------------------------------------
-Fabian Ebner (1):
+Denis Rastyogin (1):
-  block/io_uring: resubmit when result is -EAGAIN
+  parallels: fix ext_off assertion failure due to overflow
-Philippe Mathieu-Daudé (1):
+ block/parallels.c | 4 ++++
-  MAINTAINERS: Added myself as a reviewer for the NVMe Block Driver
+file changed, 4 insertions(+)
 Stefano Garzarella (1):
   MAINTAINERS: add Stefano Garzarella as io_uring reviewer
  MAINTAINERS      |  2 ++
  block/io_uring.c | 16 +++++++++++++++-
 files changed, 17 insertions(+), 1 deletion(-)
 --
-.31.1
+.48.1

-[PULL for-6.1 1/3] MAINTAINERS: add Stefano Garzarella as io_uring reviewer
+Deleted patch
-From: Stefano Garzarella <sgarzare@redhat.com>
-I've been working with io_uring for a while so I'd like to help
-with reviews.
-Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
-Message-Id: <20210728131515.131045-1-sgarzare@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- MAINTAINERS | 1 +
-file changed, 1 insertion(+)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ Linux io_uring
- M: Aarushi Mehta <mehta.aaru20@gmail.com>
- M: Julia Suvorova <jusual@redhat.com>
- M: Stefan Hajnoczi <stefanha@redhat.com>
-+R: Stefano Garzarella <sgarzare@redhat.com>
- L: qemu-block@nongnu.org
- S: Maintained
- F: block/io_uring.c
---
-.31.1

-[PULL for-6.1 2/3] block/io_uring: resubmit when result is -EAGAIN
+Deleted patch
-From: Fabian Ebner <f.ebner@proxmox.com>
-Linux SCSI can throw spurious -EAGAIN in some corner cases in its
-completion path, which will end up being the result in the completed
-io_uring request.
-Resubmitting such requests should allow block jobs to complete, even
-if such spurious errors are encountered.
-Co-authored-by: Stefan Hajnoczi <stefanha@gmail.com>
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
-Message-id: 20210729091029.65369-1-f.ebner@proxmox.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- block/io_uring.c | 16 +++++++++++++++-
-file changed, 15 insertions(+), 1 deletion(-)
-diff --git a/block/io_uring.c b/block/io_uring.c
-index XXXXXXX..XXXXXXX 100644
---- a/block/io_uring.c
-+++ b/block/io_uring.c
-@@ -XXX,XX +XXX,XX @@ static void luring_process_completions(LuringState *s)
-         total_bytes = ret + luringcb->total_read;
-         if (ret < 0) {
--            if (ret == -EINTR) {
-+            /*
-+             * Only writev/readv/fsync requests on regular files or host block
-+             * devices are submitted. Therefore -EAGAIN is not expected but it's
-+             * known to happen sometimes with Linux SCSI. Submit again and hope
-+             * the request completes successfully.
-+             *
-+             * For more information, see:
-+             * https://lore.kernel.org/io-uring/20210727165811.284510-3-axboe@kernel.dk/T/#u
-+             *
-+             * If the code is changed to submit other types of requests in the
-+             * future, then this workaround may need to be extended to deal with
-+             * genuine -EAGAIN results that should not be resubmitted
-+             * immediately.
-+             */
-+            if (ret == -EINTR || ret == -EAGAIN) {
-                 luring_resubmit(s, luringcb);
-                 continue;
-             }
---
-.31.1

-[PULL for-6.1 3/3] MAINTAINERS: Added myself as a reviewer for the NVMe Block Driver
+[PULL 1/1] parallels: fix ext_off assertion failure due to overflow
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Denis Rastyogin <gerben@altlinux.org>
-I'm interested in following the activity around the NVMe bdrv.
+This error was discovered by fuzzing qemu-img.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+When ph.ext_off has a sufficiently large value, the operation
-Message-id: 20210728183340.2018313-1-philmd@redhat.com
+le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
 parallels_read_format_extension() can cause an overflow in int64_t.
 This overflow triggers the assert(ext_off > 0)
 check in block/parallels-ext.c: parallels_read_format_extension(),
 leading to a crash.
 This commit adds a check to prevent overflow when shifting ph.ext_off
 by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.
 Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
 Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
 Reviewed-by: Denis V. Lunev <den@openvz.org>
 Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- MAINTAINERS | 1 +
+ block/parallels.c | 4 ++++
-file changed, 1 insertion(+)
+file changed, 4 insertions(+)
-diff --git a/MAINTAINERS b/MAINTAINERS
+diff --git a/block/parallels.c b/block/parallels.c
 index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
+--- a/block/parallels.c
-+++ b/MAINTAINERS
++++ b/block/parallels.c
-@@ -XXX,XX +XXX,XX @@ F: block/null.c
+@@ -XXX,XX +XXX,XX @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
- NVMe Block Driver
+         error_setg(errp, "Catalog too large");
- M: Stefan Hajnoczi <stefanha@redhat.com>
+         return -EFBIG;
- R: Fam Zheng <fam@euphon.net>
+     }
-+R: Philippe Mathieu-Daudé <philmd@redhat.com>
++    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
- L: qemu-block@nongnu.org
++        error_setg(errp, "Invalid image: Too big offset");
- S: Supported
++        return -EFBIG;
- F: block/nvme*
++    }
      size = bat_entry_off(s->bat_size);
      s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
 --
-.31.1
+.48.1

The following changes since commit 3521ade3510eb5cefb2e27a101667f25dad89935:

Merge remote-tracking branch 'remotes/thuth-gitlab/tags/pull-request-2021-07-29' into staging (2021-07-29 13:17:20 +0100)

are available in the Git repository at:

https://gitlab.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to cc8eecd7f105a1dff5876adeb238a14696061a4a:

MAINTAINERS: Added myself as a reviewer for the NVMe Block Driver (2021-07-29 17:17:34 +0100)

----------------------------------------------------------------
Pull request

The main fix here is for io_uring. Spurious -EAGAIN errors can happen and the
request needs to be resubmitted.

The MAINTAINERS changes carry no risk and we might as well include them in QEMU
6.1.

----------------------------------------------------------------

Fabian Ebner (1):
  block/io_uring: resubmit when result is -EAGAIN

Philippe Mathieu-Daudé (1):
  MAINTAINERS: Added myself as a reviewer for the NVMe Block Driver

Stefano Garzarella (1):
  MAINTAINERS: add Stefano Garzarella as io_uring reviewer

MAINTAINERS      |  2 ++
 block/io_uring.c | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

-- 
2.31.1

From: Fabian Ebner <f.ebner@proxmox.com>

Linux SCSI can throw spurious -EAGAIN in some corner cases in its
completion path, which will end up being the result in the completed
io_uring request.

Resubmitting such requests should allow block jobs to complete, even
if such spurious errors are encountered.

Co-authored-by: Stefan Hajnoczi <stefanha@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
Message-id: 20210729091029.65369-1-f.ebner@proxmox.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/io_uring.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/block/io_uring.c b/block/io_uring.c
index XXXXXXX..XXXXXXX 100644
--- a/block/io_uring.c
+++ b/block/io_uring.c
@@ -XXX,XX +XXX,XX @@ static void luring_process_completions(LuringState *s)
         total_bytes = ret + luringcb->total_read;
 
         if (ret < 0) {
-            if (ret == -EINTR) {
+            /*
+             * Only writev/readv/fsync requests on regular files or host block
+             * devices are submitted. Therefore -EAGAIN is not expected but it's
+             * known to happen sometimes with Linux SCSI. Submit again and hope
+             * the request completes successfully.
+             *
+             * For more information, see:
+             * https://lore.kernel.org/io-uring/20210727165811.284510-3-axboe@kernel.dk/T/#u
+             *
+             * If the code is changed to submit other types of requests in the
+             * future, then this workaround may need to be extended to deal with
+             * genuine -EAGAIN results that should not be resubmitted
+             * immediately.
+             */
+            if (ret == -EINTR || ret == -EAGAIN) {
                 luring_resubmit(s, luringcb);
                 continue;
             }
-- 
2.31.1

From: Denis Rastyogin <gerben@altlinux.org>

This error was discovered by fuzzing qemu-img.

When ph.ext_off has a sufficiently large value, the operation
le64_to_cpu(ph.ext_off) << BDRV_SECTOR_BITS in
parallels_read_format_extension() can cause an overflow in int64_t.
This overflow triggers the assert(ext_off > 0)
check in block/parallels-ext.c: parallels_read_format_extension(),
leading to a crash.

This commit adds a check to prevent overflow when shifting ph.ext_off
by BDRV_SECTOR_BITS, ensuring that the value remains within a valid range.

Reported-by: Leonid Reviakin <L.reviakin@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Message-ID: <20241212104212.513947-2-gerben@altlinux.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/parallels.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/parallels.c b/block/parallels.c
index XXXXXXX..XXXXXXX 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -XXX,XX +XXX,XX @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
         error_setg(errp, "Catalog too large");
         return -EFBIG;
     }
+    if (le64_to_cpu(ph.ext_off) >= (INT64_MAX >> BDRV_SECTOR_BITS)) {
+        error_setg(errp, "Invalid image: Too big offset");
+        return -EFBIG;
+    }
 
     size = bat_entry_off(s->bat_size);
     s->header_size = ROUND_UP(size, bdrv_opt_mem_align(bs->file->bs));
-- 
2.48.1