* [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3
@ 2026-04-09 10:33 Paolo Bonzini
From: Paolo Bonzini @ 2026-04-09 10:33 UTC (permalink / raw)
To: qemu-devel
The following changes since commit b6a7d06213e5d2f7d124d16418bc289c4a8a4b82:
Update version for v11.0.0-rc2 release (2026-04-01 20:48:02 +0100)
are available in the Git repository at:
https://gitlab.com/bonzini/qemu.git tags/for-upstream
for you to fetch changes up to 6c0f11de6118a870e6dd5e1928586885e4363ae7:
virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (2026-04-09 12:29:49 +0200)
----------------------------------------------------------------
* virtio-scsi: fix cdb_size issue
----------------------------------------------------------------
Paolo Bonzini (1):
virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
--
2.53.0
* [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
@ 2026-04-09 10:33 ` Paolo Bonzini
From: Paolo Bonzini @ 2026-04-09 10:33 UTC (permalink / raw)
To: qemu-devel; +Cc: Jihe Wang, Stefan Hajnoczi
Ensure that there is no allocation/usage mismatch when requests
are processed in virtio_scsi_handle_cmd_vq. To do this,
retrieve the value once and pass it to both functions.
For other calls to virtio_scsi_pop_req the extra size
can be 0, because control and event requests fit
entirely in VirtIOSCSIReq.
Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 774968d8c70..6c737680119 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -227,16 +227,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
return 0;
}
-static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, QemuMutex *vq_lock)
+static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, size_t extra_req_size,
+ QemuMutex *vq_lock)
{
- VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
VirtIOSCSIReq *req;
if (vq_lock) {
qemu_mutex_lock(vq_lock);
}
- req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size);
+ req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size);
if (vq_lock) {
qemu_mutex_unlock(vq_lock);
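Review bot: The new extra_req_size parameter carries a contract that the hunk leaves undocumented: the bytes allocated beyond sizeof(VirtIOSCSIReq) at the virtqueue_pop call must equal the length the command path later parses, which is exactly the mismatch this commit closes. A comment on the prototype would make that explicit, e.g. `/* extra_req_size: bytes reserved after VirtIOSCSIReq (the CDB for command requests, 0 for control and event requests); command callers must pass the same value to virtio_scsi_handle_cmd_req_prepare so allocation and parsing agree. */`. The same documentation is missing on the new cdb_size parameter of virtio_scsi_handle_cmd_req_prepare in the hunk at line 850. virtio_scsi_pop_req's body continues past the end of this hunk.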
@@ -682,7 +682,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
{
VirtIOSCSIReq *req;
- while ((req = virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) {
+ while ((req = virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) {
virtio_scsi_handle_ctrl_req(s, req);
}
}
@@ -850,13 +850,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *req)
virtio_scsi_complete_cmd_req(req);
}
-static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
+static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req,
+ size_t cdb_size)
{
VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
SCSIDevice *d;
int rc;
- rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
+ rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size,
sizeof(VirtIOSCSICmdResp) + vs->sense_size);
if (rc < 0) {
if (rc == -ENOTSUP) {
@@ -878,7 +879,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
}
req->sreq = scsi_req_new(d, req->req.cmd.tag,
virtio_scsi_get_lun(req->req.cmd.lun),
- req->req.cmd.cdb, vs->cdb_size, req);
+ req->req.cmd.cdb, cdb_size, req);
if (req->sreq->cmd.mode != SCSI_XFER_NONE
&& (req->sreq->cmd.mode != req->mode ||
@@ -913,12 +914,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
do {
+ VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
+ size_t cdb_size = qatomic_read(&vs->cdb_size);
+
if (suppress_notifications) {
virtio_queue_set_notification(vq, 0);
}
- while ((req = virtio_scsi_pop_req(s, vq, NULL))) {
- ret = virtio_scsi_handle_cmd_req_prepare(s, req);
+ while ((req = virtio_scsi_pop_req(s, vq, cdb_size, NULL))) {
+ ret = virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size);
if (!ret) {
QTAILQ_INSERT_TAIL(&reqs, req, next);
} else if (ret == -EINVAL) {
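Review bot: The added `VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;` uses a plain C cast where virtio_scsi_handle_cmd_req_prepare in the hunk at line 850 obtains the same pointer with the QOM macro, `VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);`; the macro form is the convention in the sibling function and should be used here as well. Snapshotting cdb_size once per outer iteration and threading it through both the pop and the prepare call is the right shape, but nothing in the loop says why the local exists; a one-line comment such as `/* read cdb_size once so pop and prepare use the same value even if the config is rewritten concurrently */` would record the intent. The enclosing function virtio_scsi_handle_cmd_vq starts before this hunk and continues after it.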
@@ -989,7 +993,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev,
}
vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);
- vs->cdb_size = virtio_ldl_p(vdev, &scsiconf->cdb_size);
+ qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size));
}
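Review bot: The store to `vs->sense_size` on the context line directly above the changed one stays a plain assignment while the adjacent cdb_size store becomes qatomic_set, yet sense_size is read from the command path at the virtio_scsi_parse_req call in the hunk at line 850 (`sizeof(VirtIOSCSICmdResp) + vs->sense_size`). If that read can run concurrently with virtio_scsi_set_config, as the commit assumes for cdb_size, the same treatment appears warranted: `qatomic_set(&vs->sense_size, virtio_ldl_p(vdev, &scsiconf->sense_size));` with a matching qatomic_read at the consumer. If sense_size is deliberately left as a plain store, a short comment saying why would spare the next reader the same question. The enclosing function starts before this hunk.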
static uint64_t virtio_scsi_get_features(VirtIODevice *vdev,
@@ -1050,7 +1054,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s,
return;
}
- req = virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock);
+ req = virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock);
WITH_QEMU_LOCK_GUARD(&s->event_lock) {
if (!req) {
s->events_dropped = true;
--
2.53.0
* Re: [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
@ 2026-04-09 10:49 ` Daniel P. Berrangé
From: Daniel P. Berrangé @ 2026-04-09 10:49 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel, Jihe Wang, Stefan Hajnoczi
On Thu, Apr 09, 2026 at 12:33:09PM +0200, Paolo Bonzini wrote:
> Ensure that there is no allocation/usage mismatch when requests
> are processed in virtio_scsi_handle_cmd_vq. To do this,
> retrieve the value once and pass it to both functions.
>
> For other calls to virtio_scsi_pop_req the extra size
> can be 0, because control and event requests fit
> entirely in VirtIOSCSIReq.
>
> Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
> Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
> 1 file changed, 15 insertions(+), 11 deletions(-)
This issue is tagged CVE-2026-5763 - if possible can we get that
in the commit message before merging.
>
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 774968d8c70..6c737680119 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -227,16 +227,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
> return 0;
> }
>
> -static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, QemuMutex *vq_lock)
> +static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, size_t extra_req_size,
> + QemuMutex *vq_lock)
> {
> - VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
> VirtIOSCSIReq *req;
>
> if (vq_lock) {
> qemu_mutex_lock(vq_lock);
> }
>
> - req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size);
> + req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size);
>
> if (vq_lock) {
> qemu_mutex_unlock(vq_lock);
> @@ -682,7 +682,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
> {
> VirtIOSCSIReq *req;
>
> - while ((req = virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) {
> + while ((req = virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) {
> virtio_scsi_handle_ctrl_req(s, req);
> }
> }
> @@ -850,13 +850,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *req)
> virtio_scsi_complete_cmd_req(req);
> }
>
> -static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
> +static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req,
> + size_t cdb_size)
> {
> VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
> SCSIDevice *d;
> int rc;
>
> - rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
> + rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size,
> sizeof(VirtIOSCSICmdResp) + vs->sense_size);
> if (rc < 0) {
> if (rc == -ENOTSUP) {
> @@ -878,7 +879,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
> }
> req->sreq = scsi_req_new(d, req->req.cmd.tag,
> virtio_scsi_get_lun(req->req.cmd.lun),
> - req->req.cmd.cdb, vs->cdb_size, req);
> + req->req.cmd.cdb, cdb_size, req);
>
> if (req->sreq->cmd.mode != SCSI_XFER_NONE
> && (req->sreq->cmd.mode != req->mode ||
> @@ -913,12 +914,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
> QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
>
> do {
> + VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
> + size_t cdb_size = qatomic_read(&vs->cdb_size);
> +
> if (suppress_notifications) {
> virtio_queue_set_notification(vq, 0);
> }
>
> - while ((req = virtio_scsi_pop_req(s, vq, NULL))) {
> - ret = virtio_scsi_handle_cmd_req_prepare(s, req);
> + while ((req = virtio_scsi_pop_req(s, vq, cdb_size, NULL))) {
> + ret = virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size);
> if (!ret) {
> QTAILQ_INSERT_TAIL(&reqs, req, next);
> } else if (ret == -EINVAL) {
> @@ -989,7 +993,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev,
> }
>
> vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);
> - vs->cdb_size = virtio_ldl_p(vdev, &scsiconf->cdb_size);
> + qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size));
> }
>
> static uint64_t virtio_scsi_get_features(VirtIODevice *vdev,
> @@ -1050,7 +1054,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s,
> return;
> }
>
> - req = virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock);
> + req = virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock);
> WITH_QEMU_LOCK_GUARD(&s->event_lock) {
> if (!req) {
> s->events_dropped = true;
> --
> 2.53.0
>
>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
* Re: [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
@ 2026-04-09 10:53 ` Paolo Bonzini
From: Paolo Bonzini @ 2026-04-09 10:53 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Jihe Wang, Stefan Hajnoczi
On Thu, Apr 9, 2026 at 12:49 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Thu, Apr 09, 2026 at 12:33:09PM +0200, Paolo Bonzini wrote:
> > Ensure that there is no allocation/usage mismatch when requests
> > are processed in virtio_scsi_handle_cmd_vq. To do this,
> > retrieve the value once and pass it to both functions.
> >
> > For other calls to virtio_scsi_pop_req the extra size
> > can be 0, because control and event requests fit
> > entirely in VirtIOSCSIReq.
> >
> > Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
> > Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
> > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> > hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
> > 1 file changed, 15 insertions(+), 11 deletions(-)
>
> This issue is tagged CVE-2026-5763 - if possible can we get that
> in the commit message before merging.
Done, new commit hash is 79971302935472232a68073faddb085177e3ca54.
Paolo
* Re: [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3
@ 2026-04-09 14:12 ` Peter Maydell
From: Peter Maydell @ 2026-04-09 14:12 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel
On Thu, 9 Apr 2026 at 11:34, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> The following changes since commit b6a7d06213e5d2f7d124d16418bc289c4a8a4b82:
>
> Update version for v11.0.0-rc2 release (2026-04-01 20:48:02 +0100)
>
> are available in the Git repository at:
>
> https://gitlab.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 6c0f11de6118a870e6dd5e1928586885e4363ae7:
>
> virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (2026-04-09 12:29:49 +0200)
>
> ----------------------------------------------------------------
> * virtio-scsi: fix cdb_size issue
>
> ----------------------------------------------------------------
> Paolo Bonzini (1):
> virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
Applied, thanks (the 7997130293 version with the CVE tag in the commit message).
Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.
-- PMM