[PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3
@ 2026-04-09 10:33 Paolo Bonzini
  2026-04-09 10:33 ` [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare Paolo Bonzini
  2026-04-09 14:12 ` [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Peter Maydell
  0 siblings, 2 replies; 5+ messages in thread
From: Paolo Bonzini @ 2026-04-09 10:33 UTC (permalink / raw)
  To: qemu-devel

The following changes since commit b6a7d06213e5d2f7d124d16418bc289c4a8a4b82:

  Update version for v11.0.0-rc2 release (2026-04-01 20:48:02 +0100)

are available in the Git repository at:

  https://gitlab.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to 6c0f11de6118a870e6dd5e1928586885e4363ae7:

  virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (2026-04-09 12:29:49 +0200)

----------------------------------------------------------------
* virtio-scsi: fix cdb_size issue

----------------------------------------------------------------
Paolo Bonzini (1):
      virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare

 hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
-- 
2.53.0



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
  2026-04-09 10:33 [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Paolo Bonzini
@ 2026-04-09 10:33 ` Paolo Bonzini
  2026-04-09 10:49   ` Daniel P. Berrangé
  2026-04-09 14:12 ` [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Peter Maydell
  1 sibling, 1 reply; 5+ messages in thread
From: Paolo Bonzini @ 2026-04-09 10:33 UTC (permalink / raw)
  To: qemu-devel; +Cc: Jihe Wang, Stefan Hajnoczi

Ensure that there is no allocation/usage mismatch when requests
are processed in virtio_scsi_handle_cmd_vq.  To do this,
retrieve the value once and pass it to both functions.

For other calls to virtio_scsi_pop_req the extra size
can be 0, because control and event requests fit
entirely in VirtIOSCSIReq.

Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 774968d8c70..6c737680119 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -227,16 +227,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
     return 0;
 }
 
-static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, QemuMutex *vq_lock)
+static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, size_t extra_req_size,
+                                          QemuMutex *vq_lock)
 {
-    VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
     VirtIOSCSIReq *req;
 
     if (vq_lock) {
         qemu_mutex_lock(vq_lock);
     }
 
-    req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size);
+    req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size);
 
     if (vq_lock) {
         qemu_mutex_unlock(vq_lock);
@@ -682,7 +682,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
 {
     VirtIOSCSIReq *req;
 
-    while ((req = virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) {
+    while ((req = virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) {
         virtio_scsi_handle_ctrl_req(s, req);
     }
 }
@@ -850,13 +850,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *req)
     virtio_scsi_complete_cmd_req(req);
 }
 
-static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
+static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req,
+                                              size_t cdb_size)
 {
     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
     SCSIDevice *d;
     int rc;
 
-    rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
+    rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size,
                                sizeof(VirtIOSCSICmdResp) + vs->sense_size);
     if (rc < 0) {
         if (rc == -ENOTSUP) {
@@ -878,7 +879,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
     }
     req->sreq = scsi_req_new(d, req->req.cmd.tag,
                              virtio_scsi_get_lun(req->req.cmd.lun),
-                             req->req.cmd.cdb, vs->cdb_size, req);
+                             req->req.cmd.cdb, cdb_size, req);
 
     if (req->sreq->cmd.mode != SCSI_XFER_NONE
         && (req->sreq->cmd.mode != req->mode ||
@@ -913,12 +914,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
     QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
 
     do {
+        VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
+        size_t cdb_size = qatomic_read(&vs->cdb_size);
+
         if (suppress_notifications) {
             virtio_queue_set_notification(vq, 0);
         }
 
-        while ((req = virtio_scsi_pop_req(s, vq, NULL))) {
-            ret = virtio_scsi_handle_cmd_req_prepare(s, req);
+        while ((req = virtio_scsi_pop_req(s, vq, cdb_size, NULL))) {
+            ret = virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size);
             if (!ret) {
                 QTAILQ_INSERT_TAIL(&reqs, req, next);
             } else if (ret == -EINVAL) {
@@ -989,7 +993,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev,
     }
 
     vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);
-    vs->cdb_size = virtio_ldl_p(vdev, &scsiconf->cdb_size);
+    qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size));
 }
 
 static uint64_t virtio_scsi_get_features(VirtIODevice *vdev,
@@ -1050,7 +1054,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s,
         return;
     }
 
-    req = virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock);
+    req = virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock);
     WITH_QEMU_LOCK_GUARD(&s->event_lock) {
         if (!req) {
             s->events_dropped = true;
-- 
2.53.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
  2026-04-09 10:33 ` [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare Paolo Bonzini
@ 2026-04-09 10:49   ` Daniel P. Berrangé
  2026-04-09 10:53     ` Paolo Bonzini
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel P. Berrangé @ 2026-04-09 10:49 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel, Jihe Wang, Stefan Hajnoczi

On Thu, Apr 09, 2026 at 12:33:09PM +0200, Paolo Bonzini wrote:
> Ensure that there is no allocation/usage mismatch when requests
> are processed in virtio_scsi_handle_cmd_vq.  To do this,
> retrieve the value once and pass it to both functions.
> 
> For other calls to virtio_scsi_pop_req the extra size
> can be 0, because control and event requests fit
> entirely in VirtIOSCSIReq.
> 
> Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
> Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
>  1 file changed, 15 insertions(+), 11 deletions(-)

This issue is tagged CVE-2026-5763   - if possible can we get that
in the commit message before merging.

> 
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 774968d8c70..6c737680119 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -227,16 +227,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req,
>      return 0;
>  }
>  
> -static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, QemuMutex *vq_lock)
> +static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, size_t extra_req_size,
> +                                          QemuMutex *vq_lock)
>  {
> -    VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
>      VirtIOSCSIReq *req;
>  
>      if (vq_lock) {
>          qemu_mutex_lock(vq_lock);
>      }
>  
> -    req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size);
> +    req = virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size);
>  
>      if (vq_lock) {
>          qemu_mutex_unlock(vq_lock);
> @@ -682,7 +682,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
>  {
>      VirtIOSCSIReq *req;
>  
> -    while ((req = virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) {
> +    while ((req = virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) {
>          virtio_scsi_handle_ctrl_req(s, req);
>      }
>  }
> @@ -850,13 +850,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *req)
>      virtio_scsi_complete_cmd_req(req);
>  }
>  
> -static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
> +static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req,
> +                                              size_t cdb_size)
>  {
>      VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
>      SCSIDevice *d;
>      int rc;
>  
> -    rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_size,
> +    rc = virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size,
>                                 sizeof(VirtIOSCSICmdResp) + vs->sense_size);
>      if (rc < 0) {
>          if (rc == -ENOTSUP) {
> @@ -878,7 +879,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
>      }
>      req->sreq = scsi_req_new(d, req->req.cmd.tag,
>                               virtio_scsi_get_lun(req->req.cmd.lun),
> -                             req->req.cmd.cdb, vs->cdb_size, req);
> +                             req->req.cmd.cdb, cdb_size, req);
>  
>      if (req->sreq->cmd.mode != SCSI_XFER_NONE
>          && (req->sreq->cmd.mode != req->mode ||
> @@ -913,12 +914,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
>      QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
>  
>      do {
> +        VirtIOSCSICommon *vs = (VirtIOSCSICommon *)s;
> +        size_t cdb_size = qatomic_read(&vs->cdb_size);
> +
>          if (suppress_notifications) {
>              virtio_queue_set_notification(vq, 0);
>          }
>  
> -        while ((req = virtio_scsi_pop_req(s, vq, NULL))) {
> -            ret = virtio_scsi_handle_cmd_req_prepare(s, req);
> +        while ((req = virtio_scsi_pop_req(s, vq, cdb_size, NULL))) {
> +            ret = virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size);
>              if (!ret) {
>                  QTAILQ_INSERT_TAIL(&reqs, req, next);
>              } else if (ret == -EINVAL) {
> @@ -989,7 +993,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev,
>      }
>  
>      vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);
> -    vs->cdb_size = virtio_ldl_p(vdev, &scsiconf->cdb_size);
> +    qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size));
>  }
>  
>  static uint64_t virtio_scsi_get_features(VirtIODevice *vdev,
> @@ -1050,7 +1054,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s,
>          return;
>      }
>  
> -    req = virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock);
> +    req = virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock);
>      WITH_QEMU_LOCK_GUARD(&s->event_lock) {
>          if (!req) {
>              s->events_dropped = true;
> -- 
> 2.53.0
> 
> 

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
  2026-04-09 10:49   ` Daniel P. Berrangé
@ 2026-04-09 10:53     ` Paolo Bonzini
  0 siblings, 0 replies; 5+ messages in thread
From: Paolo Bonzini @ 2026-04-09 10:53 UTC (permalink / raw)
  To: Daniel P. Berrangé; +Cc: qemu-devel, Jihe Wang, Stefan Hajnoczi

On Thu, Apr 9, 2026 at 12:49 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Thu, Apr 09, 2026 at 12:33:09PM +0200, Paolo Bonzini wrote:
> > Ensure that there is no allocation/usage mismatch when requests
> > are processed in virtio_scsi_handle_cmd_vq.  To do this,
> > retrieve the value once and pass it to both functions.
> >
> > For other calls to virtio_scsi_pop_req the extra size
> > can be 0, because control and event requests fit
> > entirely in VirtIOSCSIReq.
> >
> > Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
> > Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
> > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> >  hw/scsi/virtio-scsi.c | 26 +++++++++++++++-----------
> >  1 file changed, 15 insertions(+), 11 deletions(-)
>
> This issue is tagged CVE-2026-5763   - if possible can we get that
> in the commit message before merging.

Done, new commit hash is 79971302935472232a68073faddb085177e3ca54.

Paolo



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3
  2026-04-09 10:33 [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Paolo Bonzini
  2026-04-09 10:33 ` [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare Paolo Bonzini
@ 2026-04-09 14:12 ` Peter Maydell
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2026-04-09 14:12 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: qemu-devel

On Thu, 9 Apr 2026 at 11:34, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> The following changes since commit b6a7d06213e5d2f7d124d16418bc289c4a8a4b82:
>
>   Update version for v11.0.0-rc2 release (2026-04-01 20:48:02 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 6c0f11de6118a870e6dd5e1928586885e4363ae7:
>
>   virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare (2026-04-09 12:29:49 +0200)
>
> ----------------------------------------------------------------
> * virtio-scsi: fix cdb_size issue
>
> ----------------------------------------------------------------
> Paolo Bonzini (1):
>       virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare



Applied, thanks (the 7997130293 version with the CVE tag in the commit message).

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.

-- PMM


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-04-09 14:13 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-09 10:33 [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Paolo Bonzini
2026-04-09 10:33 ` [PULL 1/1] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare Paolo Bonzini
2026-04-09 10:49   ` Daniel P. Berrangé
2026-04-09 10:53     ` Paolo Bonzini
2026-04-09 14:12 ` [PULL 0/1] virtio-scsi patch for QEMU 1.10-rc3 Peter Maydell

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.