[PULL 0/2] hw/nvme fixes

[PULL 0/2] hw/nvme fixes

[Klaus Jensen]

From: Klaus Jensen <k.jensen@samsung.com>

Hi,

The following changes since commit a11f65ec1b8adcb012b89c92819cbda4dc25aaf1:

  Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2022-11-01 13:49:33 -0400)

are available in the Git repository at:

  git://git.infradead.org/qemu-nvme.git tags/nvme-fixes-pull-request

for you to fetch changes up to 632cb6cf07122b330d8ef419ec2f4aab561a9fba:

  hw/nvme: Abort copy command when format is one while pif (2022-11-02 09:23:05 +0100)

----------------------------------------------------------------
hw/nvme fixes

Two small fixes.

----------------------------------------------------------------

Francis Pravin Antony Michael Raj (1):
  hw/nvme: Abort copy command when format is one while pif

Klaus Jensen (1):
  hw/nvme: reenable cqe batching

 hw/nvme/ctrl.c | 29 +++++++++++++----------------
 hw/nvme/nvme.h |  4 ++--
 2 files changed, 15 insertions(+), 18 deletions(-)

-- 
2.38.1

Re: [PULL 0/2] hw/nvme fixes

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/7.2 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/2] hw/nvme fixes

[Klaus Jensen]

From: Klaus Jensen <k.jensen@samsung.com>

Hi Peter,

The following changes since commit e3debd5e7d0ce031356024878a0a18b9d109354a:

  Merge tag 'pull-request-2023-03-24' of https://gitlab.com/thuth/qemu into staging (2023-03-24 16:08:46 +0000)

are available in the Git repository at:

  https://gitlab.com/birkelund/qemu.git tags/nvme-next-pull-request

for you to fetch changes up to ca2a091802872b265bc6007a2d36276d51d8e4b3:

  hw/nvme: fix missing DNR on compare failure (2023-03-27 19:05:23 +0200)

----------------------------------------------------------------
hw/nvme fixes

----------------------------------------------------------------

Klaus Jensen (1):
  hw/nvme: fix missing DNR on compare failure

Mateusz Kozlowski (1):
  hw/nvme: Change alignment in dma functions for nvme_blk_*

 hw/nvme/ctrl.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

-- 
2.39.2

Re: [PULL 0/2] hw/nvme fixes

[Peter Maydell]

On Mon, 27 Mar 2023 at 18:09, Klaus Jensen <its@irrelevant.dk> wrote:
>
> From: Klaus Jensen <k.jensen@samsung.com>
>
> Hi Peter,
>
> The following changes since commit e3debd5e7d0ce031356024878a0a18b9d109354a:
>
>   Merge tag 'pull-request-2023-03-24' of https://gitlab.com/thuth/qemu into staging (2023-03-24 16:08:46 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/birkelund/qemu.git tags/nvme-next-pull-request
>
> for you to fetch changes up to ca2a091802872b265bc6007a2d36276d51d8e4b3:
>
>   hw/nvme: fix missing DNR on compare failure (2023-03-27 19:05:23 +0200)
>
> ----------------------------------------------------------------
> hw/nvme fixes
>
> ----------------------------------------------------------------
>
> Klaus Jensen (1):
>   hw/nvme: fix missing DNR on compare failure
>
> Mateusz Kozlowski (1):
>   hw/nvme: Change alignment in dma functions for nvme_blk_*
>
>  hw/nvme/ctrl.c | 26 +++++++++++++-------------
>  1 file changed, 13 insertions(+), 13 deletions(-)


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM

[PULL 0/2] hw/nvme fixes

[Klaus Jensen]

From: Klaus Jensen <k.jensen@samsung.com>

Hi,

The following changes since commit 9400601a689a128c25fa9c21e932562e0eeb7a26:

  Merge tag 'pull-tcg-20230806-3' of https://gitlab.com/rth7680/qemu into staging (2023-08-06 16:47:48 -0700)

are available in the Git repository at:

  https://gitlab.com/birkelund/qemu.git tags/nvme-next-pull-request

for you to fetch changes up to 6a33f2e920ec0b489a77200888e3692664077f2d:

  hw/nvme: fix compliance issue wrt. iosqes/iocqes (2023-08-07 12:27:24 +0200)

----------------------------------------------------------------
hw/nvme fixes

- two fixes for hw/nvme
-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEEUigzqnXi3OaiR2bATeGvMW1PDekFAmTQ2y4ACgkQTeGvMW1P
DenpWQf/WFgEljzgTcgxlfZhCyzWGwVNgKqRxlTuF6ELqm8BajCuCeA5ias6AXOr
x/gZ0VqrL91L5tRIH5Q0sdC+HBFC1yMs66jopdzc1oL1eYu1HTrLIqMDtkXp/K/P
PyGah2t4qEMtacSkad+hmB68ViUkkmhkxrWYIeufUQTfLNF5pBqNvB1kQON3jmXE
a1jI/PabYxi8Km0rfFJD6SUGmL9+m7MY/SyZAy+4EZZ1OEnp5jb3o9lbdwbhIU5e
dRX4NW4BEDiOJeIcNVDiQkXv2/Lna1B51RVMvM4owpk0eRvRXMSqs2DQ5/jp/nGb
8uChUJ0QW68I4e9ptTfxmBsr4pSktg==
=0nwp
-----END PGP SIGNATURE-----

----------------------------------------------------------------

Klaus Jensen (2):
  hw/nvme: fix oob memory read in fdp events log
  hw/nvme: fix compliance issue wrt. iosqes/iocqes

 hw/nvme/ctrl.c       | 51 +++++++++++++++-----------------------------
 hw/nvme/nvme.h       |  9 ++++++--
 hw/nvme/trace-events |  1 +
 3 files changed, 25 insertions(+), 36 deletions(-)

-- 
2.41.0

Re: [PULL 0/2] hw/nvme fixes

[Richard Henderson]

On 8/7/23 04:54, Klaus Jensen wrote:
> From: Klaus Jensen<k.jensen@samsung.com>
> 
> Hi,
> 
> The following changes since commit 9400601a689a128c25fa9c21e932562e0eeb7a26:
> 
>    Merge tag 'pull-tcg-20230806-3' ofhttps://gitlab.com/rth7680/qemu  into staging (2023-08-06 16:47:48 -0700)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/birkelund/qemu.git  tags/nvme-next-pull-request
> 
> for you to fetch changes up to 6a33f2e920ec0b489a77200888e3692664077f2d:
> 
>    hw/nvme: fix compliance issue wrt. iosqes/iocqes (2023-08-07 12:27:24 +0200)
> 
> ----------------------------------------------------------------
> hw/nvme fixes

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/8.1 as appropriate.


r~

[PULL 0/2] hw/nvme fixes

[Klaus Jensen]

From: Klaus Jensen <k.jensen@samsung.com>

Hi,

The following changes since commit 007b29752ed06e467d3c830bc2c17a8851f8bcd3:

  Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging (2026-03-25 09:16:13 +0000)

are available in the Git repository at:

  https://gitlab.com/birkelund/qemu.git tags/pull-nvme-20260326

for you to fetch changes up to eb5cc99aff17cbfdad16b18d3503c6f22233eeb5:

  hw/nvme: fix heap-buffer-overflow in nvme_abort (2026-03-26 09:14:35 +0100)

----------------------------------------------------------------
nvme queue

----------------------------------------------------------------
Kaixuan Li (1):
      hw/nvme: fix heap-buffer-overflow in nvme_abort

Pankaj Raghav (1):
      hw/nvme: re-enable wzds bit in namespace dlfeat

 hw/nvme/ctrl.c | 4 +++-
 hw/nvme/ns.c   | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

[PULL 1/2] hw/nvme: re-enable wzds bit in namespace dlfeat

[Klaus Jensen]

From: Pankaj Raghav <p.raghav@samsung.com>

dlfeat was changed from 0x9 to 0x1 when PI support was added.
It was removed because we can't rely on unmap and have to physically
clear it to get the checksums right but that doesnt mean that we do not
support the bit.

The spec says that if wzds is enabled, then the controller supports
deallocate (DEAC) on write zeroes. But DEAC bit in write zeroes command
is only a hint, the controller might choose to physically write zeroes in
those areas.

As we are sending write zeroes command with BDRV_REQ_MAY_UNMAP to the
underlying block device anyway (if the unmap operation is supported),
change the dlfeat value back to 0x9.

A new flag FALLOC_FL_WRITE_ZEROES has been introduced in linux for
fallocate which will use the wzds bit in dlfeat to quickly zeroout extents
using unmap operation whenever possible[1].

[1] https://lore.kernel.org/linux-fsdevel/20250619111806.3546162-1-yi.zhang@huaweicloud.com/

Fixes: 146f720c55 ("hw/block/nvme: end-to-end data protection")
Suggested-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
 hw/nvme/ns.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c
index 38f86a17268f..b0106eaa5c8f 100644
--- a/hw/nvme/ns.c
+++ b/hw/nvme/ns.c
@@ -75,7 +75,7 @@ static int nvme_ns_init(NvmeNamespace *ns, Error **errp)
     ns->csi = NVME_CSI_NVM;
     ns->status = 0x0;
 
-    ns->id_ns.dlfeat = 0x1;
+    ns->id_ns.dlfeat = 0x9;
 
     /* support DULBE and I/O optimization fields */
     id_ns->nsfeat |= (NVME_ID_NS_NSFEAT_DAE | NVME_ID_NS_NSFEAT_OPTPERF_ALL);
-- 
2.53.0

[PULL 2/2] hw/nvme: fix heap-buffer-overflow in nvme_abort

[Klaus Jensen]

From: Kaixuan Li <kaixuanli@ntu.edu.sg>

In nvme_abort(), the submission queue pointer is dereferenced from the
guest-controlled sqid before validating it with nvme_check_sqid():

    NvmeSQueue *sq = n->sq[sqid];

Since sqid is a 16-bit value (range 0-65535) taken directly from CDW10,
and n->sq[] is typically only max_ioqpairs+1 (65) entries, a malicious
guest can trigger an out-of-bounds heap read by sending an Abort command
with a large sqid.

ASan reports this as heap-buffer-overflow in nvme_abort.

Fix this by moving the array dereference to after the nvme_check_sqid()
bounds validation.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3348
Fixes: 75209c071a ("hw/nvme: actually implement abort")
Cc: qemu-stable@nongnu.org
Signed-off-by: Kaixuan Li <kaixuanli@ntu.edu.sg>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
 hw/nvme/ctrl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index cc4593cd427a..be6c7028cb58 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -6111,7 +6111,7 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *req)
 {
     uint16_t sqid = le32_to_cpu(req->cmd.cdw10) & 0xffff;
     uint16_t cid  = (le32_to_cpu(req->cmd.cdw10) >> 16) & 0xffff;
-    NvmeSQueue *sq = n->sq[sqid];
+    NvmeSQueue *sq;
     NvmeRequest *r, *next;
     int i;
 
@@ -6120,6 +6120,8 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *req)
         return NVME_INVALID_FIELD | NVME_DNR;
     }
 
+    sq = n->sq[sqid];
+
     if (sqid == 0) {
         for (i = 0; i < n->outstanding_aers; i++) {
             NvmeRequest *re = n->aer_reqs[i];
-- 
2.53.0

Re: [PULL 0/2] hw/nvme fixes

[Peter Maydell]

On Thu, 26 Mar 2026 at 08:24, Klaus Jensen <its@irrelevant.dk> wrote:
>
> From: Klaus Jensen <k.jensen@samsung.com>
>
> Hi,
>
> The following changes since commit 007b29752ed06e467d3c830bc2c17a8851f8bcd3:
>
>   Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging (2026-03-25 09:16:13 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/birkelund/qemu.git tags/pull-nvme-20260326
>
> for you to fetch changes up to eb5cc99aff17cbfdad16b18d3503c6f22233eeb5:
>
>   hw/nvme: fix heap-buffer-overflow in nvme_abort (2026-03-26 09:14:35 +0100)
>
> ----------------------------------------------------------------
> nvme queue
>
> ----------------------------------------------------------------



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.

-- PMM