[{"id":3675644,"web_url":"http://patchwork.ozlabs.org/comment/3675644/","msgid":"<878d1716-230f-4bcf-9806-1076c19246b7@kernel.org>","list_archive_url":null,"date":"2026-04-10T03:58:53","subject":"Re: [PATCH for-11.0] virtio-blk: fix zone report buffer out-of-memory\n (CVE-2026-5761)","submitter":{"id":86188,"url":"http://patchwork.ozlabs.org/api/people/86188/","name":"Damien Le Moal","email":"dlemoal@kernel.org"},"content":"On 2026/04/09 22:07, Stefan Hajnoczi wrote:\n> An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT\n> requests. The buffer's size is controlled by the guest. A large value\n> can result in g_malloc() failure and the QEMU process aborts, resulting\n> in a Denial of Service (DoS) (most likely in cases where an untrusted\n> guest application or a nested guest with virtio-blk passthrough is able\n> to abort QEMU).\n> \n> Modify the zone report implementation to work incrementally with a\n> bounded buffer size.\n> \n> This is purely a QEMU implementation issue and no VIRTIO spec changes\n> are needed.\n> \n> Mingyuan Luo found this bug and provided a reproducer which I haven't\n> put into tests/qtest/ because it requires a zoned storage device (e.g.\n> root and modprobe null_blk):\n> \n> 1) Prepare a zoned nullblk backend (/dev/nullb0):\n> \n> sudo modprobe -r null_blk || true\n> sudo modprobe null_blk nr_devices=1 zoned=1\n> sudo chmod 0666 /dev/nullb0\n> cat /sys/block/nullb0/queue/zoned\n> \n> 2) Create qtest input:\n> \n> cat >/tmp/vblk-zone-report-oom.qtest <<'EOF'\n> outl 0xcf8 0x80002004\n> outw 0xcfc 0x0007\n> outl 0xcf8 0x80002010\n> outl 0xcfc 0x0000c001\n> outb 0xc012 0x00\n> outb 0xc012 0x01\n> outb 0xc012 0x03\n> outl 0xc004 0x00000000\n> outw 0xc00e 0x0000\n> outl 0xc008 0x00000100\n> outb 0xc012 0x07\n> writel 0x00020000 0x00000010\n> writel 0x00020004 0x00000000\n> writeq 0x00020008 0x0000000000000000\n> writeq 0x00100000 0x0000000000020000\n> writel 0x00100008 0x00000010\n> writew 0x0010000c 0x0001\n> writew 0x0010000e 0x0001\n> EOF\n> \n> for i in $(seq 1 1022); do\n> d=$((0x00100000 + i * 16))\n> n=$((i + 1))\n> printf 'writeq 0x%08x 0x0000000000200000\\n' \"$d\" >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writel 0x%08x 0x1fe00000\\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writew 0x%08x 0x0003\\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writew 0x%08x 0x%04x\\n' $((d + 14)) \"$n\" >> /tmp/vblk-zone-report-oom.qtest\n> done\n> \n> d=$((0x00100000 + 1023 * 16))\n> printf 'writeq 0x%08x 0x0000000000200000\\n' \"$d\" >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writel 0x%08x 0x1fe00000\\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writew 0x%08x 0x0002\\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest\n> printf 'writew 0x%08x 0x0000\\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qtest\n> cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF'\n> writew 0x00104000 0x0000\n> writew 0x00104002 0x0001\n> writew 0x00104004 0x0000\n> outw 0xc010 0x0000\n> EOF\n> \n> 3) Run the qtest input with ASAN build (compile qemu with --enable-asan):\n> \n> build/qemu-system-x86_64 -display none \\\n> -accel qtest -qtest stdio \\\n> -machine pc -nodefaults -m 512M -monitor none -serial none \\\n> -blockdev driver=host_device,node-name=disk0,filename=/dev/nullb0 \\\n> -device virtio-blk-pci-transitional,drive=disk0,addr=04.0,queue-size=1024 \\\n> < /tmp/vblk-zone-report-oom.qtest\n> \n> Cc: Sam Li \n> Cc: Damien Le Moal \n> Cc: Dmitry Fomichev \n> Fixes: CVE-2026-5761\n> Fixes: 4f7366506a9 (\"virtio-blk: add zoned storage emulation for zoned devices\")\n> Reported-by: Mingyuan Luo \n> Signed-off-by: Stefan Hajnoczi \n\nOverall, looks OK to me, modulo one nit below.\n\nWith that fixed, feel free to add:\n\nReviewed-by: Damien Le Moal \n\n[...]\n\n> @@ -529,28 +538,18 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)\n> goto out;\n> }\n> \n> - zrp_size = sizeof(struct virtio_blk_zone_report)\n> - + sizeof(struct virtio_blk_zone_descriptor) * nz;\n> - n = iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr));\n> - if (n != sizeof(zrp_hdr)) {\n> - virtio_error(vdev, \"Driver provided input buffer that is too small!\");\n> - err_status = VIRTIO_BLK_S_ZONE_INVALID_CMD;\n> - goto out;\n> - }\n> -\n> - for (size_t i = sizeof(zrp_hdr); i < zrp_size;\n> - i += sizeof(struct virtio_blk_zone_descriptor), ++j) {\n> + for (size_t j = 0; j < nz; j++) {\n\nnz is an int64_t, so signed, but j is an unsigned size_t. This can generate\ncompiler/code checker warnings.","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=jK0rLa7m;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fsNNy2gQvz1y2d\n\tfor ; Fri, 10 Apr 2026 14:00:00 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wB31O-0000EX-3g; Thu, 09 Apr 2026 23:59:06 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wB31M-0000DV-85; Thu, 09 Apr 2026 23:59:04 -0400","from tor.source.kernel.org ([2600:3c04:e001:324:0:1991:8:25])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wB31K-0000SL-Cj; Thu, 09 Apr 2026 23:59:03 -0400","from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])\n by tor.source.kernel.org (Postfix) with ESMTP id C36A160103;\n Fri, 10 Apr 2026 03:58:57 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 5C2C6C19421;\n Fri, 10 Apr 2026 03:58:55 +0000 (UTC)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n s=k20201202; t=1775793537;\n bh=P216gWB7EJf35akZ9fpqTwc5cSqB13u0DyttGQ/3VgI=;\n h=Date:Subject:To:Cc:References:From:In-Reply-To:From;\n b=jK0rLa7midV14F0zbB9r1ltXwDCloV208k6XvGiGx3sHlRcSvmJb0bWfS6XjIcWVN\n fRYELEV7t1FNeaVjTCmghS18tDSnD2XKRgKoX7yydD9ByptP+atPr8hFG+2LkdfHUO\n BJkuSxYEgzQMCc8+4CnvA0T3iNtE1eJBSrKhFXh+KEdlzrPFUjlZVxS9swIilb1zca\n 3U6epxmUKSLTpdS00pcg6HZpEkGDdCf73U4P1EMPCJRjsFAxjiXb2W2sLxJkMSUoPT\n b0oouAUfOfjajkaapfvwdAzjfy0kroBTHSqka/UUfu7h00bs4oO4YeDkHkraYiwZny\n Fa26Zelxq7MyQ==","Message-ID":"<878d1716-230f-4bcf-9806-1076c19246b7@kernel.org>","Date":"Fri, 10 Apr 2026 05:58:53 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH for-11.0] virtio-blk: fix zone report buffer out-of-memory\n (CVE-2026-5761)","To":"Stefan Hajnoczi , qemu-devel@nongnu.org","Cc":"Hanna Reitz , qemu-stable@nongnu.org,\n qemu-block@nongnu.org, Kevin Wolf ,\n Peter Maydell , \"Michael S. Tsirkin\"\n , Sam Li ,\n Dmitry Fomichev ,\n Mingyuan Luo ","References":"<20260409200749.458162-1-stefanha@redhat.com>","Content-Language":"en-US","From":"Damien Le Moal ","Organization":"Western Digital Research","In-Reply-To":"<20260409200749.458162-1-stefanha@redhat.com>","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"7bit","Received-SPF":"pass client-ip=2600:3c04:e001:324:0:1991:8:25;\n envelope-from=dlemoal@kernel.org; helo=tor.source.kernel.org","X-Spam_score_int":"-25","X-Spam_score":"-2.6","X-Spam_bar":"--","X-Spam_report":"(-2.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}},{"id":3675856,"web_url":"http://patchwork.ozlabs.org/comment/3675856/","msgid":"<20260410120153.GA481491@fedora>","list_archive_url":null,"date":"2026-04-10T12:01:53","subject":"Re: [PATCH for-11.0] virtio-blk: fix zone report buffer\n out-of-memory (CVE-2026-5761)","submitter":{"id":17227,"url":"http://patchwork.ozlabs.org/api/people/17227/","name":"Stefan Hajnoczi","email":"stefanha@redhat.com"},"content":"On Fri, Apr 10, 2026 at 05:58:53AM +0200, Damien Le Moal wrote:\n> On 2026/04/09 22:07, Stefan Hajnoczi wrote:\n> > An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT\n> > requests. The buffer's size is controlled by the guest. A large value\n> > can result in g_malloc() failure and the QEMU process aborts, resulting\n> > in a Denial of Service (DoS) (most likely in cases where an untrusted\n> > guest application or a nested guest with virtio-blk passthrough is able\n> > to abort QEMU).\n> > \n> > Modify the zone report implementation to work incrementally with a\n> > bounded buffer size.\n> > \n> > This is purely a QEMU implementation issue and no VIRTIO spec changes\n> > are needed.\n> > \n> > Mingyuan Luo found this bug and provided a reproducer which I haven't\n> > put into tests/qtest/ because it requires a zoned storage device (e.g.\n> > root and modprobe null_blk):\n> > \n> > 1) Prepare a zoned nullblk backend (/dev/nullb0):\n> > \n> > sudo modprobe -r null_blk || true\n> > sudo modprobe null_blk nr_devices=1 zoned=1\n> > sudo chmod 0666 /dev/nullb0\n> > cat /sys/block/nullb0/queue/zoned\n> > \n> > 2) Create qtest input:\n> > \n> > cat >/tmp/vblk-zone-report-oom.qtest <<'EOF'\n> > outl 0xcf8 0x80002004\n> > outw 0xcfc 0x0007\n> > outl 0xcf8 0x80002010\n> > outl 0xcfc 0x0000c001\n> > outb 0xc012 0x00\n> > outb 0xc012 0x01\n> > outb 0xc012 0x03\n> > outl 0xc004 0x00000000\n> > outw 0xc00e 0x0000\n> > outl 0xc008 0x00000100\n> > outb 0xc012 0x07\n> > writel 0x00020000 0x00000010\n> > writel 0x00020004 0x00000000\n> > writeq 0x00020008 0x0000000000000000\n> > writeq 0x00100000 0x0000000000020000\n> > writel 0x00100008 0x00000010\n> > writew 0x0010000c 0x0001\n> > writew 0x0010000e 0x0001\n> > EOF\n> > \n> > for i in $(seq 1 1022); do\n> > d=$((0x00100000 + i * 16))\n> > n=$((i + 1))\n> > printf 'writeq 0x%08x 0x0000000000200000\\n' \"$d\" >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writel 0x%08x 0x1fe00000\\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writew 0x%08x 0x0003\\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writew 0x%08x 0x%04x\\n' $((d + 14)) \"$n\" >> /tmp/vblk-zone-report-oom.qtest\n> > done\n> > \n> > d=$((0x00100000 + 1023 * 16))\n> > printf 'writeq 0x%08x 0x0000000000200000\\n' \"$d\" >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writel 0x%08x 0x1fe00000\\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writew 0x%08x 0x0002\\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest\n> > printf 'writew 0x%08x 0x0000\\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qtest\n> > cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF'\n> > writew 0x00104000 0x0000\n> > writew 0x00104002 0x0001\n> > writew 0x00104004 0x0000\n> > outw 0xc010 0x0000\n> > EOF\n> > \n> > 3) Run the qtest input with ASAN build (compile qemu with --enable-asan):\n> > \n> > build/qemu-system-x86_64 -display none \\\n> > -accel qtest -qtest stdio \\\n> > -machine pc -nodefaults -m 512M -monitor none -serial none \\\n> > -blockdev driver=host_device,node-name=disk0,filename=/dev/nullb0 \\\n> > -device virtio-blk-pci-transitional,drive=disk0,addr=04.0,queue-size=1024 \\\n> > < /tmp/vblk-zone-report-oom.qtest\n> > \n> > Cc: Sam Li \n> > Cc: Damien Le Moal \n> > Cc: Dmitry Fomichev \n> > Fixes: CVE-2026-5761\n> > Fixes: 4f7366506a9 (\"virtio-blk: add zoned storage emulation for zoned devices\")\n> > Reported-by: Mingyuan Luo \n> > Signed-off-by: Stefan Hajnoczi \n> \n> Overall, looks OK to me, modulo one nit below.\n> \n> With that fixed, feel free to add:\n> \n> Reviewed-by: Damien Le Moal \n> \n> [...]\n> \n> > @@ -529,28 +538,18 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)\n> > goto out;\n> > }\n> > \n> > - zrp_size = sizeof(struct virtio_blk_zone_report)\n> > - + sizeof(struct virtio_blk_zone_descriptor) * nz;\n> > - n = iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr));\n> > - if (n != sizeof(zrp_hdr)) {\n> > - virtio_error(vdev, \"Driver provided input buffer that is too small!\");\n> > - err_status = VIRTIO_BLK_S_ZONE_INVALID_CMD;\n> > - goto out;\n> > - }\n> > -\n> > - for (size_t i = sizeof(zrp_hdr); i < zrp_size;\n> > - i += sizeof(struct virtio_blk_zone_descriptor), ++j) {\n> > + for (size_t j = 0; j < nz; j++) {\n> \n> nz is an int64_t, so signed, but j is an unsigned size_t. This can generate\n> compiler/code checker warnings.\n\nHi Damien,\nThanks for the review! blk_aio_report_zones() takes an unsigned int\n*nr_zones in/out argument and that's also the type of the\nZoneReportData->nr_zones field that nz is initialized from. So I ended\nup changing both nz and j's types to unsigned since that is ultimately\nthe type that blk_aio_report_zones() uses. The int64_t range wasn't\nactually being used and size_t wasn't necessary since the value is\ncapped by nz.\n\nI will send a v2 with the following change on top:\n\ndiff --git i/hw/block/virtio-blk.c w/hw/block/virtio-blk.c\nindex 7fd883320a..9cb9f1fb2b 100644\n--- i/hw/block/virtio-blk.c\n+++ w/hw/block/virtio-blk.c\n@@ -528,7 +528,7 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)\n struct iovec *in_iov = data->in_iov;\n unsigned in_num = data->in_num;\n int64_t n;\n- int64_t nz = zrd->nr_zones;\n+ unsigned nz = zrd->nr_zones;\n int8_t err_status = VIRTIO_BLK_S_OK;\n struct virtio_blk_zone_report zrp_hdr = {};\n\n@@ -538,7 +538,7 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)\n goto out;\n }\n\n- for (size_t j = 0; j < nz; j++) {\n+ for (unsigned j = 0; j < nz; j++) {\n struct virtio_blk_zone_descriptor desc =\n (struct virtio_blk_zone_descriptor) {\n .z_start = cpu_to_le64(zrd->zones[j].start","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=b3TtpUs4;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fsb5x690yz1yGS\n\tfor ; Fri, 10 Apr 2026 22:02:44 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wBAYt-0005Pi-Qz; Fri, 10 Apr 2026 08:02:11 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wBAYr-0005JP-MW\n for qemu-devel@nongnu.org; Fri, 10 Apr 2026 08:02:09 -0400","from us-smtp-delivery-124.mimecast.com ([170.10.129.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wBAYo-0005AZ-Nn\n for qemu-devel@nongnu.org; Fri, 10 Apr 2026 08:02:09 -0400","from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-671-UOhkKfTyMUWEeLf5ESUjmQ-1; Fri,\n 10 Apr 2026 08:02:00 -0400","from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id A96F118011FF; Fri, 10 Apr 2026 12:01:57 +0000 (UTC)","from localhost (unknown [10.44.33.180])\n by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 06DFA1955E91; Fri, 10 Apr 2026 12:01:55 +0000 (UTC)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1775822525;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n in-reply-to:in-reply-to:references:references;\n bh=YcwUlNTLg8meN835NcvInFasrq51Nb4EJ+AHGuTr3XE=;\n b=b3TtpUs4GawvaFzuXb76Ducz4iOt2UnyZl4kOl1n9qj5mGFn6Rhpy6K2DGEjWrOd0VHaqH\n mFt4kWnGrJkAAp9d5vbLtq9mrY6LvRw/xWk6RjZVYPVpQxQob1EfR3xMAwVGYJbNtxhswR\n Mo9YcL95PYahVpAi9bTYeqk9RE4yyao=","X-MC-Unique":"UOhkKfTyMUWEeLf5ESUjmQ-1","X-Mimecast-MFC-AGG-ID":"UOhkKfTyMUWEeLf5ESUjmQ_1775822518","Date":"Fri, 10 Apr 2026 08:01:53 -0400","From":"Stefan Hajnoczi ","To":"Damien Le Moal ","Cc":"qemu-devel@nongnu.org, Hanna Reitz ,\n qemu-stable@nongnu.org, qemu-block@nongnu.org,\n Kevin Wolf , Peter Maydell ,\n \"Michael S. Tsirkin\" , Sam Li ,\n Dmitry Fomichev ,\n Mingyuan Luo ","Subject":"Re: [PATCH for-11.0] virtio-blk: fix zone report buffer\n out-of-memory (CVE-2026-5761)","Message-ID":"<20260410120153.GA481491@fedora>","References":"<20260409200749.458162-1-stefanha@redhat.com>\n <878d1716-230f-4bcf-9806-1076c19246b7@kernel.org>","MIME-Version":"1.0","Content-Type":"multipart/signed; micalg=pgp-sha512;\n protocol=\"application/pgp-signature\"; boundary=\"JulgWeMwUqY2q9Ty\"","Content-Disposition":"inline","In-Reply-To":"<878d1716-230f-4bcf-9806-1076c19246b7@kernel.org>","X-Scanned-By":"MIMEDefang 3.0 on 10.30.177.12","Received-SPF":"pass client-ip=170.10.129.124;\n envelope-from=stefanha@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com","X-Spam_score_int":"-25","X-Spam_score":"-2.6","X-Spam_bar":"--","X-Spam_report":"(-2.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]