Page MenuHomeFreeBSD
Differential D53470

bhyve/virtio-scsi: check LUN address validity
Needs ReviewPublic
Actions

Authored by rosenfeld_grumpf.hope-2000.org on Oct 30 2025, 7:38 AM.
Tags
None
Referenced Files
F139100417: D53470.id165404.diff
Sun, Dec 7, 7:42 PM
F139066906: D53470.id165401.diff
Sun, Dec 7, 7:57 AM
Unknown Object (File)
Fri, Dec 5, 3:10 AM
Unknown Object (File)
Tue, Dec 2, 2:26 PM
Unknown Object (File)
Sun, Nov 30, 10:09 PM
Unknown Object (File)
Fri, Nov 28, 10:25 AM
Unknown Object (File)
Thu, Nov 27, 11:48 AM
Unknown Object (File)
Tue, Nov 25, 12:05 AM
View All 33 Files
Subscribers
bcran
crest_freebsd_rlwinm.de
imp
rgrimes

Details

Reviewers
jhb
corvink
markj
Group Reviewers
bhyve
Summary

Instead of blindly trusting the guest OS driver that it sends us well-
formed LUN addresses, check the LUN address for validity and fail the
request if it is invalid. While here, constify the members of the virtio
requests which aren't device-writable anyway.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 69048
Build 65931: arc lint + arc unit

Event Timeline

rosenfeld_grumpf.hope-2000.org created this revision.Oct 30 2025, 7:38 AM
Herald added a reviewer: bhyve. · View Herald TranscriptOct 30 2025, 7:38 AM
rosenfeld_grumpf.hope-2000.org requested review of this revision.Oct 30 2025, 7:38 AM
Harbormaster completed remote builds in B68265: Diff 165401.Oct 30 2025, 7:38 AM
rosenfeld_grumpf.hope-2000.org added a parent revision: D53469: bhyve/virtio-scsi: preallocate all I/O requests.Oct 30 2025, 7:38 AM
rosenfeld_grumpf.hope-2000.org updated this revision to Diff 165404.Oct 30 2025, 7:52 AM

Rebase, revert unintentional white space change.

Harbormaster completed remote builds in B68268: Diff 165404.Oct 30 2025, 7:52 AM
corvink added inline comments.Nov 3 2025, 8:21 AM
usr.sbin/bhyve/pci_virtio_scsi.c
412
434–436

Should we really just assert here? It's a guest give value isn't it? So, we should omit the check on release builds. I know bhyve doesn't opt out assert on release builds. However, we shouldn't add new asserts which are required for release builds too.

rosenfeld_grumpf.hope-2000.org updated this revision to Diff 167543.Thu, Dec 4, 6:24 PM

Improve the comments describing the LUN address parsing.

Harbormaster completed remote builds in B69048: Diff 167543.Thu, Dec 4, 6:24 PM
rosenfeld_grumpf.hope-2000.org added inline comments.Thu, Dec 4, 6:28 PM
usr.sbin/bhyve/pci_virtio_scsi.c
412

No, they must be zero, thats why we return false if any one of them isn't.

434–436

Every code path using pci_vtscsi_get_lun() (and pci_vtscsi_get_target() in a later change) is supposed to use pci_vtscsi_check_lun() to check LUN validity before even getting there and return an appropriate error to the guest.

Having these asserts in pci_vtscsi_get_lun() is thus a matter of defensive programming. These checks cost next to nothing, and they blow up only if there's a coding error, which is precisely what assertions are for.

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyve/
117 lines

Diff 167543

View Options

usr.sbin/bhyve/pci_virtio_scsi.c

Loading...