bhyve/nvme: Fix Infinite loop in queue processing

In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is grea

bhyve/nvme: Fix Infinite loop in queue processing

In the functions pci_nvme_handle_admin_cmd and pci_nvme_handle_io_cmd
infinite loops are possible in the bhyve process if the sq->tail value
is greater than sq->size.

An attacker could overload the host CPU.

Fix is to validate that doorbell values:
- Are for a valid (i.e., created) queue
- Are not the same as the previous value
- Fit within the available capacity

The emulation will generate an Asynchronous Event Notification (Invalid
Doorbell or Invalid Doorbell Value) if enabled and ignore the doorbell
update.

While in the neighborhood, remove a redundant bounds check.

Reported by: Synacktiv
MFC after: 1 week
Security: HYP-14
Sponsored by: Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46064

show more ...

bhyve/nvme: Fix out-of-bounds read in NVMe log page

The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
bu

bhyve/nvme: Fix out-of-bounds read in NVMe log page

The function nvme_opc_get_log_page in the file usr.sbin/bhyve/pci_nvme.c
is vulnerable to buffer over-read. The value logoff is user controlled
but never checked against the value of logsize. Thus the difference:
logsize - logoff
can underflow.

Due to the sc structure layout, an attacker can dump internals fields of
sc and the content of next heap allocation.

Reported by: Synacktiv
Reviewed by: emaste, jhb
Security: HYP-07
Sponsored by: Alpha-Omega Project, The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46021

show more ...

bhyve: Use NVMEF macro to construct fields

Reviewed by: corvink, chuck (older version)
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D43607

bhyve: Use the NVMEM macro instead of expanded versions

Reviewed by: corvink, chuck
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D43603

nvme: Rename NVMEB helper macro to NVMEM

The current macro always builds a full mask for a named field, so use
the M suffix for mask.

Reviewed by: chuck, imp
Sponsored by: Chelsio Communications
Di

nvme: Rename NVMEB helper macro to NVMEM

The current macro always builds a full mask for a named field, so use
the M suffix for mask.

Reviewed by: chuck, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D43601

show more ...

bhyve: Use NVMEV to read the ASQS field of AQA

This is not a functional change, but just being consistent instead of
omitting a shift by 0.

Reviewed by: corvink, chuck, imp
Sponsored by: Chelsio Co

bhyve: Use NVMEV to read the ASQS field of AQA

This is not a functional change, but just being consistent instead of
omitting a shift by 0.

Reviewed by: corvink, chuck, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D43600

show more ...

bhyve: Use the NVMEV macro instead of expanded versions

Reviewed by: corvink, chuck (older version)
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D43598

bhyve nvme: Add NQN value

Add a NVMe Qualified Name (NQN) to the Controller Data structure using
the "first format" (i.e., "... used by any organization that owns a
domain name" Section 7.9 NVM-Expr

bhyve nvme: Add NQN value

Add a NVMe Qualified Name (NQN) to the Controller Data structure using
the "first format" (i.e., "... used by any organization that owns a
domain name" Section 7.9 NVM-Express 1.4c 2021.06.28 Ratified).

This avoids a Linux kernel warning about a missing or invalid NQN.

Reviewed by: jhb
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42058

show more ...

bhyve: Store the FreeBSD OUI in little-endian in the controller data

Section 7.10.3 of the NVME 1.4b specification states that the IEEE OUI
in the identify controller structure is stored in little-e

bhyve: Store the FreeBSD OUI in little-endian in the controller data

Section 7.10.3 of the NVME 1.4b specification states that the IEEE OUI
in the identify controller structure is stored in little-endian format
(unlike the embedded OUI in EUI64 identifiers).

Reviewed by: corvink, chuck, imp
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D41487

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

bhyve: Stop calling pci_lintr_request() in the NVMe device model

The device model effectively assumes that MSI-X is enabled (it never
asserts the legacy interrupt), so any guest which relies on bein

bhyve: Stop calling pci_lintr_request() in the NVMe device model

The device model effectively assumes that MSI-X is enabled (it never
asserts the legacy interrupt), so any guest which relies on being able
to use the legacy PCI interrupt will fail.

The WIP arm64 port does not implement legacy PCI interrupts, but NVMe
emulation is potentially useful there. Simply remove the call.

Reviewed by: corvink, chuck, jhb
Tested by: chuck
MFC after: 1 month
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D40731

show more ...

bhyve: add bootindex option for several devices

The bootindex option creates an entry in the "bootorder" fwcfg file.
This file can be picked up by the guest firmware to determine the
bootorder. Neve

bhyve: add bootindex option for several devices

The bootindex option creates an entry in the "bootorder" fwcfg file.
This file can be picked up by the guest firmware to determine the
bootorder. Nevertheless, it's not guaranteed that the guest firmware
uses the bootorder. At the moment, our OVMF ignores the bootorder. This
will change in the future.

If guest firmware supports the "bootorder" fwcfg file and no device uses
the bootindex option, the boot order is determined by the firmware
itself. If one or more devices specify a bootindex, the first bootable
device with the lowest bootindex will be booted. It's not garanteed that
devices without a bootindex will be recognized as bootable from the
firmware in that case.

Reviewed by: jhb
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D39285

show more ...

bhyve: Fix typos

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/653

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

show more ...

ext2fs: extract crc16 into sys/crc16.h

deduplicate this as it might be needed for other drivers (e.g. Apple SPI-HID)

Sponsored by: https://www.patreon.com/valpackett
Reviewed by: chuck, imp
MFC aft

ext2fs: extract crc16 into sys/crc16.h

deduplicate this as it might be needed for other drivers (e.g. Apple SPI-HID)

Sponsored by: https://www.patreon.com/valpackett
Reviewed by: chuck, imp
MFC after: 1 month
Differential revision: https://reviews.freebsd.org/D32879

show more ...

bhyve: Remove trailing semicolon

Macros shouldn't use trailing semicolon.

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/654

bhyve: Remove vmctx argument from PCI device model methods.

Most of these arguments were unused. Device models which do need
access to the vmctx in one of these methods can obtain it from the
pi_vm

bhyve: Remove vmctx argument from PCI device model methods.

Most of these arguments were unused. Device models which do need
access to the vmctx in one of these methods can obtain it from the
pi_vmctx member of the pci_devinst argument instead.

Reviewed by: corvink, markj
Differential Revision: https://reviews.freebsd.org/D38096

show more ...

bhyve: Remove unused vcpu argument from PCI read/write methods.

Reviewed by: corvink, markj
Differential Revision: https://reviews.freebsd.org/D37652

bhyve: Remove unused argument from pci_nvme_handle_doorbell.

Reviewed by: corvink, chuck, markj
Differential Revision: https://reviews.freebsd.org/D37650

bhyve: Fix sign compare warnings in the NVMe device model.

Reviewed by: corvink
Differential Revision: https://reviews.freebsd.org/D37489

bhyve: Avoid unlikely truncation of the blockif ident strings.

The ident string for NVMe and VirtIO block deivces do not contain the
bus, and the various fields can potentially use up to three chara

bhyve: Avoid unlikely truncation of the blockif ident strings.

The ident string for NVMe and VirtIO block deivces do not contain the
bus, and the various fields can potentially use up to three characters
when printed as unsigned values (full range of uint8_t) even if not
likely in practice.

Reviewed by: corvink, chuck
Differential Revision: https://reviews.freebsd.org/D37488

show more ...

bhyve: Clear lid to 0 for internal device errors for NVMe AENs.

Reported by: GCC
Reviewed by: corvink, chuck, imp, markj
Differential Revision: https://reviews.freebsd.org/D37487

bhyve: Don't leak uninitialized bits in NVMe completion statuses.

In some cases, some bits in the 16-bit status word were never
initialized.

Reported by: GCC
Reviewed by: corvink, chuck, markj
Diff

bhyve: Don't leak uninitialized bits in NVMe completion statuses.

In some cases, some bits in the 16-bit status word were never
initialized.

Reported by: GCC
Reviewed by: corvink, chuck, markj
Differential Revision: https://reviews.freebsd.org/D37486

show more ...

bhyve: nvme controller obey async event setting when reporting critical temperature

Async event report is controlled by async event configuration feature
setting. When reporting a critical temperatu

bhyve: nvme controller obey async event setting when reporting critical temperature

Async event report is controlled by async event configuration feature
setting. When reporting a critical temperature warning, check the async
event configuration.

Approved by: manu (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D37355

show more ...

bhyve: return FEATURE_NOT_CHANGEABLE for unimplemented feature of NVMe controller

Set Feature is a feature specified function. Currently only some
features have the set procedure. For features that

bhyve: return FEATURE_NOT_CHANGEABLE for unimplemented feature of NVMe controller

Set Feature is a feature specified function. Currently only some
features have the set procedure. For features that are not handled by
the controller, we should return a FEATURE_NOT_CHANGEABLE error message.

Approved by: manu (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D32802

show more ...