From owner-dev-commits-src-branches@freebsd.org  Fri Jul  9 14:26:01 2021
Return-Path: <owner-dev-commits-src-branches@freebsd.org>
Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1E3B6660C18;
 Fri,  9 Jul 2021 14:26:01 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4GLwST088Cz3j67;
 Fri,  9 Jul 2021 14:26:01 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E0C7E162B7;
 Fri,  9 Jul 2021 14:26:00 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 169EQ0xk043402;
 Fri, 9 Jul 2021 14:26:00 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 169EQ0uW043401;
 Fri, 9 Jul 2021 14:26:00 GMT (envelope-from git)
Date: Fri, 9 Jul 2021 14:26:00 GMT
Message-Id: <202107091426.169EQ0uW043401@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-branches@FreeBSD.org
From: Chuck Tuffli <chuck@FreeBSD.org>
Subject: git: a7761d19dacd - stable/13 - bhyve: Fix NVMe iovec construction
 for large IOs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: chuck
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: a7761d19dacd414c8b8269a6cf909ab4528783dc
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
 <dev-commits-src-branches.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-branches/>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Help: <mailto:dev-commits-src-branches-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-branches>, 
 <mailto:dev-commits-src-branches-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 14:26:01 -0000

The branch stable/13 has been updated by chuck:

URL: https://cgit.FreeBSD.org/src/commit/?id=a7761d19dacd414c8b8269a6cf909ab4528783dc

commit a7761d19dacd414c8b8269a6cf909ab4528783dc
Author:     Chuck Tuffli <chuck@FreeBSD.org>
AuthorDate: 2021-06-27 22:14:52 +0000
Commit:     Chuck Tuffli <chuck@FreeBSD.org>
CommitDate: 2021-07-09 14:24:14 +0000

    bhyve: Fix NVMe iovec construction for large IOs
    
    The UEFI driver included with Rocky Linux 8.4 uncovered an existing bug
    in the NVMe emulation's construction of iovec's.
    
    By default, NVMe data transfer operations use a scatter-gather list in
    which all entries point to a fixed size memory region. For example, if
    the Memory Page Size is 4KiB, a 2MiB IO requires 512 entries. Lists
    themselves are also fixed size (default is 512 entries).
    
    Because the list size is fixed, the last entry is special. If the IO
    requires more than 512 entries, the last entry in the list contains the
    address of the next list of entries. But if the IO requires exactly 512
    entries, the last entry points to data.
    
    The NVMe emulation missed this logic and unconditionally treated the
    last entry as a pointer to the next list. Fix is to check if the
    remaining data is greater than the page size before using the last entry
    as a pointer to the next list.
    
    PR:             256422
    Reported by:    dave@syix.com
    Tested by:      jason@tubnor.net
    Relnotes:       yes
    
    (cherry picked from commit 91064841d72b285a146a3f1c32cb447251e062ea)
---
 usr.sbin/bhyve/pci_nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.sbin/bhyve/pci_nvme.c b/usr.sbin/bhyve/pci_nvme.c
index 24f401630d6d..bd21819f0607 100644
--- a/usr.sbin/bhyve/pci_nvme.c
+++ b/usr.sbin/bhyve/pci_nvme.c
@@ -1976,7 +1976,7 @@ nvme_write_read_blockif(struct pci_nvme_softc *sc,
 		/* PRP2 is pointer to a physical region page list */
 		while (bytes) {
 			/* Last entry in list points to the next list */
-			if (prp_list == last) {
+			if ((prp_list == last) && (bytes > PAGE_SIZE)) {
 				uint64_t prp = *prp_list;
 
 				prp_list = paddr_guest2host(vmctx, prp,