storage: add usermode storvsc disk backend for OpenHCL

[juantian8seattle]

Summary

Add disk_storvsc, a DiskIo backend that handles guest SCSI I/O in VTL2
userspace via storvsc_driver over VMBus UIO. When enabled, OpenHCL
intercepts VScsi controller channels and translates block I/O into
SCSI CDBs, bypassing the kernel hv_storvsc driver for relay controllers.

Opt-in via OPENHCL_STORVSC_USERMODE=1 environment variable.
Not enabled by default.

What's included

New crate: disk_storvsc

• DiskIo implementation using SCSI CDBs over storvsc_driver
• Async constructor pre-fetches device metadata (capacity, disk ID, read-only, unmap support)
• READ(16), WRITE(16), UNMAP, READ_CAPACITY, INQUIRY, MODE_SENSE CDB formatting
• CD-ROM detection via INQUIRY for READ_CAPACITY(10) vs (16) selection

storvsc_driver enhancements

• DMA buffer allocation for bounce-buffer I/O
• Resize listener support (host-initiated disk resize)
• Save/restore for live migration
• Mesh-based async lifecycle

OpenHCL integration (underhill_core)

• StorvscManager: actor-based manager following NvmeManager pattern
• StorvscDiskResolver: resolves StorvscDiskConfig from VTL2 settings
• On-demand UIO channel claiming (claim_vmbus_device_for_uio)
• VScsi device routing in vtl2_settings_worker
• Save/restore state at mesh(10004)

Supporting changes

• scsi_defs: additional SCSI structs for CDB construction
• storvsp_protocol: Inspect derive on protocol types
• vmbus_user_channel: configurable ring buffer sizes for message_pipe
• guestmem: LockedPages::va() accessor

Testing

• cargo test -p storvsc_driver -- 3 unit tests pass
• All openvmm_openhcl_linux_x64_storvsp* VMM tests pass with STORVSC_USERMODE=1
• DVD tests pass (SenseData decode fix)
• Boot, reboot, dynamic disk add tests pass
• No regressions when STORVSC_USERMODE=0 (default)

Related issues

Closes #3094, closes #3095, closes #3096
Ref #273

Notes for reviewers

• OPENHCL_STORVSC_USERMODE=1 is set in openhcl_boot/src/main.rs for testing.
  Will be removed before merge (feature is opt-in only via env var).

[github-actions]

⚠️ Unsafe Code Detected

This PR modifies files containing unsafe Rust code. Extra scrutiny is required during review.

For more on why we check whole files, instead of just diffs, check out the Rustonomicon

[Copilot]

Pull request overview

This PR adds a new OpenHCL storage path for servicing guest SCSI I/O in VTL2 userspace using a new disk_storvsc DiskIo backend backed by storvsc_driver over VMBus UIO, and wires it into Underhill behind the OPENHCL_STORVSC_USERMODE opt-in flag.

Changes:

• Add new disk_storvsc crate implementing DiskIo by formatting and issuing SCSI CDBs through storvsc_driver.
• Extend storvsc_driver with DMA buffer support, resize listeners, and save/restore state handling.
• Integrate a new StorvscManager/resolver into underhill_core, update servicing save/restore, and add VTL2 settings routing for VScsi devices.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
vm/vmcore/guestmem/src/lib.rs	Adds LockedPages::va() accessor used by DMA/driver plumbing.
vm/devices/vmbus/vmbus_user_channel/src/lib.rs	Makes ring sizes configurable when opening UIO-backed channels.
vm/devices/storage/storvsp/src/lib.rs	Sets storvsp channel type to message-mode pipe for the SCSI interface.
vm/devices/storage/storvsp_protocol/src/lib.rs	Adds Inspect derive to protocol types for diagnostics.
vm/devices/storage/storvsp_protocol/Cargo.toml	Adds inspect dependency to support protocol inspection.
vm/devices/storage/storvsc_driver/src/test_helpers.rs	Updates test harness to new request shape (GPN list + resize listener channel).
vm/devices/storage/storvsc_driver/src/lib.rs	Major driver enhancements: DMA buffers, resize listeners, save/restore, request API changes.
vm/devices/storage/storvsc_driver/Cargo.toml	Adds dependencies needed for DMA, tracing, events, and save/restore.
vm/devices/storage/scsi_defs/src/lib.rs	Improves SCSI struct types (e.g., big-endian wrappers, typed opcodes).
vm/devices/storage/disk_storvsc/src/lib.rs	New DiskIo backend implementing I/O via SCSI CDBs over usermode storvsc.
vm/devices/storage/disk_storvsc/Cargo.toml	Declares the new disk_storvsc crate and its dependencies.
openhcl/underhill_core/src/worker.rs	Adds storvsc_usermode env config and instantiates StorvscManager.
openhcl/underhill_core/src/storvsc_manager.rs	New actor-style manager + disk resolver + sysfs UIO claiming + save/restore wiring.
openhcl/underhill_core/src/servicing.rs	Adds servicing saved-state plumbing for storvsc at mesh(10004).
openhcl/underhill_core/src/options.rs	Adds OPENHCL_STORVSC_USERMODE option parsing and config propagation.
openhcl/underhill_core/src/lib.rs	Wires new option field and module into worker launch path.
openhcl/underhill_core/src/dispatch/vtl2_settings_worker.rs	Routes VScsi devices to StorvscDiskResolver when usermode storvsc is enabled.
openhcl/underhill_core/src/dispatch/mod.rs	Adds storvsc manager lifecycle (shutdown + save state) to LoadedVm.
openhcl/underhill_core/Cargo.toml	Adds disk_storvsc, storvsc_driver, and storvsp_protocol dependencies.
openhcl/openhcl_boot/src/main.rs	Temporarily forces OPENHCL_STORVSC_USERMODE=1 in kernel cmdline for CI testing.
Cargo.toml	Adds disk_storvsc to workspace members and workspace dependencies.
Cargo.lock	Locks new crate and dependency graph updates.

[Copilot]

LockedPages::va() can panic when gpns is empty because it unconditionally unwraps self.pages.first(). Since lock_gpns() can return an empty LockedPages (gpns slice length 0), consider returning Option<u64>/Result<u64, _> or explicitly documenting/enforcing a non-empty invariant before exposing this accessor.

Suggested change

	pub fn va(&self) -> u64 {
	self.pages.first().unwrap().0 as u64
	pub fn va(&self) -> Option<u64> {
	self.pages.first().map(|page| page.0 as u64)

[Copilot]

storvsc.negotiate().await.unwrap() will panic on protocol negotiation failure. This is a host-facing boundary and should return an error instead (propagate with ? and map into StorvscErrorInner), so OpenHCL doesn’t crash on unexpected/malformed host responses.

Suggested change

	storvsc.negotiate().await.unwrap();
	storvsc.negotiate().await?;

[Copilot]

PagedRange::new(...).unwrap() can panic if gpn_offset/byte_len are inconsistent with the provided gpns slice (e.g., empty gpns, offset >= page size, length too large). Please convert this to fallible error handling and return a StorvscError instead of panicking; also remove the empty if byte_len == 0 {} no-op (callers already gate on byte_len > 0).

[Copilot]

The UNIT ATTENTION path cancels the pending transaction but never removes it from self.transactions (it uses get_mut() and then .cancel(...)). This will leak slab entries over time and prevent transaction IDs from being reused, eventually growing memory and possibly failing new requests. Consider using remove() (or equivalent) when completing/cancelling a transaction.

Suggested change

	// Match completion against pending transactions
	match self
	.transactions
	.get_mut(completion.transaction_id as usize)
	{
	Some(t) => Ok(t),
	None => Err(StorvscError(StorvscErrorInner::PacketError(
	PacketError::UnexpectedTransaction(completion.transaction_id),
	))),
	}?
	.cancel(StorvscCompleteReason::UnitAttention);
	// Match completion against pending transactions and remove the
	// cancelled transaction so the slot can be reused.
	let transaction_id = completion.transaction_id as usize;
	let mut transaction = if self.transactions.contains(transaction_id) {
	Ok(self.transactions.remove(transaction_id))
	} else {
	Err(StorvscError(StorvscErrorInner::PacketError(
	PacketError::UnexpectedTransaction(completion.transaction_id),
	)))
	}?;
	transaction.cancel(StorvscCompleteReason::UnitAttention);

[Copilot]

The normal completion path calls .complete(result) on a transaction found via self.transactions.get_mut(...), but does not remove the entry afterward. This causes unbounded growth of the Slab<PendingOperation> and can eventually break I/O. Consider removing the transaction from the slab when the completion is handled.

[Copilot]

UNMAP CDB allocation_length should be the total parameter list length (header + descriptors), but it’s currently set to only size_of::<UnmapBlockDescriptor>(). This likely makes UNMAP fail (the device will read an incomplete parameter list). Consider setting the CDB length and the data-out byte_len to the actual list size (and only sending that many bytes).

[Copilot]

On capacity refetch failure, wait_resize() logs and continues without awaiting the resize event (or any backoff), which can spin in a tight loop if the host keeps returning errors. Consider awaiting listen (or adding a small delay/backoff) on error to avoid CPU burn.

Suggested change

	);
	);
	listen.await;

[Copilot]

sub_device_path is a u32 but is cast to u8 for lun without validation. If sub_device_path > 255, this will silently truncate and route I/O to the wrong LUN. Consider validating the range and returning an error if it doesn’t fit in u8.

Suggested change

	return Ok(Resource::new(StorvscDiskConfig {
	instance_guid: controller_instance_id,
	lun: sub_device_path as u8,
	let lun = u8::try_from(sub_device_path).context(format!(
	"VScsi sub_device_path {} does not fit in a u8 LUN",
	sub_device_path
	))?;
	return Ok(Resource::new(StorvscDiskConfig {
	instance_guid: controller_instance_id,
	lun,

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the boot command line, which enables the feature by default and contradicts the PR’s stated opt-in behavior. Please remove this before merge (or gate it behind a test-only/dev-only configuration) so production images remain opt-in via environment only.

[Copilot]

On shutdown, drivers are only stopped when !save_restore_supported. If save_restore_supported is true, this exits the manager without explicitly stopping the per-controller StorvscDriver tasks, which can leak work/resources and diverges from the NVMe manager shutdown pattern. Consider stopping drivers unconditionally on shutdown (save/restore support should affect servicing behavior, not shutdown cleanup).

Suggested change

	if !self.save_restore_supported {
	async {
	join_all(self.drivers.drain().map(|(guid, driver)| {
	let guid_str = guid.to_string();
	async move {
	driver
	.stop()
	.instrument(tracing::info_span!(
	"shutdown_storvsc_driver",
	guid = guid_str
	))
	.await
	}
	}))
	.await
	}
	.instrument(join_span)
	.await;
	}
	async {
	join_all(self.drivers.drain().map(|(guid, driver)| {
	let guid_str = guid.to_string();
	async move {
	driver
	.stop()
	.instrument(tracing::info_span!(
	"shutdown_storvsc_driver",
	guid = guid_str
	))
	.await
	}
	}))
	.await
	}
	.instrument(join_span)
	.await;

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 3 comments.

[Copilot]

state.inner.transactions is a slab::Slab<PendingOperation>, and Slab::drain() yields (usize, PendingOperation) items. The current loop binds the tuple to transaction and then calls transaction.cancel(...), which won't compile. Destructure the drain items (e.g., for (_id, mut op) in ...) before calling cancel.

Suggested change

	for mut transaction in state.inner.transactions.drain() {
	for (_id, mut transaction) in state.inner.transactions.drain() {

[Copilot]

UNMAP builds a parameter list whose length matches the CDB allocation_length, but the request sends byte_len = data_out_size (a full 4K page). This makes ScsiRequest.data_transfer_length larger than the UNMAP parameter list length, which can cause protocol/target errors and adds unnecessary transfer. Send only the actual parameter list length (header + descriptor), even if the backing DMA allocation is a full page.

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the default kernel command line, which contradicts the stated "opt-in only" behavior and would enable usermode storvsc by default for all boots that use this image. Please remove this before merge (or gate it behind a test-only build/feature) so the default remains disabled unless the environment variable is explicitly set at runtime.

Suggested change

	// TODO(juantian): TEMP -- enable usermode storvsc to validate via CI pipeline.
	// MUST be removed before merge. See PR description.
	"OPENHCL_STORVSC_USERMODE=1",

[github-actions]

217 Petri tests failed (0 unstable)

[github-actions]

17 Petri tests failed (0 unstable)

[Copilot]

Pull request overview

Copilot reviewed 22 out of 23 changed files in this pull request and generated 5 comments.

[Copilot]

size_of::<T>() is used throughout this module but size_of is never imported/qualified, which will fail to compile. Add use core::mem::size_of; (or qualify calls as core::mem::size_of).

[Copilot]

stop() (and save()) stop/remove the worker task but leave new_request_sender/add_resize_listener_sender intact. If a caller uses an Arc<StorvscDriver<_>> after stop/save begins, send_request() can enqueue a request with a live completion sender and then await forever because the worker is no longer draining the request channel. Consider clearing/closing the senders during stop/save or gating send_request/add_resize_listener on an explicit running-state check so they fail fast when the task is not running.

Suggested change

	// Cancel pending operations with save/restore reason.
	for mut transaction in state.inner.transactions.drain() {
	transaction.cancel(StorvscCompleteReason::SaveRestore);
	}
	Ok(StorvscDriverSavedState {
	version: state.version.major_minor,
	has_negotiated: state.has_negotiated,
	let version = state.version.major_minor;
	let has_negotiated = state.has_negotiated;
	// Cancel pending operations with save/restore reason.
	for mut transaction in state.inner.transactions.drain() {
	transaction.cancel(StorvscCompleteReason::SaveRestore);
	}
	// Remove the stopped worker state so its request/listener receivers
	// are dropped and future sends fail fast instead of queueing work
	// that no task will ever drain.
	s.remove();
	Ok(StorvscDriverSavedState {
	version,
	has_negotiated,

[Copilot]

The comment says the UNIT ATTENTION path will “resend this request”, but the implementation cancels the pending operation with StorvscCompleteReason::UnitAttention and does not resend. Either update the comment to match behavior (caller must retry) or implement the resend logic here.

Suggested change

	// resend this request
	// cancel the pending request with UnitAttention so the caller can retry it.

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the default kernel command line, which contradicts the PR’s “opt-in only / not enabled by default” requirement. Please remove this before merge (or gate it behind an explicit test-only feature/build flag) so production boots remain opt-in via environment.

[Copilot]

disk_storvsc introduces substantial new disk I/O behavior (bounce-buffer vs zero-copy, retry logic on CancelledRetry, capacity refresh on resize), but the crate has no unit tests. Adding targeted tests (e.g., for send_scsi_request retry semantics and wait_resize behavior) would help prevent regressions.

Suggested change

	// TODO: Add unit tests for wait_resize -- cover error retry with
	// listen.await backoff, and capacity change detection.
	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	// Refetch capacity from host (we're in async context here)
	let capacity = match self.fetch_capacity().await {
	Ok(c) => c,
	Err(e) => {
	tracing::error!(
	error = e.as_ref() as &dyn std::error::Error,
	"failed to refetch capacity on resize"
	);
	listen.await;
	continue;
	}
	};
	if capacity.num_sectors != sector_count {
	break capacity.num_sectors;
	}
	listen.await;
	}
	}
	}
	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	let next = match self.fetch_capacity().await {
	Ok(capacity) => {
	wait_resize_next_action(sector_count, Ok(capacity.num_sectors))
	}
	Err(e) => {
	tracing::error!(
	error = e.as_ref() as &dyn std::error::Error,
	"failed to refetch capacity on resize"
	);
	wait_resize_next_action(sector_count, Err(()))
	}
	};
	match next {
	WaitResizeAction::ReturnUpdatedCapacity(num_sectors) => break num_sectors,
	WaitResizeAction::WaitForNotification => listen.await,
	}
	}
	}
	}
	#[derive(Debug, Clone, Copy, PartialEq, Eq)]
	enum WaitResizeAction {
	WaitForNotification,
	ReturnUpdatedCapacity(u64),
	}
	fn wait_resize_next_action(
	sector_count: u64,
	observed_sector_count: Result<u64, ()>,
	) -> WaitResizeAction {
	match observed_sector_count {
	Ok(observed_sector_count) if observed_sector_count != sector_count => {
	WaitResizeAction::ReturnUpdatedCapacity(observed_sector_count)
	}
	Ok(_) | Err(()) => WaitResizeAction::WaitForNotification,
	}
	}
	#[cfg(test)]
	mod tests {
	use super::WaitResizeAction;
	use super::wait_resize_next_action;
	use test_with_tracing::test;
	#[test]
	fn wait_resize_retries_after_capacity_refresh_error() {
	assert_eq!(
	wait_resize_next_action(1024, Err(())),
	WaitResizeAction::WaitForNotification
	);
	}
	#[test]
	fn wait_resize_waits_when_capacity_is_unchanged() {
	assert_eq!(
	wait_resize_next_action(1024, Ok(1024)),
	WaitResizeAction::WaitForNotification
	);
	}
	#[test]
	fn wait_resize_returns_when_capacity_changes() {
	assert_eq!(
	wait_resize_next_action(1024, Ok(2048)),
	WaitResizeAction::ReturnUpdatedCapacity(2048)
	);
	}
	}

[github-actions]

13 Petri tests failed (0 unstable)

[github-actions]

9 Petri tests failed (0 unstable)