storage: add usermode storvsc disk backend for OpenHCL

[juantian8seattle]

Summary

Add disk_storvsc, a DiskIo backend that handles guest SCSI I/O in VTL2
userspace via storvsc_driver over VMBus UIO. When enabled, OpenHCL
intercepts VScsi controller channels and translates block I/O into
SCSI CDBs, bypassing the kernel hv_storvsc driver for relay controllers.

Opt-in via OPENHCL_STORVSC_USERMODE=1 environment variable.
Not enabled by default.

What's included

New crate: disk_storvsc

• DiskIo implementation using SCSI CDBs over storvsc_driver
• Async constructor pre-fetches device metadata (capacity, disk ID, read-only, unmap support)
• READ(16), WRITE(16), UNMAP, READ_CAPACITY, INQUIRY, MODE_SENSE CDB formatting
• CD-ROM detection via INQUIRY for READ_CAPACITY(10) vs (16) selection

storvsc_driver enhancements

• DMA buffer allocation for bounce-buffer I/O
• Resize listener support (host-initiated disk resize)
• Save/restore for live migration
• Mesh-based async lifecycle

OpenHCL integration (underhill_core)

• StorvscManager: actor-based manager following NvmeManager pattern
• StorvscDiskResolver: resolves StorvscDiskConfig from VTL2 settings
• On-demand UIO channel claiming (claim_vmbus_device_for_uio)
• VScsi device routing in vtl2_settings_worker
• Save/restore state at mesh(10004)

Supporting changes

• scsi_defs: additional SCSI structs for CDB construction
• storvsp_protocol: Inspect derive on protocol types
• vmbus_user_channel: configurable ring buffer sizes for message_pipe
• guestmem: LockedPages::va() accessor

Testing

• cargo test -p storvsc_driver -- 3 unit tests pass
• All openvmm_openhcl_linux_x64_storvsp* VMM tests pass with STORVSC_USERMODE=1
• DVD tests pass (SenseData decode fix)
• Boot, reboot, dynamic disk add tests pass
• No regressions when STORVSC_USERMODE=0 (default)

Related issues

Closes #3094, closes #3095, closes #3096
Ref #273

Notes for reviewers

• OPENHCL_STORVSC_USERMODE=1 is set in openhcl_boot/src/main.rs for testing.
  Will be removed before merge (feature is opt-in only via env var).

[github-actions]

⚠️ Unsafe Code Detected

This PR modifies files containing unsafe Rust code. Extra scrutiny is required during review.

For more on why we check whole files, instead of just diffs, check out the Rustonomicon

[Copilot]

Pull request overview

This PR adds a new OpenHCL storage path for servicing guest SCSI I/O in VTL2 userspace using a new disk_storvsc DiskIo backend backed by storvsc_driver over VMBus UIO, and wires it into Underhill behind the OPENHCL_STORVSC_USERMODE opt-in flag.

Changes:

• Add new disk_storvsc crate implementing DiskIo by formatting and issuing SCSI CDBs through storvsc_driver.
• Extend storvsc_driver with DMA buffer support, resize listeners, and save/restore state handling.
• Integrate a new StorvscManager/resolver into underhill_core, update servicing save/restore, and add VTL2 settings routing for VScsi devices.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
vm/vmcore/guestmem/src/lib.rs	Adds LockedPages::va() accessor used by DMA/driver plumbing.
vm/devices/vmbus/vmbus_user_channel/src/lib.rs	Makes ring sizes configurable when opening UIO-backed channels.
vm/devices/storage/storvsp/src/lib.rs	Sets storvsp channel type to message-mode pipe for the SCSI interface.
vm/devices/storage/storvsp_protocol/src/lib.rs	Adds Inspect derive to protocol types for diagnostics.
vm/devices/storage/storvsp_protocol/Cargo.toml	Adds inspect dependency to support protocol inspection.
vm/devices/storage/storvsc_driver/src/test_helpers.rs	Updates test harness to new request shape (GPN list + resize listener channel).
vm/devices/storage/storvsc_driver/src/lib.rs	Major driver enhancements: DMA buffers, resize listeners, save/restore, request API changes.
vm/devices/storage/storvsc_driver/Cargo.toml	Adds dependencies needed for DMA, tracing, events, and save/restore.
vm/devices/storage/scsi_defs/src/lib.rs	Improves SCSI struct types (e.g., big-endian wrappers, typed opcodes).
vm/devices/storage/disk_storvsc/src/lib.rs	New DiskIo backend implementing I/O via SCSI CDBs over usermode storvsc.
vm/devices/storage/disk_storvsc/Cargo.toml	Declares the new disk_storvsc crate and its dependencies.
openhcl/underhill_core/src/worker.rs	Adds storvsc_usermode env config and instantiates StorvscManager.
openhcl/underhill_core/src/storvsc_manager.rs	New actor-style manager + disk resolver + sysfs UIO claiming + save/restore wiring.
openhcl/underhill_core/src/servicing.rs	Adds servicing saved-state plumbing for storvsc at mesh(10004).
openhcl/underhill_core/src/options.rs	Adds OPENHCL_STORVSC_USERMODE option parsing and config propagation.
openhcl/underhill_core/src/lib.rs	Wires new option field and module into worker launch path.
openhcl/underhill_core/src/dispatch/vtl2_settings_worker.rs	Routes VScsi devices to StorvscDiskResolver when usermode storvsc is enabled.
openhcl/underhill_core/src/dispatch/mod.rs	Adds storvsc manager lifecycle (shutdown + save state) to LoadedVm.
openhcl/underhill_core/Cargo.toml	Adds disk_storvsc, storvsc_driver, and storvsp_protocol dependencies.
openhcl/openhcl_boot/src/main.rs	Temporarily forces OPENHCL_STORVSC_USERMODE=1 in kernel cmdline for CI testing.
Cargo.toml	Adds disk_storvsc to workspace members and workspace dependencies.
Cargo.lock	Locks new crate and dependency graph updates.

[Copilot]

LockedPages::va() can panic when gpns is empty because it unconditionally unwraps self.pages.first(). Since lock_gpns() can return an empty LockedPages (gpns slice length 0), consider returning Option<u64>/Result<u64, _> or explicitly documenting/enforcing a non-empty invariant before exposing this accessor.

Suggested change

	pub fn va(&self) -> u64 {
	self.pages.first().unwrap().0 as u64
	pub fn va(&self) -> Option<u64> {
	self.pages.first().map(|page| page.0 as u64)

[Copilot]

storvsc.negotiate().await.unwrap() will panic on protocol negotiation failure. This is a host-facing boundary and should return an error instead (propagate with ? and map into StorvscErrorInner), so OpenHCL doesn’t crash on unexpected/malformed host responses.

Suggested change

	storvsc.negotiate().await.unwrap();
	storvsc.negotiate().await?;

[Copilot]

PagedRange::new(...).unwrap() can panic if gpn_offset/byte_len are inconsistent with the provided gpns slice (e.g., empty gpns, offset >= page size, length too large). Please convert this to fallible error handling and return a StorvscError instead of panicking; also remove the empty if byte_len == 0 {} no-op (callers already gate on byte_len > 0).

[Copilot]

The UNIT ATTENTION path cancels the pending transaction but never removes it from self.transactions (it uses get_mut() and then .cancel(...)). This will leak slab entries over time and prevent transaction IDs from being reused, eventually growing memory and possibly failing new requests. Consider using remove() (or equivalent) when completing/cancelling a transaction.

Suggested change

	// Match completion against pending transactions
	match self
	.transactions
	.get_mut(completion.transaction_id as usize)
	{
	Some(t) => Ok(t),
	None => Err(StorvscError(StorvscErrorInner::PacketError(
	PacketError::UnexpectedTransaction(completion.transaction_id),
	))),
	}?
	.cancel(StorvscCompleteReason::UnitAttention);
	// Match completion against pending transactions and remove the
	// cancelled transaction so the slot can be reused.
	let transaction_id = completion.transaction_id as usize;
	let mut transaction = if self.transactions.contains(transaction_id) {
	Ok(self.transactions.remove(transaction_id))
	} else {
	Err(StorvscError(StorvscErrorInner::PacketError(
	PacketError::UnexpectedTransaction(completion.transaction_id),
	)))
	}?;
	transaction.cancel(StorvscCompleteReason::UnitAttention);

[Copilot]

The normal completion path calls .complete(result) on a transaction found via self.transactions.get_mut(...), but does not remove the entry afterward. This causes unbounded growth of the Slab<PendingOperation> and can eventually break I/O. Consider removing the transaction from the slab when the completion is handled.

[Copilot]

UNMAP CDB allocation_length should be the total parameter list length (header + descriptors), but it’s currently set to only size_of::<UnmapBlockDescriptor>(). This likely makes UNMAP fail (the device will read an incomplete parameter list). Consider setting the CDB length and the data-out byte_len to the actual list size (and only sending that many bytes).

[Copilot]

On capacity refetch failure, wait_resize() logs and continues without awaiting the resize event (or any backoff), which can spin in a tight loop if the host keeps returning errors. Consider awaiting listen (or adding a small delay/backoff) on error to avoid CPU burn.

Suggested change

	);
	);
	listen.await;

[Copilot]

sub_device_path is a u32 but is cast to u8 for lun without validation. If sub_device_path > 255, this will silently truncate and route I/O to the wrong LUN. Consider validating the range and returning an error if it doesn’t fit in u8.

Suggested change

	return Ok(Resource::new(StorvscDiskConfig {
	instance_guid: controller_instance_id,
	lun: sub_device_path as u8,
	let lun = u8::try_from(sub_device_path).context(format!(
	"VScsi sub_device_path {} does not fit in a u8 LUN",
	sub_device_path
	))?;
	return Ok(Resource::new(StorvscDiskConfig {
	instance_guid: controller_instance_id,
	lun,

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the boot command line, which enables the feature by default and contradicts the PR’s stated opt-in behavior. Please remove this before merge (or gate it behind a test-only/dev-only configuration) so production images remain opt-in via environment only.

[Copilot]

On shutdown, drivers are only stopped when !save_restore_supported. If save_restore_supported is true, this exits the manager without explicitly stopping the per-controller StorvscDriver tasks, which can leak work/resources and diverges from the NVMe manager shutdown pattern. Consider stopping drivers unconditionally on shutdown (save/restore support should affect servicing behavior, not shutdown cleanup).

Suggested change

	if !self.save_restore_supported {
	async {
	join_all(self.drivers.drain().map(|(guid, driver)| {
	let guid_str = guid.to_string();
	async move {
	driver
	.stop()
	.instrument(tracing::info_span!(
	"shutdown_storvsc_driver",
	guid = guid_str
	))
	.await
	}
	}))
	.await
	}
	.instrument(join_span)
	.await;
	}
	async {
	join_all(self.drivers.drain().map(|(guid, driver)| {
	let guid_str = guid.to_string();
	async move {
	driver
	.stop()
	.instrument(tracing::info_span!(
	"shutdown_storvsc_driver",
	guid = guid_str
	))
	.await
	}
	}))
	.await
	}
	.instrument(join_span)
	.await;

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 3 comments.

[Copilot]

state.inner.transactions is a slab::Slab<PendingOperation>, and Slab::drain() yields (usize, PendingOperation) items. The current loop binds the tuple to transaction and then calls transaction.cancel(...), which won't compile. Destructure the drain items (e.g., for (_id, mut op) in ...) before calling cancel.

Suggested change

	for mut transaction in state.inner.transactions.drain() {
	for (_id, mut transaction) in state.inner.transactions.drain() {

[Copilot]

UNMAP builds a parameter list whose length matches the CDB allocation_length, but the request sends byte_len = data_out_size (a full 4K page). This makes ScsiRequest.data_transfer_length larger than the UNMAP parameter list length, which can cause protocol/target errors and adds unnecessary transfer. Send only the actual parameter list length (header + descriptor), even if the backing DMA allocation is a full page.

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the default kernel command line, which contradicts the stated "opt-in only" behavior and would enable usermode storvsc by default for all boots that use this image. Please remove this before merge (or gate it behind a test-only build/feature) so the default remains disabled unless the environment variable is explicitly set at runtime.

Suggested change

	// TODO(juantian): TEMP -- enable usermode storvsc to validate via CI pipeline.
	// MUST be removed before merge. See PR description.
	"OPENHCL_STORVSC_USERMODE=1",

[github-actions]

217 Petri tests failed (0 unstable)

[github-actions]

17 Petri tests failed (0 unstable)

[Copilot]

Pull request overview

Copilot reviewed 22 out of 23 changed files in this pull request and generated 5 comments.

[Copilot]

size_of::<T>() is used throughout this module but size_of is never imported/qualified, which will fail to compile. Add use core::mem::size_of; (or qualify calls as core::mem::size_of).

[Copilot]

stop() (and save()) stop/remove the worker task but leave new_request_sender/add_resize_listener_sender intact. If a caller uses an Arc<StorvscDriver<_>> after stop/save begins, send_request() can enqueue a request with a live completion sender and then await forever because the worker is no longer draining the request channel. Consider clearing/closing the senders during stop/save or gating send_request/add_resize_listener on an explicit running-state check so they fail fast when the task is not running.

Suggested change

	// Cancel pending operations with save/restore reason.
	for mut transaction in state.inner.transactions.drain() {
	transaction.cancel(StorvscCompleteReason::SaveRestore);
	}
	Ok(StorvscDriverSavedState {
	version: state.version.major_minor,
	has_negotiated: state.has_negotiated,
	let version = state.version.major_minor;
	let has_negotiated = state.has_negotiated;
	// Cancel pending operations with save/restore reason.
	for mut transaction in state.inner.transactions.drain() {
	transaction.cancel(StorvscCompleteReason::SaveRestore);
	}
	// Remove the stopped worker state so its request/listener receivers
	// are dropped and future sends fail fast instead of queueing work
	// that no task will ever drain.
	s.remove();
	Ok(StorvscDriverSavedState {
	version,
	has_negotiated,

[Copilot]

The comment says the UNIT ATTENTION path will “resend this request”, but the implementation cancels the pending operation with StorvscCompleteReason::UnitAttention and does not resend. Either update the comment to match behavior (caller must retry) or implement the resend logic here.

Suggested change

	// resend this request
	// cancel the pending request with UnitAttention so the caller can retry it.

[Copilot]

This hard-codes OPENHCL_STORVSC_USERMODE=1 into the default kernel command line, which contradicts the PR’s “opt-in only / not enabled by default” requirement. Please remove this before merge (or gate it behind an explicit test-only feature/build flag) so production boots remain opt-in via environment.

[Copilot]

disk_storvsc introduces substantial new disk I/O behavior (bounce-buffer vs zero-copy, retry logic on CancelledRetry, capacity refresh on resize), but the crate has no unit tests. Adding targeted tests (e.g., for send_scsi_request retry semantics and wait_resize behavior) would help prevent regressions.

Suggested change

	// TODO: Add unit tests for wait_resize -- cover error retry with
	// listen.await backoff, and capacity change detection.
	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	// Refetch capacity from host (we're in async context here)
	let capacity = match self.fetch_capacity().await {
	Ok(c) => c,
	Err(e) => {
	tracing::error!(
	error = e.as_ref() as &dyn std::error::Error,
	"failed to refetch capacity on resize"
	);
	listen.await;
	continue;
	}
	};
	if capacity.num_sectors != sector_count {
	break capacity.num_sectors;
	}
	listen.await;
	}
	}
	}
	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	let next = match self.fetch_capacity().await {
	Ok(capacity) => {
	wait_resize_next_action(sector_count, Ok(capacity.num_sectors))
	}
	Err(e) => {
	tracing::error!(
	error = e.as_ref() as &dyn std::error::Error,
	"failed to refetch capacity on resize"
	);
	wait_resize_next_action(sector_count, Err(()))
	}
	};
	match next {
	WaitResizeAction::ReturnUpdatedCapacity(num_sectors) => break num_sectors,
	WaitResizeAction::WaitForNotification => listen.await,
	}
	}
	}
	}
	#[derive(Debug, Clone, Copy, PartialEq, Eq)]
	enum WaitResizeAction {
	WaitForNotification,
	ReturnUpdatedCapacity(u64),
	}
	fn wait_resize_next_action(
	sector_count: u64,
	observed_sector_count: Result<u64, ()>,
	) -> WaitResizeAction {
	match observed_sector_count {
	Ok(observed_sector_count) if observed_sector_count != sector_count => {
	WaitResizeAction::ReturnUpdatedCapacity(observed_sector_count)
	}
	Ok(_) | Err(()) => WaitResizeAction::WaitForNotification,
	}
	}
	#[cfg(test)]
	mod tests {
	use super::WaitResizeAction;
	use super::wait_resize_next_action;
	use test_with_tracing::test;
	#[test]
	fn wait_resize_retries_after_capacity_refresh_error() {
	assert_eq!(
	wait_resize_next_action(1024, Err(())),
	WaitResizeAction::WaitForNotification
	);
	}
	#[test]
	fn wait_resize_waits_when_capacity_is_unchanged() {
	assert_eq!(
	wait_resize_next_action(1024, Ok(1024)),
	WaitResizeAction::WaitForNotification
	);
	}
	#[test]
	fn wait_resize_returns_when_capacity_changes() {
	assert_eq!(
	wait_resize_next_action(1024, Ok(2048)),
	WaitResizeAction::ReturnUpdatedCapacity(2048)
	);
	}
	}

[github-actions]

13 Petri tests failed (0 unstable)

[github-actions]

9 Petri tests failed (0 unstable)

[Copilot]

Pull request overview

Copilot reviewed 26 out of 27 changed files in this pull request and generated 6 comments.

[Copilot]

Slab::drain() yields (usize, PendingOperation) in slab 0.4.x. Iterating as for mut transaction in ...drain() will not compile (tuple has no cancel). Destructure the tuple (or use drain().for_each) so you call cancel(...) on the PendingOperation value.

Suggested change

	for mut transaction in state.inner.transactions.drain() {
	for (_, mut transaction) in state.inner.transactions.drain() {

[Copilot]

Comment typo: "Task was not running, so not state to save" should be corrected (e.g., "no state to save").

Suggested change

	// Task was not running, so not state to save
	// Task was not running, so no state to save

[Copilot]

wait_resize() always refetches capacity via READ_CAPACITY(10) (fetch_capacity_10). For disks that required READ_CAPACITY(16) initially (>=2 TiB / last LBA == 0xFFFF_FFFF), this will cap the reported size and prevent detecting large resizes correctly. Use the same capacity query strategy as construction (prefer 16 for non-optical, fall back to 10) or branch based on device_type/a cached capability flag.

[Copilot]

These lock().unwrap() calls can panic if the mutex is ever poisoned. Since this runs on an async path (disk resolution) and is potentially on a trust boundary, prefer handling PoisonError (e.g., recover via into_inner() and log) or use a non-poisoning lock implementation so a previous panic can't turn into a persistent crash.

[Copilot]

The unbind/bind steps log all errors at debug! without checking expected vs unexpected error kinds. This can make real failures (e.g., EPERM/ENOENT) easy to miss while still leading to later hard failures when opening the UIO device. Consider matching on ErrorKind/raw_os_error() (e.g., treat ENODEV/EBUSY as debug, but warn/error for others) so operational issues surface in normal logs.

[Copilot]

MemoryBlock::read_obj() uses unchecked slice indexing and will panic on out-of-bounds. Here, vpd_header.page_length and designator_header.identifier_length come from the host/device (untrusted) and can make buf_pos exceed the allocated 4K buffer, leading to a crash. Please add explicit bounds checks against data_in_size (and validate page_length/descriptor sizes) before calling read_obj, or parse using fallible methods that return an error instead of panicking.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 27 changed files in this pull request and generated 12 comments.

[Copilot]

size_of is used unqualified throughout this new file but std::mem::size_of is not imported. This will fail to compile; either add use std::mem::size_of; near the imports or qualify each call as std::mem::size_of::<T>().

[Copilot]

Changing the signature of the public channel() function is a breaking API change for downstream crates. Consider re-introducing the previous channel(driver, file) as a wrapper that calls the new function with None, None (and optionally deprecate the old signature) to preserve compatibility while still enabling configurable ring sizes.

Suggested change

	file: File,
	file: File,
	) -> Result<RawAsyncChannel<MappedRingMem>, Error> {
	channel_with_ring_sizes(driver, file, None, None)
	}
	/// Opens a channel with a file from [`open_uio_device`] and optional ring sizes.
	pub fn channel_with_ring_sizes(
	driver: &(impl Driver + ?Sized),
	file: File,

[Copilot]

fetch_optimal_unmap_sectors() treats any non-GOOD SCSI status as “not supported” and silently disables unmap. That can mask real device/transport errors. Prefer checking for the specific expected failure (e.g., CHECK_CONDITION + ILLEGAL REQUEST / relevant sense data) and return an error for other statuses so callers can surface genuine failures.

[Copilot]

The struct comment says capacity is “refetched on resize via wait_resize()”, but wait_resize() currently only returns the updated sector count and never updates the cached self.sector_count/self.sector_size. If DiskIo consumers expect sector_count() to reflect the new size after wait_resize() completes, this will remain stale. Consider using interior mutability (e.g., atomics or a mutex) to update cached capacity when a resize is detected, or adjust the comment/contract so callers know they must use the return value and not the cached getter.

Suggested change

	// sync DiskIo methods. Capacity is refetched on resize via wait_resize().
	// sync DiskIo methods. These cached values are not updated by wait_resize();
	// callers must use the value returned by wait_resize() after a resize.

[Copilot]

The struct comment says capacity is “refetched on resize via wait_resize()”, but wait_resize() currently only returns the updated sector count and never updates the cached self.sector_count/self.sector_size. If DiskIo consumers expect sector_count() to reflect the new size after wait_resize() completes, this will remain stale. Consider using interior mutability (e.g., atomics or a mutex) to update cached capacity when a resize is detected, or adjust the comment/contract so callers know they must use the return value and not the cached getter.

Suggested change

	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	// Refetch capacity from host (we're in async context here)
	//
	// This method refetches capacity from the host until it changes from the
	// caller-provided `sector_count`, then returns the updated sector count.
	// It does not update any cached capacity fields on `self`; callers must
	// use the returned value rather than assuming cached getters changed.
	async fn wait_resize(&self, sector_count: u64) -> u64 {
	loop {
	let listen = self.resize_event.listen();
	// Refetch capacity from the host (we're in async context here) and
	// compare it against the caller's current sector count.

[Copilot]

The bounce-buffer path allocates a fresh DMA buffer and an intermediate Vec<u8> on every read, which can add significant overhead for I/O-heavy workloads. Consider introducing a reusable buffer pool (or per-disk scratch buffers sized to max request) so reads/writes avoid repeated heap allocations and copies where possible.

[Copilot]

The bounce-buffer path allocates a fresh DMA buffer and an intermediate Vec<u8> on every read, which can add significant overhead for I/O-heavy workloads. Consider introducing a reusable buffer pool (or per-disk scratch buffers sized to max request) so reads/writes avoid repeated heap allocations and copies where possible.

[Copilot]

The retry loop for CancelledRetry has no backoff/yield and can immediately re-issue requests repeatedly. If the underlying condition persists briefly (e.g., during servicing churn), this can create a tight loop and log/CPU pressure. Consider adding a small async delay or at least an executor yield between retries (and include retry count in logs) to make retry behavior more stable.

[Copilot]

The retry loop for CancelledRetry has no backoff/yield and can immediately re-issue requests repeatedly. If the underlying condition persists briefly (e.g., during servicing churn), this can create a tight loop and log/CPU pressure. Consider adding a small async delay or at least an executor yield between retries (and include retry count in logs) to make retry behavior more stable.

Suggested change

	if num_tries < MAX_RETRIES {
	if num_tries < MAX_RETRIES {
	tracelimit::error_ratelimited!(
	error = &err as &dyn std::error::Error,
	retry = num_tries + 1,
	max_retries = MAX_RETRIES,
	"SCSI request cancelled; yielding before retry"
	);
	tokio::task::yield_now().await;

[Copilot]

This silently drops the bounce-disk configuration if sub_device_path doesn’t fit in u8 (.ok()), which makes failures harder to diagnose. Since the non-bounce storvsc path already treats out-of-range LUNs as an error, it would be more consistent to propagate an error here too (or reuse the already-validated LUN) so IDE direct-path routing can’t silently fall back to the unsafe/non-bounce behavior.

Suggested change

	let lun = u8::try_from(device.sub_device_path).ok();
	lun.map(|lun| {
	Resource::new(StorvscDiskBounceConfig {
	instance_guid: device.vmbus_instance_id,
	lun,
	})
	})
	let lun = u8::try_from(device.sub_device_path).context(
	"VScsi IDE direct-path routing requires sub_device_path to fit in u8",
	)?;
	Some(Resource::new(StorvscDiskBounceConfig {
	instance_guid: device.vmbus_instance_id,
	lun,
	}))

[github-actions]

10 Petri tests failed (0 unstable)