Date:      4 Dec 2010 02:20:04 -0000
From:      Colin Percival <cperciva@xps.daemonology.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/152818: [panic][xen] disk driver data cannot cross a page boundary
Message-ID:  <20101204022004.1047.qmail@xps.daemonology.net>
Resent-Message-ID: <201012040220.oB42KCRn019159@freefall.freebsd.org>


>Number:         152818
>Category:       kern
>Synopsis:       [panic][xen] disk driver data cannot cross a page boundary
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 04 02:20:12 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Colin Percival
>Release:        FreeBSD HEAD i386/XEN
>Organization:
>Environment:
FreeBSD HEAD (@ 2010-12-02), i386/XEN.
>Description:

The Xen blkfront driver panics with "XEN disk driver data cannot cross a
page boundary" when performing I/O to a buffer which is not sector-aligned
and starts just before a page boundary.

In blkif_queue_cb in blkfront.c, I/O is handled one page at a time, and
lines 1065--1067 attempt to map addresses in memory to sectors, but don't
acknowledge the fact that the memory buffer might not be aligned.

In addition to the panic message, it seems very likely that this could
cause data corruption (due to data being read/written from/to the wrong
part of a page) but I don't understand this code well enough to say.

>How-To-Repeat:

On a system where /dev/da0 is a Xen block device:

#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char * argv[])
{
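        /* Over-allocate so a page-aligned pointer fits inside the buffer. */
        char * buf = malloc(0x3000);
        /* Round buf up to the next page boundary. */
        char * buf2 = (char *)(((uintptr_t)buf + 0xfff) & ~(uintptr_t)0xfff);
        int fd = open("/dev/da0", O_RDONLY);

        if (buf == NULL || fd == -1)
                return (1);

        /* 0x200-byte read starting 0x100 bytes before a page boundary. */
        read(fd, &buf2[0xf00], 0x200);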

        return (0);
}

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
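
The page-at-a-time handling described in the report, worked through as an added example (not code from the report or from blkfront.c): it splits a buffer at page boundaries and flags pieces that cannot be expressed as whole sectors. The 4096-byte page, the 512-byte sector, the address 0x10000f00 and all names here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define EX_PAGE   4096u  /* assumed page size */
#define EX_SECTOR 512u   /* assumed sector size */

struct piece {
    uintptr_t addr;  /* start of this piece */
    size_t len;      /* bytes in this piece; never crosses a page */
    int whole;       /* 1 if page offset and length are sector multiples */
};

/* Split [addr, addr+len) at page boundaries.
 * Returns the number of pieces, or -1 if out[] is too small. */
int split_by_page(uintptr_t addr, size_t len, struct piece *out, int max)
{
    int n = 0;
    while (len > 0) {
        size_t off = addr & (EX_PAGE - 1);
        size_t chunk = EX_PAGE - off;
        if (chunk > len) chunk = len;
        if (n == max) return -1;
        out[n++] = (struct piece){ addr, chunk,
            off % EX_SECTOR == 0 && chunk % EX_SECTOR == 0 };
        addr += chunk; len -= chunk;
    }
    return n;
}

/* 1 if every per-page piece consists of whole sectors, else 0. */
int page_io_safe(uintptr_t addr, size_t len)
{
    while (len > 0) {
        size_t off = addr & (EX_PAGE - 1);
        size_t chunk = (EX_PAGE - off < len) ? EX_PAGE - off : len;
        if (off % EX_SECTOR != 0 || chunk % EX_SECTOR != 0) return 0;
        addr += chunk; len -= chunk;
    }
    return 1;
}

int main(void)
{
    struct piece p[4];
    /* Constructed address with the same offsets as the report: 0xf00 into a page, 0x200 bytes. */
    int n = split_by_page(0x10000f00u, 0x200, p, 4);
    for (int i = 0; i < n; i++)
        printf("piece %d: page offset 0x%zx, %zu bytes, whole sectors: %d\n",
            i, (size_t)(p[i].addr & (EX_PAGE - 1)), p[i].len, p[i].whole);
    return 0;
}
```

For the buffer in the report, each page receives half a sector, so neither piece can be described in whole sectors within its page.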


