From owner-freebsd-bugs@FreeBSD.ORG Sat Dec 4 02:20:13 2010
Message-Id: <20101204022004.1047.qmail@xps.daemonology.net>
Date: 4 Dec 2010 02:20:04 -0000
From: Colin Percival
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/152818: [panic][xen] disk driver data cannot cross a page boundary
Reply-To: Colin Percival

>Number:         152818
>Category:       kern
>Synopsis:       [panic][xen] disk driver data cannot cross a page boundary
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 04 02:20:12 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Colin Percival
>Release:        FreeBSD HEAD i386/XEN
>Organization:
>Environment:
FreeBSD HEAD (@ 2010-12-02), i386/XEN.
>Description:
The Xen blkfront driver panics with "XEN disk driver data cannot cross a
page boundary" when performing I/O to a buffer which is not sector-aligned
and starts just before a page boundary.

In blkif_queue_cb in blkfront.c, I/O is handled one page at a time, and
lines 1065--1067 attempt to map addresses in memory to sectors, but don't
acknowledge the fact that the memory buffer might not be aligned.

In addition to the panic message, it seems very likely that this could
cause data corruption (due to data being read/written from/to the wrong
part of a page) but I don't understand this code well enough to say.
>How-To-Repeat:
On a system where /dev/da0 is a Xen block device:

#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char * argv[])
{
	/* Three pages, so a page-aligned address plus 0x1100 bytes fits. */
	char * buf = malloc(0x3000);
	/* Round up to the next page boundary. */
	char * buf2 = (char *)(((uintptr_t)buf + 0xfff) & ~(uintptr_t)0xfff);
	int fd = open("/dev/da0", O_RDONLY);

	/* One-sector read into a buffer starting 0x100 bytes before a page end. */
	read(fd, &buf2[0xf00], 0x200);
	return (0);
}
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
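
The arithmetic behind the report, as an added example (not code from the report or from blkfront.c): it splits a transfer at page boundaries and checks whether each per-page piece is a whole number of sectors. The 4 KiB page size, the 512-byte sector size, the constructed address and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry: 4 KiB pages, 512-byte sectors (8 sectors per page). */
#define PG_SIZE   0x1000u
#define SECT_SIZE 0x200u

struct seg {
    uintptr_t off;  /* byte offset of the segment within its page */
    size_t    len;  /* bytes of the transfer that fall in that page */
};

/* Split [addr, addr+len) at page boundaries; returns the segment count. */
static size_t split_pages(uintptr_t addr, size_t len, struct seg *out, size_t max)
{
    size_t n = 0;
    while (len > 0 && n < max) {
        uintptr_t off = addr & (PG_SIZE - 1);
        size_t chunk = PG_SIZE - off;
        if (chunk > len)
            chunk = len;
        out[n].off = off;
        out[n].len = chunk;
        n++;
        addr += chunk;
        len -= chunk;
    }
    return n;
}

/* A segment maps to whole sectors only if both ends are sector-aligned. */
static int seg_whole_sectors(const struct seg *s)
{
    return s->len > 0 && s->off % SECT_SIZE == 0 && s->len % SECT_SIZE == 0;
}

int main(void)
{
    /* Constructed address: page-aligned base + 0xf00, as in the reproducer. */
    struct seg segs[4];
    size_t n = split_pages((uintptr_t)0x10000 + 0xf00, 0x200, segs, 4);
    for (size_t i = 0; i < n; i++)
        printf("seg %zu: off=0x%03lx len=0x%03zx sector(off)=%lu %s\n", i,
            (unsigned long)segs[i].off, segs[i].len,
            (unsigned long)(segs[i].off / SECT_SIZE),
            seg_whole_sectors(&segs[i]) ? "ok" : "NOT whole sectors");
    return 0;
}
```

For the reproducer's 0x200-byte read at page offset 0xf00, each page receives half a sector, so neither piece can be described as a whole-sector range within its page.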