kern/152818: [panic][xen] disk driver data cannot cross a page boundary

Colin Percival cperciva at xps.daemonology.net
Sat Dec 4 02:20:13 UTC 2010


>Number:         152818
>Category:       kern
>Synopsis:       [panic][xen] disk driver data cannot cross a page boundary
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 04 02:20:12 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Colin Percival
>Release:        FreeBSD HEAD i386/XEN
>Organization:
>Environment:
FreeBSD HEAD (@ 2010-12-02), i386/XEN.
>Description:

The Xen blkfront driver panics with "XEN disk driver data cannot cross a
page boundary" when performing I/O to a buffer which is not sector-aligned
and starts just before a page boundary.

In blkif_queue_cb in blkfront.c, I/O is handled one page at a time, and
lines 1065--1067 attempt to map addresses in memory to sectors, but don't
acknowledge the fact that the memory buffer might not be aligned.

In addition to the panic message, it seems very likely that this could
cause data corruption (due to data being read/written from/to the wrong
part of a page) but I don't understand this code well enough to say.

>How-To-Repeat:

On a system where /dev/da0 is a Xen block device:

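#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char * argv[])
{
        /* Over-allocate so a page-aligned region fits inside the buffer. */
        char * buf = malloc(0x3000);
        /* Round up to the next 4 KB page boundary (mask is ~0xfff). */
        char * buf2 = (char *)(((uintptr_t)buf + 0xfff) & ~(uintptr_t)0xfff);
        int fd = open("/dev/da0", O_RDONLY);

        /* 512-byte read starting 0x100 bytes before a page boundary. */
        read(fd, &buf2[0xf00], 0x200);

        return (0);
}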

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
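
Added example, not part of the original report and not code from blkfront.c: a model of the per-page mapping constraint the description refers to. It assumes a block request segment can only name a range of whole 512-byte sectors inside a single 4 KB page; map_segments, struct seg, and the sample addresses are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ   4096u	/* assumed page size */
#define SECTOR_SZ 512u	/* assumed sector size */

/* One per-page piece of a buffer, as a first/last sector pair in that page. */
struct seg { unsigned first_sect, last_sect; };

/*
 * Split [addr, addr+len) at page boundaries and express each piece as whole
 * sectors within its page.  Returns the number of segments written to out,
 * or -1 if a piece does not start and end on a sector boundary, or if out
 * is too small.  Rejecting here replaces a later assertion failure.
 */
int
map_segments(uintptr_t addr, size_t len, struct seg *out, int max)
{
	int n = 0;

	while (len > 0) {
		size_t off = addr % PAGE_SZ;
		size_t chunk = PAGE_SZ - off;	/* bytes left in this page */

		if (chunk > len)
			chunk = len;
		if (off % SECTOR_SZ != 0 || chunk % SECTOR_SZ != 0 || n == max)
			return (-1);
		out[n].first_sect = off / SECTOR_SZ;
		out[n].last_sect = (off + chunk) / SECTOR_SZ - 1;
		n++;
		addr += chunk;
		len -= chunk;
	}
	return (n);
}

int
main(void)
{
	struct seg s[4];

	/* Constructed addresses; 0x10000 stands in for a page-aligned buffer. */
	printf("sector-aligned, crosses page: %d\n", map_segments(0x10e00, 0x400, s, 4));
	printf("offset 0xf00, length 0x200:   %d\n", map_segments(0x10f00, 0x200, s, 4));
	return (0);
}
```

The second call uses the same in-page offset and length as the reproducer above: its first piece starts half-way through sector 7, so no sector range can describe it.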

