ia64/xen-unstable

changeset 19542:cbaae05c2902

minios: fix a memory corruption in blkfront

The corruption happens every time we pass a sector aligned buffer
(instead of a page aligned buffer) to blkfront_aio. To trigger the COW
we have to write at least a byte to each page of the buffer, but we
must be careful not to overwrite useful content.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Apr 14 11:21:45 2009 +0100 (2009-04-14)
parents 0108af6efdae
children 81d6b5762c40
files extras/mini-os/blkfront.c
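--- a/extras/mini-os/blkfront.c	Tue Apr 14 11:20:55 2009 +0100
+++ b/extras/mini-os/blkfront.c	Tue Apr 14 11:21:45 2009 +0100
@@ -317,19 +317,21 @@ void blkfront_aio(struct blkfront_aiocb 
     req->sector_number = aiocbp->aio_offset / dev->info.sector_size;
 
     for (j = 0; j < n; j++) {
+        req->seg[j].first_sect = 0;
+        req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1;
+    }
+    req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / dev->info.sector_size;
+    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size;
+    for (j = 0; j < n; j++) {
 	uintptr_t data = start + j * PAGE_SIZE;
         if (!write) {
             /* Trigger CoW if needed */
-            *(char*)data = 0;
+            *(char*)(data + (req->seg[j].first_sect << 9)) = 0;
             barrier();
         }
 	aiocbp->gref[j] = req->seg[j].gref =
             gnttab_grant_access(dev->dom, virtual_to_mfn(data), write);
-	req->seg[j].first_sect = 0;
-	req->seg[j].last_sect = PAGE_SIZE / dev->info.sector_size - 1;
     }
-    req->seg[0].first_sect = ((uintptr_t)aiocbp->aio_buf & ~PAGE_MASK) / dev->info.sector_size;
-    req->seg[n-1].last_sect = (((uintptr_t)aiocbp->aio_buf + aiocbp->aio_nbytes - 1) & ~PAGE_MASK) / dev->info.sector_size;
 
     dev->ring.req_prod_pvt = i + 1;
 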
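Review bot: The CoW-trigger write `*(char*)(data + (req->seg[j].first_sect << 9)) = 0;` converts first_sect back to a byte offset with a fixed shift of 9, while the lines just above derive first_sect by dividing by `dev->info.sector_size`. If a backend ever reports a sector size other than 512, the two disagree and the zero byte lands in the page outside the caller's buffer, which is the stray write this change sets out to prevent. Using the same factor in both directions keeps them consistent: `*(char*)(data + req->seg[j].first_sect * dev->info.sector_size) = 0;`. blkfront_aio starts and ends outside the hunk, so whether the sector size is pinned to 512 elsewhere, or n is guaranteed non-zero before `req->seg[n-1]` is written, cannot be confirmed from here.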