NetBSD-Bugs archive

kern/44964: cgd seems to panic on unaligned writes instead of giving EINVAL



>Number:         44964
>Category:       kern
>Synopsis:       cgd seems to panic on unaligned writes instead of giving EINVAL
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 13 17:10:01 +0000 2011
>Originator:     Taylor R Campbell <campbell+netbsd%mumble.net@localhost>
>Release:        NetBSD 5.99.51
>Organization:
>Environment:
System: NetBSD oberon.local 5.99.51 NetBSD 5.99.51 (RIAMONODEBUG) #143: Sun May 8 19:13:30 UTC 2011 root@smalltalk.local:/home/riastradh/netbsd/current/obj/sys/arch/i386/compile/RIAMONODEBUG i386
Architecture: i386
Machine: i386
>Description:

        I was trying to take a snapshot of my old machine's disk and
        store it in a cgd partition on my new machine, transmitting the
        bits over the network.  On the new machine, I ran something
        like this:

                socat tcp4-listen:12345,bind=10.0.1.2,reuseaddr stdout \
                | dd if=/dev/stdin of=/dev/rcgd2d bs=1m

        On the old laptop, I ran something like this:

                dd if=/dev/rwd0d of=/dev/stdout bs=1m \
                | socat stdin tcp4:10.0.1.2:12345

        Whatever block size I specified on the new machine, it panicked
        -- very soon for large block sizes, and after a couple hours
        for bs=512 (the transfer was, uh, very slow with bs=512).  I
        suspect that this is because the blocks got cut up into
        randomly sized chunks in transit over the network, and dd
        happily relayed randomly sized chunks straight to cgd, which
        should have given EINVAL instead of panicking.

        The next morning I learned that `bs=N' is not, in fact, the
        same as `ibs=N obs=N'.  Thanks, POSIX.  WTF?

        Here's a gdb stack trace from a fault in rijndael_blockEncrypt.
        I believe the faulting address was 0xcc501000, which gdb
        helpfully reports is out of bounds.  Note the unusual value
        len=2896 in cgd_cipher.  I have the core dump, so if you want
        to see the values of any of the data structures (e.g., the
        struct buf in question), let me know.

#7  0xc010d13f in calltrap ()
#8  0xc06c9924 in rijndael_blockEncrypt (cipher=0xcf4226ac, key=0xc3465000,
    input=0xcc501000 <Address 0xcc501000 out of bounds>, inputLen=4096,
    outBuffer=<value optimized out>)
    at /home/riastradh/netbsd/current/src/sys/crypto/rijndael/rijndael-api-fst.c:136
#9  0xc023f298 in aes_cbc_enc_int (privdata=0xcf422738, dst=0xc34ea000,
    src=0xcc501000, len=512)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd_crypto.c:209
#10 0xc023ec90 in cgd_cipher_uio_cbc (privdata=0xcf422738,
    cipher=0xc023f260 <aes_cbc_enc_int>, dstuio=0xcf4227d0, srcuio=0xcf4227b4)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd_crypto.c:115
#11 0xc023eee6 in cgd_cipher_aes_cbc (privdata=0xc3465000, dstuio=0xcf4227d0,
    srcuio=0xcf4227b4, iv=0xcf42281c, dir=-867168256)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd_crypto.c:235
#12 0xc023db25 in cgd_cipher (cs=0xcf39ef04, dstv=0xc34e9000, srcv=0xcc500000,
    len=2896, blkno=<value optimized out>, secsize=512, dir=2)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:904
#13 0xc023de9a in cgdstart (dksc=0xcf39ef08, bp=0xc322e790)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:392
#14 0xc028882d in dk_start (di=0xc0bd8a58, dksc=0xcf39ef08)
    at /home/riastradh/netbsd/current/src/sys/dev/dksubr.c:239
#15 0xc0288ab6 in dk_strategy (di=0xc0bd8a58, dksc=0xcf39ef08, bp=0xc322e790)
    at /home/riastradh/netbsd/current/src/sys/dev/dksubr.c:225
#16 0xc023e1d1 in cgdstrategy (bp=0xc322e790)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:297
#17 0xc051315c in physio (strategy=0xc023e190 <cgdstrategy>, obp=0x0,
    dev=23827, flags=0, min_phys=0xc0512e60 <minphys>, uio=0xcf422c7c)
    at /home/riastradh/netbsd/current/src/sys/kern/kern_physio.c:352
#18 0xc023d7b7 in cgdwrite (dev=23827, uio=0xcf422c7c, flags=592)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:496
#19 0xc0753627 in cdev_write (dev=23827, uio=0xcf422c7c, flag=592)
    at /home/riastradh/netbsd/current/src/sys/kern/subr_devsw.c:860
#20 0xc073ed07 in spec_write (v=0xcf422bf4)
    at /home/riastradh/netbsd/current/src/sys/miscfs/specfs/spec_vnops.c:666
#21 0xc089285d in VOP_WRITE (vp=0xcf0388c4, uio=0xcf422c7c, ioflag=592,
    cred=0xcf372480)
    at /home/riastradh/netbsd/current/src/sys/kern/vnode_if.c:431
#22 0xc0877f7f in vn_write (fp=0xcf371ac0, offset=0xcf371ac0, uio=0xcf422c7c,
    cred=0xcf372480, flags=1)
    at /home/riastradh/netbsd/current/src/sys/kern/vfs_vnops.c:566
#23 0xc0777413 in dofilewrite (fd=4, fp=0x0, buf=0xbb600000, nbyte=2896,
    offset=0xcf371ac0, flags=1, retval=0xcf422d28)
    at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:357
#24 0xc0777540 in sys_write (l=0xcf3c02a0, uap=0xcf422d00, retval=0xcf422d28)
    at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:325
#25 0xc0783079 in syscall (frame=0xcf422d48)
    at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:61
#26 0xc01005d6 in syscall1 ()

        gdb stack trace from another panic.

#9  0xc07622e5 in panic (fmt=0xc0b19830 "cgd_cipher: len %% blocksize != 0")
    at /home/riastradh/netbsd/current/src/sys/kern/subr_prf.c:298
#10 0xc023dc75 in cgd_cipher (cs=0xcf2d8e0c, dstv=0xc36b0000, srcv=0xcc500000, 
    len=9608, blkno=<value optimized out>, secsize=512, dir=2)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:862
#11 0xc023de9a in cgdstart (dksc=0xcf2d8e10, bp=0xc33c3794)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:392
#12 0xc028882d in dk_start (di=0xc0bd8a58, dksc=0xcf2d8e10)
    at /home/riastradh/netbsd/current/src/sys/dev/dksubr.c:239
#13 0xc0288ab6 in dk_strategy (di=0xc0bd8a58, dksc=0xcf2d8e10, bp=0xc33c3794)
    at /home/riastradh/netbsd/current/src/sys/dev/dksubr.c:225
#14 0xc023e1d1 in cgdstrategy (bp=0xc33c3794)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:297
#15 0xc051315c in physio (strategy=0xc023e190 <cgdstrategy>, obp=0x0, 
    dev=23827, flags=0, min_phys=0xc0512e60 <minphys>, uio=0xcf86bc7c)
    at /home/riastradh/netbsd/current/src/sys/kern/kern_physio.c:352
#16 0xc023d7b7 in cgdwrite (dev=23827, uio=0xcf86bc7c, flags=592)
    at /home/riastradh/netbsd/current/src/sys/dev/cgd.c:496
#17 0xc0753627 in cdev_write (dev=23827, uio=0xcf86bc7c, flag=592)
    at /home/riastradh/netbsd/current/src/sys/kern/subr_devsw.c:860
#18 0xc073ed07 in spec_write (v=0xcf86bbf4)
    at /home/riastradh/netbsd/current/src/sys/miscfs/specfs/spec_vnops.c:666
#19 0xc089285d in VOP_WRITE (vp=0xd0016638, uio=0xcf86bc7c, ioflag=592, 
    cred=0xcf360300)
    at /home/riastradh/netbsd/current/src/sys/kern/vnode_if.c:431
#20 0xc0877f7f in vn_write (fp=0xcf361c00, offset=0xcf361c00, uio=0xcf86bc7c,
    cred=0xcf360300, flags=1)
    at /home/riastradh/netbsd/current/src/sys/kern/vfs_vnops.c:566
#21 0xc0777413 in dofilewrite (fd=4, fp=0x6, buf=0xbb800000, nbyte=9608,
    offset=0xcf361c00, flags=1, retval=0xcf86bd28)
    at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:357
#22 0xc0777540 in sys_write (l=0xd8325800, uap=0xcf86bd00, retval=0xcf86bd28)
    at /home/riastradh/netbsd/current/src/sys/kern/sys_generic.c:325
#23 0xc0783079 in syscall (frame=0xcf86bd48)
    at /home/riastradh/netbsd/current/src/sys/sys/syscallvar.h:61
#24 0xc01005d6 in syscall1 ()

>How-To-Repeat:

        Write unaligned blocks to a cgd.  Hope you didn't have any
        important session state on your machine.

>Fix:

        Yes, please!
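
Added example, not part of the original report and not code from NetBSD's cgd driver: a user-space C model of why the two traces differ and of the entry check that returns EINVAL instead. The function names are hypothetical, and the "unchecked" path is an assumption built only from the panic string, secsize=512, the 16-byte AES block size, and the two len values in the traces.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIPHER_BLOCK 16u        /* AES block size in bytes */

/* Outcome of handing a length to a per-sector cipher loop with no check. */
enum unchecked { UNCHECKED_OK, UNCHECKED_PANIC, UNCHECKED_OVERRUN };

/* Model (assumption): the only guard is "len % blocksize", as in the panic
 * string; anything that passes is then processed one whole sector at a time. */
static enum unchecked classify_unchecked(size_t len, size_t secsize)
{
    if (len % CIPHER_BLOCK != 0)
        return UNCHECKED_PANIC;     /* "cgd_cipher: len % blocksize != 0" */
    if (len % secsize != 0)
        return UNCHECKED_OVERRUN;   /* last sector extends past the buffer */
    return UNCHECKED_OK;
}

/* Minimum number of bytes past the end of the buffer that a whole-sector
 * loop touches when len is not a multiple of secsize. */
static size_t min_overrun(size_t len, size_t secsize)
{
    size_t rem = len % secsize;
    return rem ? secsize - rem : 0;
}

/* Hardened entry check: reject the request before any cipher code runs.
 * This example assumes power-of-two sector sizes. */
static int validate_xfer(uint64_t offset, size_t len, size_t secsize)
{
    if (secsize == 0 || (secsize & (secsize - 1)) != 0)
        return EINVAL;
    if ((offset & (secsize - 1)) != 0 || (len & (secsize - 1)) != 0)
        return EINVAL;              /* unaligned start or partial sector */
    return 0;
}

int main(void)
{
    /* Lengths taken from the two stack traces, plus one aligned request. */
    const size_t lens[] = { 2896, 9608, 4096 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%zu unchecked=%d overrun>=%zu validate=%d\n", lens[i],
            (int)classify_unchecked(lens[i], 512), min_overrun(lens[i], 512),
            validate_xfer(0, lens[i], 512));
    return 0;
}
```

In this model len=2896 is a multiple of 16, so it passes the block-size guard and fails later in the cipher, while len=9608 is not and trips the panic directly; both are rejected up front by the sector-size check.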


