122 lines
4.5 KiB
Diff
122 lines
4.5 KiB
Diff
From ef0d243bfeaf1da8854c26f89536dc1b69c56602 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
|
|
<marmarek@invisiblethingslab.com>
|
|
Date: Wed, 16 Dec 2015 05:51:10 +0100
|
|
Subject: [PATCH 12/13] xen-blkfront: make local copy of response before using
|
|
it
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Organization: Invisible Things Lab
|
|
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
|
|
Data on the shared page can be changed at any time by the backend. Make
|
|
a local copy, which is no longer controlled by the backend. And only
|
|
then access it.
|
|
|
|
This is part of XSA155.
|
|
|
|
CC: stable@vger.kernel.org
|
|
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
---
|
|
drivers/block/xen-blkfront.c | 34 +++++++++++++++++-----------------
|
|
1 file changed, 17 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
|
|
index 2fee2ee..5d7eb04 100644
|
|
--- a/drivers/block/xen-blkfront.c
|
|
+++ b/drivers/block/xen-blkfront.c
|
|
@@ -1296,7 +1296,7 @@ static void blkif_completion(struct blk_shadow *s, struct blkfront_info *info,
|
|
static irqreturn_t blkif_interrupt(int irq, void *dev_id)
|
|
{
|
|
struct request *req;
|
|
- struct blkif_response *bret;
|
|
+ struct blkif_response bret;
|
|
RING_IDX i, rp;
|
|
unsigned long flags;
|
|
struct blkfront_info *info = (struct blkfront_info *)dev_id;
|
|
@@ -1316,8 +1316,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
|
|
for (i = info->ring.rsp_cons; i != rp; i++) {
|
|
unsigned long id;
|
|
|
|
- bret = RING_GET_RESPONSE(&info->ring, i);
|
|
- id = bret->id;
|
|
+ RING_COPY_RESPONSE(&info->ring, i, &bret);
|
|
+ id = bret.id;
|
|
/*
|
|
* The backend has messed up and given us an id that we would
|
|
* never have given to it (we stamp it up to BLK_RING_SIZE -
|
|
@@ -1325,29 +1325,29 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
|
|
*/
|
|
if (id >= BLK_RING_SIZE) {
|
|
WARN(1, "%s: response to %s has incorrect id (%ld)\n",
|
|
- info->gd->disk_name, op_name(bret->operation), id);
|
|
+ info->gd->disk_name, op_name(bret.operation), id);
|
|
/* We can't safely get the 'struct request' as
|
|
* the id is busted. */
|
|
continue;
|
|
}
|
|
req = info->shadow[id].request;
|
|
|
|
- if (bret->operation != BLKIF_OP_DISCARD)
|
|
- blkif_completion(&info->shadow[id], info, bret);
|
|
+ if (bret.operation != BLKIF_OP_DISCARD)
|
|
+ blkif_completion(&info->shadow[id], info, &bret);
|
|
|
|
if (add_id_to_freelist(info, id)) {
|
|
WARN(1, "%s: response to %s (id %ld) couldn't be recycled!\n",
|
|
- info->gd->disk_name, op_name(bret->operation), id);
|
|
+ info->gd->disk_name, op_name(bret.operation), id);
|
|
continue;
|
|
}
|
|
|
|
- error = (bret->status == BLKIF_RSP_OKAY) ? 0 : -EIO;
|
|
- switch (bret->operation) {
|
|
+ error = (bret.status == BLKIF_RSP_OKAY) ? 0 : -EIO;
|
|
+ switch (bret.operation) {
|
|
case BLKIF_OP_DISCARD:
|
|
- if (unlikely(bret->status == BLKIF_RSP_EOPNOTSUPP)) {
|
|
+ if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
|
|
struct request_queue *rq = info->rq;
|
|
printk(KERN_WARNING "blkfront: %s: %s op failed\n",
|
|
- info->gd->disk_name, op_name(bret->operation));
|
|
+ info->gd->disk_name, op_name(bret.operation));
|
|
error = -EOPNOTSUPP;
|
|
info->feature_discard = 0;
|
|
info->feature_secdiscard = 0;
|
|
@@ -1358,15 +1358,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
|
|
break;
|
|
case BLKIF_OP_FLUSH_DISKCACHE:
|
|
case BLKIF_OP_WRITE_BARRIER:
|
|
- if (unlikely(bret->status == BLKIF_RSP_EOPNOTSUPP)) {
|
|
+ if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
|
|
printk(KERN_WARNING "blkfront: %s: %s op failed\n",
|
|
- info->gd->disk_name, op_name(bret->operation));
|
|
+ info->gd->disk_name, op_name(bret.operation));
|
|
error = -EOPNOTSUPP;
|
|
}
|
|
- if (unlikely(bret->status == BLKIF_RSP_ERROR &&
|
|
+ if (unlikely(bret.status == BLKIF_RSP_ERROR &&
|
|
info->shadow[id].req.u.rw.nr_segments == 0)) {
|
|
printk(KERN_WARNING "blkfront: %s: empty %s op failed\n",
|
|
- info->gd->disk_name, op_name(bret->operation));
|
|
+ info->gd->disk_name, op_name(bret.operation));
|
|
error = -EOPNOTSUPP;
|
|
}
|
|
if (unlikely(error)) {
|
|
@@ -1378,9 +1378,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id)
|
|
/* fall through */
|
|
case BLKIF_OP_READ:
|
|
case BLKIF_OP_WRITE:
|
|
- if (unlikely(bret->status != BLKIF_RSP_OKAY))
|
|
+ if (unlikely(bret.status != BLKIF_RSP_OKAY))
|
|
dev_dbg(&info->xbdev->dev, "Bad return from blkdev data "
|
|
- "request: %x\n", bret->status);
|
|
+ "request: %x\n", bret.status);
|
|
|
|
__blk_end_request_all(req, error);
|
|
break;
|
|
--
|
|
2.1.0
|
|
|