1 From 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 Mon Sep 17 00:00:00 2001
2 From: David Vrabel <david.vrabel@citrix.com>
3 Date: Thu, 7 Mar 2013 17:32:01 +0000
4 Subject: xen/blkback: correctly respond to unknown, non-native requests
6 From: David Vrabel <david.vrabel@citrix.com>
8 commit 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 upstream.
10 If the frontend is using a non-native protocol (e.g., a 64-bit
11 frontend with a 32-bit backend) and it sent an unrecognized request,
12 the request was not translated and the response would have the
13 incorrect ID. This may cause the frontend driver to behave
16 Since the ID field in the request is always in the same place,
17 regardless of the request type we can get the correct ID and make a
18 valid response (which will report BLKIF_RSP_EOPNOTSUPP).
20 This bug affected 64-bit SLES 11 guests when using a 32-bit backend.
21 This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES
22 source) and would crash in blkif_int() as the ID in the response would
25 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
26 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
27 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 drivers/block/xen-blkback/blkback.c | 31 +++++++++++++++++++++++++++----
31 drivers/block/xen-blkback/common.h | 25 +++++++++++++++++++++++++
32 include/xen/interface/io/blkif.h | 10 ++++++++++
33 3 files changed, 62 insertions(+), 4 deletions(-)
35 --- a/drivers/block/xen-blkback/blkback.c
36 +++ b/drivers/block/xen-blkback/blkback.c
37 @@ -422,6 +422,16 @@ static int dispatch_discard_io(struct xe
41 +static int dispatch_other_io(struct xen_blkif *blkif,
42 + struct blkif_request *req,
43 + struct pending_req *pending_req)
45 + free_req(pending_req);
46 + make_response(blkif, req->u.other.id, req->operation,
47 + BLKIF_RSP_EOPNOTSUPP);
51 static void xen_blk_drain_io(struct xen_blkif *blkif)
53 atomic_set(&blkif->drain, 1);
54 @@ -543,17 +553,30 @@ __do_block_io_op(struct xen_blkif *blkif
56 /* Apply all sanity checks to /private copy/ of request. */
58 - if (unlikely(req.operation == BLKIF_OP_DISCARD)) {
60 + switch (req.operation) {
62 + case BLKIF_OP_WRITE:
63 + case BLKIF_OP_WRITE_BARRIER:
64 + case BLKIF_OP_FLUSH_DISKCACHE:
65 + if (dispatch_rw_block_io(blkif, &req, pending_req))
68 + case BLKIF_OP_DISCARD:
69 free_req(pending_req);
70 if (dispatch_discard_io(blkif, &req))
72 - } else if (dispatch_rw_block_io(blkif, &req, pending_req))
76 + if (dispatch_other_io(blkif, &req, pending_req))
81 /* Yield point for this unbounded loop. */
89 --- a/drivers/block/xen-blkback/common.h
90 +++ b/drivers/block/xen-blkback/common.h
91 @@ -76,11 +76,18 @@ struct blkif_x86_32_request_discard {
93 } __attribute__((__packed__));
95 +struct blkif_x86_32_request_other {
98 + uint64_t id; /* private guest value, echoed in resp */
99 +} __attribute__((__packed__));
101 struct blkif_x86_32_request {
102 uint8_t operation; /* BLKIF_OP_??? */
104 struct blkif_x86_32_request_rw rw;
105 struct blkif_x86_32_request_discard discard;
106 + struct blkif_x86_32_request_other other;
108 } __attribute__((__packed__));
110 @@ -112,11 +119,19 @@ struct blkif_x86_64_request_discard {
112 } __attribute__((__packed__));
114 +struct blkif_x86_64_request_other {
116 + blkif_vdev_t _pad2;
117 + uint32_t _pad3; /* offsetof(blkif_..,u.discard.id)==8 */
118 + uint64_t id; /* private guest value, echoed in resp */
119 +} __attribute__((__packed__));
121 struct blkif_x86_64_request {
122 uint8_t operation; /* BLKIF_OP_??? */
124 struct blkif_x86_64_request_rw rw;
125 struct blkif_x86_64_request_discard discard;
126 + struct blkif_x86_64_request_other other;
128 } __attribute__((__packed__));
130 @@ -262,6 +277,11 @@ static inline void blkif_get_x86_32_req(
131 dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
135 + * Don't know how to translate this op. Only get the
136 + * ID so failure can be reported to the frontend.
138 + dst->u.other.id = src->u.other.id;
142 @@ -293,6 +313,11 @@ static inline void blkif_get_x86_64_req(
143 dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
147 + * Don't know how to translate this op. Only get the
148 + * ID so failure can be reported to the frontend.
150 + dst->u.other.id = src->u.other.id;
154 --- a/include/xen/interface/io/blkif.h
155 +++ b/include/xen/interface/io/blkif.h
156 @@ -138,11 +138,21 @@ struct blkif_request_discard {
158 } __attribute__((__packed__));
160 +struct blkif_request_other {
162 + blkif_vdev_t _pad2; /* only for read/write requests */
163 +#ifdef CONFIG_X86_64
164 + uint32_t _pad3; /* offsetof(blkif_req..,u.other.id)==8*/
166 + uint64_t id; /* private guest value, echoed in resp */
167 +} __attribute__((__packed__));
169 struct blkif_request {
170 uint8_t operation; /* BLKIF_OP_??? */
172 struct blkif_request_rw rw;
173 struct blkif_request_discard discard;
174 + struct blkif_request_other other;
176 } __attribute__((__packed__));