# HG changeset patch
# User yamahata@xxxxxxxxxxxxx
# Date 1162386794 -32400
# Node ID db676284c05accf621e6635cd2f93f890ecf25ae
# Parent f9d0ee0d7de12861b809af224220e247a3ea9c66
[BLKTAP] avoid race between tapdisk and xvd daemon with ufe_ring.
- tapdisk updates rsp_cons by ioctl(). on the other hand xvd daemon reads rsp_cons in do_block_io_op() with RING_FULL(). copy request and memory barrier before updating rsp_cons.
- tapdisk access req_prod_pvt with select(). on the other hand xvd daemon updates it in do_block_io_op().
- add NULL check to blktap_release()
PATCHNAME: blktap_mb_fix
Signed-off-by: Isaku Yamahata
diff -r f9d0ee0d7de1 -r db676284c05a linux-2.6-xen-sparse/drivers/xen/blktap/blktap.c
--- a/linux-2.6-xen-sparse/drivers/xen/blktap/blktap.c Thu Nov 02 12:04:57 2006 +0900
+++ b/linux-2.6-xen-sparse/drivers/xen/blktap/blktap.c Wed Nov 01 22:13:14 2006 +0900
@@ -538,8 +538,10 @@ static int blktap_release(struct inode *
 }
 if ( (info->status != CLEANSHUTDOWN) && (info->blkif != NULL) ) {
- kthread_stop(info->blkif->xenblkd);
- info->blkif->xenblkd = NULL;
+ if (info->blkif->xenblkd != NULL) {
+ kthread_stop(info->blkif->xenblkd);
+ info->blkif->xenblkd = NULL;
+ }
 info->status = CLEANSHUTDOWN;
 }
 return 0;
@@ -1005,11 +1007,14 @@ static int blktap_read_ufe_ring(tap_blki
 rmb();
 for (i = info->ufe_ring.rsp_cons; i != rp; i++) {
+ blkif_response_t res;
 resp = RING_GET_RESPONSE(&info->ufe_ring, i);
+ memcpy(&res, resp, sizeof(res));
+ mb();
 ++info->ufe_ring.rsp_cons;
 /*retrieve [usr_idx] to [mmap_idx,pending_idx] mapping*/
- usr_idx = (int)resp->id;
+ usr_idx = (int)res.id;
 pending_idx = MASK_PEND_IDX(ID_TO_IDX(info->idx_map[usr_idx]));
 mmap_idx = ID_TO_MIDX(info->idx_map[usr_idx]);
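Review bot: In blktap_release(), the added `if (info->blkif->xenblkd != NULL)` test and the `kthread_stop()` under it load the pointer separately, and no lock is visible in the hunk, so the check narrows the window rather than closing it if another path can stop and clear xenblkd at the same time. If release is already serialized against that path, a comment should say so, e.g. `/* xenblkd may already be stopped; serialized by <lock or ordering> */`. Otherwise the pointer could be claimed once with `struct task_struct *t = xchg(&info->blkif->xenblkd, NULL);` followed by `if (t != NULL) kthread_stop(t);`, with the other writer doing the same. The function starts before the hunk, so any locking taken earlier in it is not visible here.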
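Review bot: In blktap_read_ufe_ring(), `usr_idx = (int)res.id;` is used on the very next line as `info->idx_map[usr_idx]` with no range check visible in between. The commit message says tapdisk drives this ring through ioctl(), so the id presumably originates in user space; copying the response into `res` stops it changing under the kernel, but the copied value still needs validating before it indexes a kernel array, e.g. `if (usr_idx < 0 || usr_idx >= <number of idx_map entries>) continue;` plus whatever cleanup the loop requires. The loop body continues past the hunk, but a check placed later would come after this first index. The new `mb();` also lacks the one-line comment that the barriers in do_block_io_op() and dispatch_rw_block_io() received; `/* finish copying the response before rsp_cons releases the slot */` would match them.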
@@ -1042,8 +1047,8 @@ static int blktap_read_ufe_ring(tap_blki
 map[offset] = NULL;
 }
 fast_flush_area(pending_req, pending_idx, usr_idx, info->minor);
- make_response(blkif, pending_req->id, resp->operation,
- resp->status);
+ make_response(blkif, pending_req->id, res.operation,
+ res.status);
 info->idx_map[usr_idx] = INVALID_REQ;
 blkif_put(pending_req->blkif);
 free_req(pending_req);
@@ -1132,6 +1137,7 @@ static int do_block_io_op(blkif_t *blkif
 }
 memcpy(&req, RING_GET_REQUEST(blk_ring, rc), sizeof(req));
+ mb(); /* make_response() reads req_cons asynchronously */
 blk_ring->req_cons = ++rc; /* before make_response() */
 switch (req.operation) {
@@ -1328,6 +1334,7 @@ static void dispatch_rw_block_io(blkif_t
 info->ufe_ring.req_prod_pvt);
 memcpy(target, req, sizeof(*req));
 target->id = usr_idx;
+ wmb(); /* blktap_poll() reads req_prod_pvt asynchronously */
 info->ufe_ring.req_prod_pvt++;
 return;
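Review bot: The barriers added in do_block_io_op() (`mb()` before `blk_ring->req_cons = ++rc`) and in dispatch_rw_block_io() (`wmb()` before `info->ufe_ring.req_prod_pvt++`) only order the accesses of the CPU that executes them. They protect the readers named in their comments only if make_response() and blktap_poll() issue a matching barrier between reading the index and acting on it. Neither reader is touched by this patch, so that pairing should be confirmed or added. The comments would also help more if they named what is being ordered, e.g. `/* copy the request out before req_cons releases the slot; pairs with <barrier in make_response()> */`. Both functions start and end outside their hunks.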