Stephen C. Tweedie
2006-Sep-28 14:47 UTC
[Xen-devel] [Patch] Fix blktap oops on domain shutdown
When a domain shuts down with a blktap-backed block device open, it can easily cause a dom0 oops. The XenbusStateClosing event can occur while the tapdisk userland thread is still processing IO requests (eg. readaheads) from the domU. But the xenbus state handler calls tap_blkif_unmap(), unmapping the blkif->blk_ring.sring ring buffer, so when the tapdisk thread next calls the BLKTAP_IOCTL_KICK_FE to return the completion event to the FE via that ring buffer, it oopses.

This can be fixed simply by not calling tap_blkif_unmap() in this case; the ring buffer will still be unmapped later on when the blkif is destroyed by blktap_remove(), only then it will properly wait for the blkif refcnt to reach zero before doing so.

Signed-off-by: Stephen Tweedie <sct@redhat.com>

diff -r bd811e94d293 -r ed51caee4fe6 linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c --- a/linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c Tue Sep 26 19:50:07 2006 +0100 +++ b/linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c Thu Sep 28 15:38:25 2006 +0100 @@ -273,7 +273,6 @@ static void tap_frontend_changed(struct kthread_stop(be->blkif->xenblkd); be->blkif->xenblkd = NULL; } - tap_blkif_unmap(be->blkif); xenbus_switch_state(dev, XenbusStateClosing); break;

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
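Review bot: in tap_frontend_changed(), the removed tap_blkif_unmap(be->blkif) line leaves nothing at the call site to record that the unmap is deliberately deferred to blktap_remove(); a short comment just before xenbus_switch_state(dev, XenbusStateClosing) would keep the call from being re-added later. The fix also depends on the tapdisk completion path (BLKTAP_IOCTL_KICK_FE) holding a blkif reference for as long as it touches the ring, since the description relies on blktap_remove() waiting for the refcnt to reach zero; that is not visible in this hunk and is worth confirming, along with whether any other caller still expects the ring to be unmapped once the state has switched to Closing.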
Andrew Warfield
2006-Sep-28 19:04 UTC
[Xen-devel] Re: [Patch] Fix blktap oops on domain shutdown
Applied, thank you.

a.

On 9/28/06, Stephen C. Tweedie <sct@redhat.com> wrote:
> When a domain shuts down with a blktap-backed block device open, it can
> easily cause a dom0 oops. The XenbusStateClosing event can occur while
> the tapdisk userland thread is still processing IO requests (eg.
> readaheads) from the domU. But the xenbus state handler calls
> tap_blkif_unmap(), unmapping the blkif->blk_ring.sring ring buffer, so
> when the tapdisk thread next calls the BLKTAP_IOCTL_KICK_FE to return
> the completion event to the FE via that ring buffer, it oopses.
>
> This can be fixed simply by not calling tap_blkif_unmap() in this case;
> the ring buffer will still be unmapped later on when the blkif is
> destroyed by blktap_remove(), only then it will properly wait for the
> blkif refcnt to reach zero before doing so.
>
> Signed-off-by: Stephen Tweedie <sct@redhat.com>
>
> diff -r bd811e94d293 -r ed51caee4fe6 linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c > --- a/linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c Tue Sep 26 19:50:07 2006 +0100 > +++ b/linux-2.6-xen-sparse/drivers/xen/blktap/xenbus.c Thu Sep 28 15:38:25 2006 +0100 > @@ -273,7 +273,6 @@ static void tap_frontend_changed(struct > kthread_stop(be->blkif->xenblkd); > be->blkif->xenblkd = NULL; > } > - tap_blkif_unmap(be->blkif); > xenbus_switch_state(dev, XenbusStateClosing); > break;
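The lifetime rule this thread's fix relies on (the shared ring stays mapped until the last reference is dropped) can be modelled in userspace. This is an added example, not part of either message and not blktap code; every name in it is hypothetical, and the thread interleaving is replayed as a fixed single-threaded sequence.

```c
/* Added illustration: a single-threaded userspace model of the shutdown
 * ordering, not blktap code. Every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct ring { int rsp_prod; };       /* stands in for the shared ring page */
struct backend {
    struct ring *ring;               /* NULL once unmapped */
    int refcnt;                      /* owner + one per in-flight request */
};

static void ring_unmap(struct backend *b) { free(b->ring); b->ring = NULL; }

/* Drop one reference; only the last holder unmaps the ring. */
static void backend_put(struct backend *b) {
    if (--b->refcnt == 0 && b->ring) ring_unmap(b);
}

/* Completion path: write the response into the ring, then drop the request's
 * reference. Returns -1 where a kernel would dereference an unmapped ring. */
static int request_complete(struct backend *b) {
    int rc = -1;
    if (b->ring) { b->ring->rsp_prod++; rc = 0; }
    backend_put(b);
    return rc;
}

/* Sequence: request in flight -> Closing event -> completion and removal.
 * eager_unmap:  the Closing handler unmaps immediately (pre-patch ordering).
 * remove_first: removal drops the owner reference before the completion runs.
 * Returns the completion result, or -2 if the ring leaked. */
static int run_shutdown(int eager_unmap, int remove_first) {
    struct backend b = { calloc(1, sizeof(struct ring)), 1 };
    int rc;
    if (!b.ring) return -2;
    b.refcnt++;                          /* request goes in flight */
    if (eager_unmap) ring_unmap(&b);     /* Closing handler, old behaviour */
    if (remove_first) { backend_put(&b); rc = request_complete(&b); }
    else              { rc = request_complete(&b); backend_put(&b); }
    return (b.ring == NULL && b.refcnt == 0) ? rc : -2;
}

int main(void) {
    printf("eager=%d deferred=%d deferred,remove-first=%d\n",
           run_shutdown(1, 0), run_shutdown(0, 0), run_shutdown(0, 1));
    return 0;
}
```

In the model the eager unmap makes the completion fail whichever order removal and completion run in, while the deferred unmap succeeds in both orders and still frees the ring exactly once.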