[kernel/f16] Add patch to fix xen dom0 crash when using BLKDISCARD (rhbz 824641)

Josh Boyer jwboyer at fedoraproject.org
Tue Jul 10 17:27:20 UTC 2012


commit 3c82288578a839833c02e6d5fc9efde16afda79a
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Jul 10 13:26:24 2012 -0400

    Add patch to fix xen dom0 crash when using BLKDISCARD (rhbz 824641)

 kernel.spec                                        |   11 ++++-
 ...ck-Copy-id-field-when-doing-BLKIF_DISCARD.patch |   54 ++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index bde26bf..bb8e2f6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 4
+%global baserelease 5
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -810,6 +810,9 @@ Patch22048: net-qmi_wwan-fix-Gobi-device-probing.patch
 
 Patch22050: ACPI-APEI-Avoid-too-much-error-reporting.patch
 
+#rhbz 824641
+Patch22051: xen-blkback-Copy-id-field-when-doing-BLKIF_DISCARD.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1506,6 +1509,9 @@ ApplyPatch net-qmi_wwan-fix-Gobi-device-probing.patch
 
 ApplyPatch ACPI-APEI-Avoid-too-much-error-reporting.patch
 
+#rhbz 824641
+ApplyPatch xen-blkback-Copy-id-field-when-doing-BLKIF_DISCARD.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2244,6 +2250,9 @@ fi
 # and build.
 
 %changelog
+* Tue Jul 10 2012 Josh Boyer <jwboyer at redhat.com>
+- Add patch to fix xen dom0 crash when using BLKDISCARD (rhbz 824641)
+
 * Fri Jul 06 2012 Justin M. Forbes <jforbes at redhat.com>
 - ACPI, APEI, Avoid too much error reporting in runtime
 
diff --git a/xen-blkback-Copy-id-field-when-doing-BLKIF_DISCARD.patch b/xen-blkback-Copy-id-field-when-doing-BLKIF_DISCARD.patch
new file mode 100644
index 0000000..056d79b
--- /dev/null
+++ b/xen-blkback-Copy-id-field-when-doing-BLKIF_DISCARD.patch
@@ -0,0 +1,54 @@
+From 8c9ce606a60e4a0cb447bdc082ce383b96b227b4 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+Date: Fri, 25 May 2012 16:11:09 -0400
+Subject: [PATCH] xen/blkback: Copy id field when doing BLKIF_DISCARD.
+
+We weren't copying the id field so when we sent the response
+back to the frontend (especially with a 64-bit host and 32-bit
+guest), we ended up using a random value. This lead to the
+frontend crashing as it would try to pass to __blk_end_request_all
+a NULL 'struct request' (b/c it would use the 'id' to find the
+proper 'struct request' in its shadow array) and end up crashing:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000e4
+IP: [<c0646d4c>] __blk_end_request_all+0xc/0x40
+.. snip..
+EIP is at __blk_end_request_all+0xc/0x40
+.. snip..
+ [<ed95db72>] blkif_interrupt+0x172/0x330 [xen_blkfront]
+
+This fixes the bug by passing in the proper id for the response.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=824641
+
+CC: stable at kernel.org
+Tested-by: William Dauchy <wdauchy at gmail.com>
+Acked-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+ drivers/block/xen-blkback/common.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/xen-blkback/common.h b/drivers/block/xen-blkback/common.h
+index 773cf27..9ad3b5e 100644
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -257,6 +257,7 @@ static inline void blkif_get_x86_32_req(struct blkif_request *dst,
+ 		break;
+ 	case BLKIF_OP_DISCARD:
+ 		dst->u.discard.flag = src->u.discard.flag;
++		dst->u.discard.id = src->u.discard.id;
+ 		dst->u.discard.sector_number = src->u.discard.sector_number;
+ 		dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
+ 		break;
+@@ -287,6 +288,7 @@ static inline void blkif_get_x86_64_req(struct blkif_request *dst,
+ 		break;
+ 	case BLKIF_OP_DISCARD:
+ 		dst->u.discard.flag = src->u.discard.flag;
++		dst->u.discard.id = src->u.discard.id;
+ 		dst->u.discard.sector_number = src->u.discard.sector_number;
+ 		dst->u.discard.nr_sectors = src->u.discard.nr_sectors;
+ 		break;
+-- 
+1.7.10.4
+
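Review bot: The BLKIF_OP_DISCARD case in both blkif_get_x86_32_req and blkif_get_x86_64_req still fills `dst` one member at a time after the added `dst->u.discard.id = src->u.discard.id;` lines, so any member not listed keeps whatever `dst` held before. The commit message's "random value" suggests the caller does not clear `dst`, though that code is outside the hunk. Because the id is echoed to the frontend in the response, an uncopied member is a correctness bug and may also expose stale backend memory to the guest. I would add a comment above each case, such as `/* id is echoed in the response; copy every member the response path reads */`, and confirm whether `*dst` should be zeroed before the switch. Both functions start and end outside the hunk, so the other request types could not be checked for the same omission.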

