From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Jan Beulich" Subject: [PATCH] linux/blktap: fix cleanup after unclean application exit Date: Mon, 19 Apr 2010 14:15:50 +0100 Message-ID: <4BCC73A6020000780003AD97@vpn.id2.novell.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=__Part2E04A496.0__=" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: xen-devel@lists.xensource.com List-Id: xen-devel@lists.xenproject.org This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=__Part2E04A496.0__= Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline When an application using blktap devices doesn't close the file handle (or mmap-s) of /dev/xen/blktapN, we cannot defer the mmput() on the stored mm until blktap_release(), as that will never be called without the mm's reference count dropping to zero. Written and tested on 2.6.32.11 and made apply to the 2.6.18 tree without further testing. Signed-off-by: Jan Beulich --- sle11sp1-2010-04-12.orig/drivers/xen/blktap/blktap.c 2010-01-04 = 13:22:46.000000000 +0100 +++ sle11sp1-2010-04-12/drivers/xen/blktap/blktap.c 2010-04-19 = 09:24:00.000000000 +0200 @@ -638,6 +638,7 @@ static int blktap_open(struct inode *ino static int blktap_release(struct inode *inode, struct file *filp) { tap_blkif_t *info =3D filp->private_data; + struct mm_struct *mm; =09 /* check for control device */ if (!info) @@ -646,7 +647,9 @@ static int blktap_release(struct inode * info->ring_ok =3D 0; smp_wmb(); =20 - mmput(info->mm); + mm =3D xchg(&info->mm, NULL); + if (mm) + mmput(mm); info->mm =3D NULL; kfree(info->foreign_map.map); info->foreign_map.map =3D NULL; 
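Review bot: The context line `info->mm = NULL;` that follows the new `mm = xchg(&info->mm, NULL); if (mm) mmput(mm);` in blktap_release() is now redundant, because the xchg already leaves the field NULL; dropping it would make the atomic exchange the only writer of the field on this path. The same exchange-and-put sequence is added again at the end of tap_blkif_schedule(), so a small static helper (for example `static void blktap_put_mm(tap_blkif_t *info)`, a name made up for this note) would state the ownership rule once. Its comment should say that whichever path wins the xchg drops the reference. blktap_release() begins and ends outside these hunks.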
@@ -1089,7 +1092,7 @@ static void fast_flush_area(pending_req_ INVALID_P2M_ENTRY); } =20 - if (khandle->user !=3D INVALID_GRANT_HANDLE) { + if (mm !=3D NULL && khandle->user !=3D INVALID_GRANT_HANDLE= ) { BUG_ON(xen_feature(XENFEAT_auto_translated_physmap)= ); if (!locked++) down_write(&mm->mmap_sem); @@ -1147,6 +1150,7 @@ static void print_stats(blkif_t *blkif) int tap_blkif_schedule(void *arg) { blkif_t *blkif =3D arg; + tap_blkif_t *info; =20 blkif_get(blkif); =20 
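Review bot: The new `mm != NULL` test in fast_flush_area() checks a local `mm` that is assigned outside this hunk; if that is a plain read of `info->mm` with no reference taken, blktap_release() or the new exit path in tap_blkif_schedule() could xchg the field and call mmput() between the check and `down_write(&mm->mmap_sem)`, so this code would lock a freed mm_struct. Whether those callers can actually overlap is not visible here, so the hunk needs either a comment explaining why they cannot, or a reference held for the duration of the unmap (for instance `atomic_inc_not_zero(&mm->mm_users)` under whatever lock protects `info->mm`). It is also worth confirming what happens to a valid `khandle->user` when the branch is skipped because mm is NULL: the user-side grant is not unmapped on that path, and the hunk does not show the handle being reset. The `info = tapfds[blkif->dev_num]` lookup added in the last hunk raises the same lifetime question for `info` itself, since no lock or bounds check is visible around it.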
@@ -1180,8 +1184,16 @@ int tap_blkif_schedule(void *arg) printk(KERN_DEBUG "%s: exiting\n", current->comm); =20 blkif->xenblkd =3D NULL; + info =3D tapfds[blkif->dev_num]; blkif_put(blkif); =20 + if (info) { + struct mm_struct *mm =3D xchg(&info->mm, NULL); + + if (mm) + mmput(mm); + } + return 0; } =20 --=__Part2E04A496.0__= Content-Type: text/plain; name="xen-blktap-teardown.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="xen-blktap-teardown.patch" Subject: blktap: fix cleanup after unclean application exit=0A=0AWhen an = application using blktap devices doesn't close the file handle=0A(or = mmap-s) of /dev/xen/blktapN, we cannot defer the mmput() on the=0Astored = mm until blktap_release(), as that will never be called without=0Athe mm's = reference count dropping to zero.=0A=0AWritten and tested on 2.6.32.11 and = made apply to the 2.6.18 tree=0Awithout further testing.=0A=0ASigned-off-by= : Jan Beulich =0A=0A--- sle11sp1-2010-04-12.orig/drive= rs/xen/blktap/blktap.c 2010-01-04 13:22:46.000000000 +0100=0A+++ = sle11sp1-2010-04-12/drivers/xen/blktap/blktap.c 2010-04-19 09:24:00.0000000= 00 +0200=0A@@ -638,6 +638,7 @@ static int blktap_open(struct inode *ino=0A = static int blktap_release(struct inode *inode, struct file *filp)=0A {=0A = tap_blkif_t *info =3D filp->private_data;=0A+ struct mm_struct *mm;=0A = =0A /* check for control device */=0A if (!info)=0A@@ -646,7 = +647,9 @@ static int blktap_release(struct inode *=0A info->ring_ok =3D = 0;=0A smp_wmb();=0A =0A- mmput(info->mm);=0A+ mm =3D xchg(&info->= mm, NULL);=0A+ if (mm)=0A+ mmput(mm);=0A info->mm =3D = NULL;=0A kfree(info->foreign_map.map);=0A info->foreign_map.m= ap =3D NULL;=0A@@ -1089,7 +1092,7 @@ static void fast_flush_area(pending_re= q_=0A INVALID_P2M_ENTRY);=0A }=0A =0A- = if (khandle->user !=3D INVALID_GRANT_HANDLE) {=0A+ if = (mm !=3D NULL && khandle->user !=3D INVALID_GRANT_HANDLE) {=0A = BUG_ON(xen_feature(XENFEAT_auto_translated_physmap));=0A = 
if (!locked++)=0A down_write(&mm->mmap_sem);= =0A@@ -1147,6 +1150,7 @@ static void print_stats(blkif_t *blkif)=0A int = tap_blkif_schedule(void *arg)=0A {=0A blkif_t *blkif =3D arg;=0A+ = tap_blkif_t *info;=0A =0A blkif_get(blkif);=0A =0A@@ -1180,8 = +1184,16 @@ int tap_blkif_schedule(void *arg)=0A printk(KERN= _DEBUG "%s: exiting\n", current->comm);=0A =0A blkif->xenblkd =3D = NULL;=0A+ info =3D tapfds[blkif->dev_num];=0A blkif_put(blkif);= =0A =0A+ if (info) {=0A+ struct mm_struct *mm =3D xchg(&info= ->mm, NULL);=0A+=0A+ if (mm)=0A+ mmput(mm);= =0A+ }=0A+=0A return 0;=0A }=0A =0A --=__Part2E04A496.0__= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --=__Part2E04A496.0__=--