[BLOCK] blkback: Copy shared data before verification

As it is blkback verifies the metadata from the frontend in place.
This means we run the risk of the frontend changing the data after
we've verified it.  This patch copies the data onto the stack before
verifying and using it to ensure we see a consistent snapshot.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c b/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c
index 1941d61b0dfa7f3cb46b28344b25dbc679462801..106b4bf99ddb52fc4e3540f21ac8a2a907ad224c 100644 (file)
--- a/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c
+++ b/linux-2.6-xen-sparse/drivers/xen/blkback/blkback.c
@@ -293,7 +293,7 @@ irqreturn_t blkif_be_int(int irq, void *dev_id, struct pt_regs *regs)
 static int do_block_io_op(blkif_t *blkif)
 {
        blkif_back_ring_t *blk_ring = &blkif->blk_ring;
-       blkif_request_t *req;
+       blkif_request_t req;
        pending_req_t *pending_req;
        RING_IDX rc, rp;
        int more_to_do = 0;
@@ -311,22 +311,22 @@ static int do_block_io_op(blkif_t *blkif)
                        break;
                }
 
-               req = RING_GET_REQUEST(blk_ring, rc);
+               memcpy(&req, RING_GET_REQUEST(blk_ring, rc), sizeof(req));
                blk_ring->req_cons = ++rc; /* before make_response() */
 
-               switch (req->operation) {
+               switch (req.operation) {
                case BLKIF_OP_READ:
                        blkif->st_rd_req++;
-                       dispatch_rw_block_io(blkif, req, pending_req);
+                       dispatch_rw_block_io(blkif, &req, pending_req);
                        break;
                case BLKIF_OP_WRITE:
                        blkif->st_wr_req++;
-                       dispatch_rw_block_io(blkif, req, pending_req);
+                       dispatch_rw_block_io(blkif, &req, pending_req);
                        break;
                default:
                        DPRINTK("error: unknown block io operation [%d]\n",
-                               req->operation);
-                       make_response(blkif, req->id, req->operation,
+                               req.operation);
+                       make_response(blkif, req.id, req.operation,
                                      BLKIF_RSP_ERROR);
                        free_req(pending_req);
                        break;