When a domain shuts down with a blktap-backed block device open, it can
easily cause a dom0 oops. The XenbusStateClosing event can occur while
the tapdisk userland thread is still processing IO requests (e.g.
readaheads) from the domU. But the xenbus state handler calls
tap_blkif_unmap(), unmapping the blkif->blk_ring.sring ring buffer, so
when the tapdisk thread next calls the BLKTAP_IOCTL_KICK_FE to return
the completion event to the FE via that ring buffer, it oopses.
This can be fixed simply by not calling tap_blkif_unmap() in this case;
the ring buffer will still be unmapped later on when the blkif is
destroyed by blktap_remove(), only then it will properly wait for the
blkif refcnt to reach zero before doing so.
Signed-off-by: Stephen Tweedie <sct@redhat.com>
kthread_stop(be->blkif->xenblkd);
be->blkif->xenblkd = NULL;
}
- tap_blkif_unmap(be->blkif);
xenbus_switch_state(dev, XenbusStateClosing);
break;
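Review bot: The removed tap_blkif_unmap() call leaves the shared ring mapped across the XenbusStateClosing transition with nothing at this site explaining why, so a future cleanup could easily reintroduce the unmap and the oops with it; add a short comment in its place, e.g. "/* Don't unmap the ring here: tapdisk may still be completing IO. blktap_remove() unmaps it once the blkif refcnt drops to zero. */". It is also worth stating in the commit message that the ordering now relies entirely on blktap_remove() waiting for the refcount before unmapping, since the visible hunk stops xenblkd and switches state but no longer tears anything down itself.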