xen/blkback: don't fail empty barrier requests

The sector number on empty barrier requests may (will?) be -1, which,
given that it's being treated as unsigned 64-bit quantity, will almost
always exceed the actual (virtual) disk's size.

Inspired by Konrad's "When writting barriers set the sector number to
zero...".

While at it also add overflow checking to the math in vbd_translate().

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

1 files changed, 8 insertions, 7 deletions

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index dba55e3a4a86..c73910cc28c9 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -175,8 +175,14 @@ static int xen_vbd_translate(struct phys_req *req, struct xen_blkif *blkif,
         if ((operation != READ) && vbd->readonly)
                 goto out;
 
-        if (unlikely((req->sector_number + req->nr_sects) > vbd_sz(vbd)))
-                goto out;
+        if (likely(req->nr_sects)) {
+                blkif_sector_t end = req->sector_number + req->nr_sects;
+
+                if (unlikely(end < req->sector_number))
+                        goto out;
+                if (unlikely(end > vbd_sz(vbd)))
+                        goto out;
+        }
 
         req->dev  = vbd->pdevice;
         req->bdev = vbd->bdev;
@@ -538,11 +544,6 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
         case BLKIF_OP_FLUSH_DISKCACHE:
                 blkif->st_f_req++;
                 operation = WRITE_FLUSH;
-                /*
-                 * The frontend likes to set this to -1, which xen_vbd_translate
-                 * is alergic too.
-                 */
-                req->u.rw.sector_number = 0;
                 break;
         case BLKIF_OP_WRITE_BARRIER:
         default: