On Tue, Oct 19, 2010 at 3:32 PM, Ryan Harper <ry...@us.ibm.com> wrote: > Block hot unplug is racy since the guest is required to acknowlege the ACPI > unplug event; this may not happen synchronously with the device removal > command > > This series aims to close a gap where by mgmt applications that assume the > block resource has been removed without confirming that the guest has > acknowledged the removal may re-assign the underlying device to a second guest > leading to data leakage. > > This series introduces a new montor command to decouple asynchornous device > removal from restricting guest access to a block device. We do this by > creating > a new monitor command drive_unplug which maps to a bdrv_unplug() command which > does a qemu_aio_flush; bdrv_flush() and bdrv_close(). Once complete, > subsequent > IO is rejected from the device and the guest will get IO errors but continue > to > function. > > A subsequent device removal command can be issued to remove the device, to > which > the guest may or maynot respond, but as long as the unplugged bit is set, no > IO > will be sumbitted. > > Changes since v1: > - Added qemu_aio_flush() before bdrv_flush() to wait on pending io > > Signed-off-by: Ryan Harper <ry...@us.ibm.com> > --- > block.c | 7 +++++++ > block.h | 1 + > blockdev.c | 26 ++++++++++++++++++++++++++ > blockdev.h | 1 + > hmp-commands.hx | 15 +++++++++++++++ > 5 files changed, 50 insertions(+), 0 deletions(-)
Looks good to me. Stefan
