x86 shadow: fix the check for having killed the guest in the fault handler.

We care only about when we have called domain_crash() (and therefore
shadow invariants may not hold) and shouldn't spuriously inject
pagefaults into guests that are shutting down for other reasons.

Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index bc7b4327baee35c8f44230c37134643d4ed2bcde..46c5f1cf480defe8eb32bd3a66c0d7fb8552f9c4 100644 (file)
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -3111,7 +3111,7 @@ static int sh_page_fault(struct vcpu *v,
      * already used for some special purpose (ioreq pages, or granted pages).
      * If that happens we'll have killed the guest already but it's still not 
      * safe to propagate entries out of the guest PT so get out now. */
-    if ( unlikely(d->is_shutting_down) )
+    if ( unlikely(d->is_shutting_down && d->shutdown_code == SHUTDOWN_crash) )
     {
         SHADOW_PRINTK("guest is shutting down\n");
         goto propagate;
@@ -3212,7 +3212,7 @@ static int sh_page_fault(struct vcpu *v,
          && ft == ft_demand_write )
         sh_unsync(v, gmfn);
 
-    if ( unlikely(d->is_shutting_down) )
+    if ( unlikely(d->is_shutting_down && d->shutdown_code == SHUTDOWN_crash) )
     {
         /* We might end up with a crashed domain here if
          * sh_remove_shadows() in a previous sh_resync() call has