[XEN] Zero PAE shadow l3es when destroying subshadows.

Normally, we can leave the contents of shadows in place when we destroy
them, but this is not the case for l3 subshadows, since they do not get
zeroed on reallocation unless the entire l3 page is unshadowed.
This fixes several crashes seen with SMP PAE HVM RHEL4.2 guests.
Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index 3c55062643df64cb095dd4442204a3e3ad572f12..49f9fc2f61f6331c4911c1018f7037c1502ce5a3 100644 (file)
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -2324,11 +2324,11 @@ static void sh_destroy_l3_subshadow(struct vcpu *v,
 /* Tear down just a single 4-entry l3 on a 2-page l3 shadow. */
 {
     int i;
+    mfn_t sl3mfn = _mfn(maddr_from_mapped_domain_page(sl3e) >> PAGE_SHIFT);
     ASSERT((unsigned long)sl3e % (4 * sizeof (shadow_l3e_t)) == 0); 
     for ( i = 0; i < GUEST_L3_PAGETABLE_ENTRIES; i++ ) 
         if ( shadow_l3e_get_flags(sl3e[i]) & _PAGE_PRESENT ) 
-            sh_put_ref(v, shadow_l3e_get_mfn(sl3e[i]),
-                        maddr_from_mapped_domain_page(sl3e));
+            shadow_set_l3e(v, &sl3e[i], shadow_l3e_empty(), sl3mfn);
 }
 #endif