From 27062e851f0ac848d4ec5f2dc939bfad8e93082b Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Thu, 24 Dec 2009 12:14:09 +0000
Subject: [PATCH] evtchn: Do not free d->poll_mask until domain is being deallocated. Avoids crash on dereference of poll_mask after domain_kill().
Signed-off-by: Keir Fraser
---
 xen/common/domain.c | 5 +++++
 xen/common/event_channel.c | 5 +++++
 xen/include/xen/sched.h | 5 +++--
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/xen/common/domain.c b/xen/common/domain.c
index b961b104d1..e4a29f8842 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -317,7 +317,10 @@ struct domain *domain_create(
 if ( init_status & INIT_gnttab )
 grant_table_destroy(d);
 if ( init_status & INIT_evtchn )
+ {
 evtchn_destroy(d);
+ evtchn_destroy_final(d);
+ }
 if ( init_status & INIT_rangeset )
 rangeset_domain_destroy(d);
 if ( init_status & INIT_xsm )
@@ -606,6 +609,8 @@ static void complete_domain_destroy(struct rcu_head *head)
 if ( d->target != NULL )
 put_domain(d->target);
+ evtchn_destroy_final(d); + xfree(d->pirq_mask); xfree(d->pirq_to_evtchn);
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index d052f15980..29c515cf0c 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -1052,13 +1052,18 @@ void evtchn_destroy(struct domain *d)
 d->evtchn[i] = NULL;
 }
 spin_unlock(&d->event_lock);
+}
+
+void evtchn_destroy_final(struct domain *d)
+{
 #if MAX_VIRT_CPUS > BITS_PER_LONG
 xfree(d->poll_mask);
 d->poll_mask = NULL;
 #endif
 }
+
 static void domain_dump_evtchn_info(struct domain *d)
 {
 unsigned int port;
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index c637e11b69..d9180773f9 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
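Review bot: evtchn_destroy_final() in xen/common/event_channel.c is added without any comment stating its precondition, and it frees d->poll_mask outside d->event_lock (as the old code in evtchn_destroy() also did). Going by the commit message, poll_mask can still be dereferenced after domain_kill(), so the function is only safe once nothing else can reach the domain; the two call sites in domain.c (the domain_create failure path and complete_domain_destroy) appear to satisfy that, but nothing in the code says so. I would put `/* Final teardown: takes no lock, so the caller must guarantee that no other CPU can still reference d->poll_mask. */` above the definition. The hunk also adds a blank line before domain_dump_evtchn_info() that looks unintended.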
@@ -67,8 +67,9 @@ struct evtchn
 #endif
 };
-int evtchn_init(struct domain *d);
-void evtchn_destroy(struct domain *d);
+int evtchn_init(struct domain *d); /* from domain_create */
+void evtchn_destroy(struct domain *d); /* from domain_kill */
+void evtchn_destroy_final(struct domain *d); /* from complete_domain_destroy */
 struct vcpu {
-- 
2.30.2
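Review bot: The new comment on evtchn_destroy_final(), `/* from complete_domain_destroy */`, is incomplete, because the domain.c part of this patch also calls it, together with evtchn_destroy(), from the failure path of domain_create(). These prototype comments are the only place that states which teardown stage owns which state, so I would name both callers and what the stage releases, for example `/* from complete_domain_destroy and domain_create's error path; frees poll_mask */`. The comment on evtchn_destroy() could likewise say that poll_mask stays valid after it returns, since that is the property the fix depends on.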