Do not allow HVM save/restore of a dying domain.

It's not a sensible thing to do, and it is easier than auditing all
state save/restore functions for safety (most importantly, racing
against domain_relinquish_resources).

Also place a spin_barrier on domain_lock after asserting d->is_dying,
allowing critical regions under the domain_lock to safely check
is_dying and avoid races with domain_relinquish_resources().

Signed-off-by: Keir Fraser <keir.fraser@citrix.com>

diff --git a/xen/common/domain.c b/xen/common/domain.c
index c5779ca0ffe6ad32b9eb0effe131e5e602b0f250..43191cd641a38c24967d8f749800b345cfcc69e6 100644 (file)
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -341,6 +341,7 @@ int domain_kill(struct domain *d)
     case DOMDYING_alive:
         domain_pause(d);
         d->is_dying = DOMDYING_dying;
+        spin_barrier(&d->domain_lock);
         evtchn_destroy(d);
         gnttab_release_mappings(d);
         /* fallthrough */

diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c
index 3079363676a96494e3d08358030b22e93602ef02..cb3cf6688567d4e50899fcdcc458db33567282f8 100644 (file)
--- a/xen/common/hvm/save.c
+++ b/xen/common/hvm/save.c
@@ -84,6 +84,9 @@ int hvm_save(struct domain *d, hvm_domain_context_t *h)
     hvm_save_handler handler;
     uint16_t i;
 
+    if ( d->is_dying )
+        return -EINVAL;
+
     hdr.magic = HVM_FILE_MAGIC;
     hdr.version = HVM_FILE_VERSION;
 
@@ -140,6 +143,9 @@ int hvm_load(struct domain *d, hvm_domain_context_t *h)
     hvm_load_handler handler;
     struct vcpu *v;
     
+    if ( d->is_dying )
+        return -EINVAL;
+
     /* Read the save header, which must be first */
     if ( hvm_load_entry(HEADER, h, &hdr) != 0 ) 
         return -1;