x86 shadow: Avoid remove-all-shadows after shadow teardown
author: Keir Fraser <keir.fraser@citrix.com>
Wed, 26 May 2010 07:01:21 +0000 (08:01 +0100)
committer: Keir Fraser <keir.fraser@citrix.com>
Wed, 26 May 2010 07:01:21 +0000 (08:01 +0100)
If dom0 alters the p2m of a domain that's being destroyed, we can end
up doing a remove-all-shadows after the shadow hash table has been
freed. Since no hash table implies no shadows, just return
immediately.

Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
xen/arch/x86/mm/shadow/common.c

index 6c49134fe0a46f035ee1d0674ba14d3a9fe454d0..36f5839c66fb78ca9a25855f3be5b1e44cfc1b5e 100644 (file)
@@ -2173,8 +2173,13 @@ static void hash_foreach(struct vcpu *v,
     struct domain *d = v->domain;
     struct page_info *x;
 
-    /* Say we're here, to stop hash-lookups reordering the chains */
     ASSERT(shadow_locked_by_me(d));
+
+    /* Can be called via p2m code &c after shadow teardown. */
+    if ( unlikely(!d->arch.paging.shadow.hash_table) )
+        return;
+
+    /* Say we're here, to stop hash-lookups reordering the chains */
     ASSERT(d->arch.paging.shadow.hash_walking == 0);
     d->arch.paging.shadow.hash_walking = 1;
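Review bot: The early return is correctly placed after `ASSERT(shadow_locked_by_me(d))` and before the `hash_walking` bookkeeping, so a call that arrives after teardown neither reads a freed table nor leaves `hash_walking` set, but the in-code comment "Can be called via p2m code &c after shadow teardown." should say why that is safe rather than only that it happens. Suggest expanding it along the lines of the commit message, e.g. "dom0 may still update the p2m of a domain being destroyed; once the hash table is freed there are no shadows left, so there is nothing to walk", so a later reader does not mistake the silent no-op for a masked bug. It is also worth confirming in the description that every caller of `hash_foreach` (remove-all-shadows being the case named here) is happy to have its callback never invoked, since the function returns no indication that the walk was skipped.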