From: Keir Fraser Date: Wed, 2 Jul 2008 16:10:52 +0000 (+0100) Subject: Do not allow HVM save/restore of a dying domain. X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~14188^2~129 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b4d58083caad3c6317877a8404262a28dd437e88;p=xen.git Do not allow HVM save/restore of a dying domain. It's not a sensible thing to do, and it is easier than auditing all state save/restore functions for safety (most importantly, racing against domain_relinquish_resources). Also place a spin_barrier on domain_lock after asserting d->is_dying, allowing critical regions under the domain_lock to safely check is_dying and avoid races with domain_relinquish_resources(). Signed-off-by: Keir Fraser --- diff --git a/xen/common/domain.c b/xen/common/domain.c index c5779ca0ff..43191cd641 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -341,6 +341,7 @@ int domain_kill(struct domain *d) case DOMDYING_alive: domain_pause(d); d->is_dying = DOMDYING_dying; + spin_barrier(&d->domain_lock); evtchn_destroy(d); gnttab_release_mappings(d); /* fallthrough */ diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c index 3079363676..cb3cf66885 100644 --- a/xen/common/hvm/save.c +++ b/xen/common/hvm/save.c @@ -84,6 +84,9 @@ int hvm_save(struct domain *d, hvm_domain_context_t *h) hvm_save_handler handler; uint16_t i; + if ( d->is_dying ) + return -EINVAL; + hdr.magic = HVM_FILE_MAGIC; hdr.version = HVM_FILE_VERSION; @@ -140,6 +143,9 @@ int hvm_load(struct domain *d, hvm_domain_context_t *h) hvm_load_handler handler; struct vcpu *v; + if ( d->is_dying ) + return -EINVAL; + /* Read the save header, which must be first */ if ( hvm_load_entry(HEADER, h, &hdr) != 0 ) return -1;
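Review bot: The `spin_barrier(&d->domain_lock);` added to domain_kill() after `d->is_dying = DOMDYING_dying;` carries no comment, and its correctness rests on two ordering assumptions the code does not state: the store to is_dying must be globally visible before the barrier completes, and every critical region that relies on it must read is_dying only after it has acquired domain_lock. A barrier also only waits for holders present at that instant, so a region that takes domain_lock later is protected solely by its own is_dying check. Please add a comment at the barrier site, e.g. `/* Ensure every existing domain_lock holder has dropped the lock and will see is_dying. */`, so the contract with domain_relinquish_resources() is visible where it is enforced.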
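Review bot: The `if ( d->is_dying ) return -EINVAL;` inserted at the top of hvm_save() is an unlocked read of is_dying, while the commit message describes the new spin_barrier as making the check safe only for regions under domain_lock; the hunk shows neither domain_lock being taken around the check nor around the handler loop that follows it, so a domain can still become dying after the check and race with domain_relinquish_resources() unless the caller already holds domain_lock. Either take domain_lock in hvm_save() around the check and the save loop, or add a comment stating that callers must hold it and that the check is otherwise only a best-effort filter.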
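Review bot: The new early return in hvm_load() uses -EINVAL while the existing failure path immediately below it, `if ( hvm_load_entry(HEADER, h, &hdr) != 0 ) return -1;`, returns a bare -1, so the function now mixes two error conventions and a caller that propagates the value cannot treat it uniformly. Pick one convention for hvm_load() (preferably the errno form, converting the existing -1 returns in the same change or a follow-up). As with the matching hvm_save() check, this is an unlocked read of is_dying with no domain_lock taken in the hunk, so it does not by itself exclude domain_relinquish_resources() from running once the load handlers start; document the locking expectation on the caller or take the lock here.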