ia64/xen-unstable

changeset 17950:3a40a6997cc0

Do not allow HVM save/restore of a dying domain.

It's not a sensible thing to do, and it is easier than auditing all
state save/restore functions for safety (most importantly, racing
against domain_relinquish_resources).

Also place a spin_barrier on domain_lock after asserting d->is_dying,
allowing critical regions under the domain_lock to safely check
is_dying and avoid races with domain_relinquish_resources().

Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Jul 02 17:10:52 2008 +0100 (2008-07-02)
parents b3d827e63a09
children f2148e532c81
files xen/common/domain.c xen/common/hvm/save.c
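--- a/xen/common/domain.c	Wed Jul 02 13:54:20 2008 +0100
+++ b/xen/common/domain.c	Wed Jul 02 17:10:52 2008 +0100
@@ -341,6 +341,7 @@ int domain_kill(struct domain *d)
     case DOMDYING_alive:
         domain_pause(d);
         d->is_dying = DOMDYING_dying;
+        spin_barrier(&d->domain_lock);
         evtchn_destroy(d);
         gnttab_release_mappings(d);
         /* fallthrough */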
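Review bot: The `spin_barrier(&d->domain_lock)` added in domain_kill's DOMDYING_alive case carries no comment on the ordering it depends on: it has to follow the `d->is_dying = DOMDYING_dying` store so that any critical section entered later under domain_lock observes the flag. I would add `/* Wait out current domain_lock holders; later ones will see is_dying. */` above it, so that a future reordering of these two lines is not mistaken for harmless. The guarantee covers only code that tests is_dying while holding domain_lock, and whether spin_barrier itself orders the preceding store is not visible here and should be confirmed. domain_kill's body continues outside the hunk.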
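--- a/xen/common/hvm/save.c	Wed Jul 02 13:54:20 2008 +0100
+++ b/xen/common/hvm/save.c	Wed Jul 02 17:10:52 2008 +0100
@@ -84,6 +84,9 @@ int hvm_save(struct domain *d, hvm_domai
     hvm_save_handler handler;
     uint16_t i;
 
+    if ( d->is_dying )
+        return -EINVAL;
+
     hdr.magic = HVM_FILE_MAGIC;
     hdr.version = HVM_FILE_VERSION;
 
@@ -140,6 +143,9 @@ int hvm_load(struct domain *d, hvm_domai
     hvm_load_handler handler;
     struct vcpu *v;
     
+    if ( d->is_dying )
+        return -EINVAL;
+
     /* Read the save header, which must be first */
     if ( hvm_load_entry(HEADER, h, &hdr) != 0 ) 
         return -1;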