diff options
| author | Tim Deegan <tim.deegan@xensource.com> | 2006-10-09 16:43:09 +0100 |
|---|---|---|
| committer | Tim Deegan <tim.deegan@xensource.com> | 2006-10-09 16:43:09 +0100 |
| commit | f6d48164732a1a69cd114facfabf9ca594566f46 (patch) | |
| tree | 2a2922301bb0981f6fbde2f6cdaf952c64634fab | |
| parent | 5000a6a1e0b9c42c17345817e589e61175bad3d0 (diff) | |
| download | xen-f6d48164732a1a69cd114facfabf9ca594566f46.tar.gz xen-f6d48164732a1a69cd114facfabf9ca594566f46.tar.bz2 xen-f6d48164732a1a69cd114facfabf9ca594566f46.zip | |
[XEN] Zero PAE shadow l3es when destroying subshadows.
Normally, we can leave the contents of shadows in place when we destroy
them, but this is not the case for l3 subshadows, since they do not get
zeroed on reallocation unless the entire l3 page is unshadowed.
This fixes several crashes seen with SMP PAE HVM RHEL4.2 guests.
Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>
| -rw-r--r-- | xen/arch/x86/mm/shadow/multi.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index 3c55062643..49f9fc2f61 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2324,11 +2324,11 @@ static void sh_destroy_l3_subshadow(struct vcpu *v, /* Tear down just a single 4-entry l3 on a 2-page l3 shadow. */ { int i; + mfn_t sl3mfn = _mfn(maddr_from_mapped_domain_page(sl3e) >> PAGE_SHIFT); ASSERT((unsigned long)sl3e % (4 * sizeof (shadow_l3e_t)) == 0); for ( i = 0; i < GUEST_L3_PAGETABLE_ENTRIES; i++ ) if ( shadow_l3e_get_flags(sl3e[i]) & _PAGE_PRESENT ) - sh_put_ref(v, shadow_l3e_get_mfn(sl3e[i]), - maddr_from_mapped_domain_page(sl3e)); + shadow_set_l3e(v, &sl3e[i], shadow_l3e_empty(), sl3mfn); } #endif |