x86, shadow: Fix OOS on domain crash.

I couldn't reproduce the Nevada crash on my testbox, but this should
fix the first Xen crash that was seen in the Nevada HVM (bugzilla
#1322).

What I think most probably happened there is that the set_l2e call in
shadow_get_and_create_l1e() has tried to resync a page, but somehow we
weren't unable to remove the shadow (the real bug we should actually
look after). sh_resync() then removes the page from the OOS hash and
later in the page fault path we find the gw.l1mfn to be still OOS, so
we try to update the snapshot and the bug happens.

This should fix this and other unlikely (like sh_unsync() failing to
remove for hash collision the current gw.l1mfn) cases.

Signed-off-by: Gianluca Guida <gianluca.guida@eu.citrix.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index 7736775501..26e2a3cb84 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -3290,6 +3290,16 @@ static int sh_page_fault(struct vcpu *v,
     if ( sh_mfn_is_a_page_table(gmfn)
          && ft == ft_demand_write )
         sh_unsync(v, gmfn);
+
+    if ( unlikely(d->is_shutting_down) )
+    {
+        /* We might end up with a crashed domain here if
+         * sh_remove_shadows() in a previous sh_resync() call has
+         * failed. We cannot safely continue since some page is still
+         * OOS but not in the hash table anymore. */
+        shadow_unlock(d);
+        return 0;
+    }
 #endif /* OOS */
 
     /* Calculate the shadow entry and write it */