x86: Disable IRQs and do WBINVD first in play_dead().

When we advertise we are dead via cpu_exit_clear(), it is no longer
safe to handle interrupts as our per-cpu vars can go away.

In future, we may want to think about NMI handling in this scenario
too.

Signed-off-by: Keir Fraser <keir@xen.org>

1 files changed, 5 insertions, 4 deletions

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index b91adfb5a4..09da6221af 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -99,19 +99,20 @@ static void default_dead_idle(void)
 
 static void play_dead(void)
 {
+    local_irq_disable();
+    wbinvd();
+
     /*
      * NOTE: After cpu_exit_clear, per-cpu variables are no longer accessible,
      * as they may be freed at any time. In this case, heap corruption or
      * #PF can occur (when heap debugging is enabled). For example, even
      * printk() can involve tasklet scheduling, which touches per-cpu vars.
      * 
-     * Consider very carefully when adding code to this path. Most hypervisor
+     * Consider very carefully when adding code to *dead_idle. Most hypervisor
      * subsystems are unsafe to call.
      */
     cpu_exit_clear(smp_processor_id());
-    mb();
-    local_irq_disable();
-    wbinvd();
+
     (*dead_idle)();
 }