Just like domain_soft_reset() properly zaps runstate area handles, the
secondary time area ones also need discarding to prevent guest memory
corruption once the guest is re-started.

Signed-off-by: Jan Beulich <jbeul...@suse.com>
---
To avoid another for_each_vcpu() here, domain_soft_reset() could also
be made to call a new arch_vcpu_soft_reset() out of its already present
loop. Yet that would make the change less isolated.

In domain_soft_reset() I wonder whether, just like done here, the
zapping of runstate area handles and vCPU info mappings wouldn't better
be done after all operations which can fail. But perhaps for this to
matter the domain is left in too inconsistent a state anyway if the
function fails ... However, at the very least I wonder whether x86'es
restriction to HVM shouldn't leave PV guests undisturbed if a soft-reset
was attempted on them. Right now they not only have state partially
clobbered, but (if the arch function is reached) they would be crashed
unconditionally.

--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -951,6 +951,7 @@ int arch_domain_soft_reset(struct domain
     struct page_info *page = virt_to_page(d->shared_info), *new_page;
     int ret = 0;
     struct domain *owner;
+    struct vcpu *v;
     mfn_t mfn;
     gfn_t gfn;
     p2m_type_t p2mt;
@@ -1030,7 +1031,12 @@ int arch_domain_soft_reset(struct domain
                "Failed to add a page to replace %pd's shared_info frame 
%"PRI_gfn"\n",
                d, gfn_x(gfn));
         free_domheap_page(new_page);
+        goto exit_put_gfn;
     }
+
+    for_each_vcpu ( d, v )
+        set_xen_guest_handle(v->arch.time_info_guest, NULL);
+
  exit_put_gfn:
     put_gfn(d, gfn_x(gfn));
  exit_put_page:
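Review bot: the new `goto exit_put_gfn` after `free_domheap_page(new_page)` is now load-bearing, since without it the failure path would fall through into the newly added for_each_vcpu() loop and zap the time_info_guest handles of a domain whose shared_info replacement just failed; please confirm that `ret` is set to an error value before that branch (the assignment is outside the visible context), so the caller can tell that the reset did not complete. Placing the zapping after the last operation that can fail is consistent with the reasoning in the notes above, and using set_xen_guest_handle(..., NULL) matches how domain_soft_reset() discards the runstate area handles.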
