commit 4d052ed2cb95dc69f45da6772b805f8e5beb654b
Author: Dario Faggioli
Date: Wed Apr 11 09:03:19 2018 +0200
xen: sched: fix race between context switch and setting affinity
vcpu_set_affinity() may set the VPF_migrating flag on the vcpu that is being context switched out, without having the chance to also call vcpu_sleep_nosync() on it, before that context switching code (in context_saved()) calls vcpu_migrate(). This, eventually, results in vcpu_move_locked() being called on a runnable vcpu, which causes various issues in sched_credit.c, sched_credit2.c, etc. For instance, when using Credit, it leads to this crash: https://lists.xenproject.org/archives/html/xen-devel/2018-04/msg00664.html
Signed-off-by: Dario Faggioli
---
Cc: George Dunlap
Cc: Olaf Hering
Cc: Andrew Cooper
diff --git a/xen/common/schedule.c b/xen/common/schedule.c
index 343ab6306e..2a60301849 100644
--- a/xen/common/schedule.c
+++ b/xen/common/schedule.c
@@ -1554,7 +1554,17 @@ void context_saved(struct vcpu *prev)
 SCHED_OP(vcpu_scheduler(prev), context_saved, prev);
 if ( unlikely(prev->pause_flags & VPF_migrating) )
+ {
+ /*
+ * If someone (e.g., vcpu_set_affinity()) has set VPF_migrating
+ * on prev in between when schedule() releases the scheduler
+ * lock and here, we need to make sure we properly mark the
+ * vcpu as not runnable (and all it comes with that), with
+ * vcpu_sleep_nosync(), before calling vcpu_migrate().
+ */
+ vcpu_sleep_nosync(prev);
 vcpu_migrate(prev);
+ }
 }
 /* The scheduler timer: force a run through the scheduler */
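Review bot: The new vcpu_sleep_nosync(prev) call in the VPF_migrating branch runs regardless of who set the flag, so it is also reached when the affinity setter already slept the vcpu itself (the normal, non-racing path that VPF_migrating was designed for), and nothing in the hunk states that a second sleep on an already-slept vcpu is harmless. The comment explains the racing case well but should also record that expectation, for instance by appending `This is also reached when the setter already slept the vcpu; vcpu_sleep_nosync() must therefore be safe to repeat on a non-runnable vcpu.` so the next change to vcpu_sleep_nosync() or to the per-scheduler sleep hooks knows this path relies on it. The read of prev->pause_flags that guards the branch appears to happen without the scheduler lock (the comment says the flag may be set "in between when schedule() releases the scheduler lock and here"), so a flag set just after this read is presumably handled entirely by the setter; a half-sentence saying so would close the obvious follow-up question. context_saved() begins before this hunk, so its locking context is not visible here.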