We're generally striving to minimize behavioral differences between PV and PVH Dom0. Using (just?) is_memory_hole() in the PVH case looks quite a bit weaker to me, compared to the page ownership check done in the PV case. Extend checking accordingly.
Signed-off-by: Jan Beulich <jbeul...@suse.com> --- The addition may actually be suitable to replace the use of is_memory_hole() here. While dropping that would in particular extend coverage to E820_RESERVED regions, those are identity-mapped anyway (albeit oddly enough still by IOMMU code). --- a/xen/arch/x86/hvm/emulate.c +++ b/xen/arch/x86/hvm/emulate.c @@ -184,6 +184,22 @@ static int hwdom_fixup_p2m(paddr_t addr) !is_memory_hole(_mfn(gfn), _mfn(gfn)) ) return -EPERM; + /* + * Much like get_page_from_l1e() for PV Dom0 does, check that the page + * accessed is actually an MMIO one: Either its MFN is out of range, or + * it's owned by DOM_IO. + */ + if ( mfn_valid(_mfn(gfn)) ) + { + struct page_info *pg = mfn_to_page(_mfn(gfn)); + const struct domain *owner = page_get_owner_and_reference(pg); + + if ( owner ) + put_page(pg); + if ( owner != dom_io ) + return -EPERM; + } + mfn = get_gfn(currd, gfn, &type); if ( !mfn_eq(mfn, INVALID_MFN) || !p2m_is_hole(type) ) rc = mfn_eq(mfn, _mfn(gfn)) ? -EEXIST : -ENOTEMPTY;
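Review bot: in the added block the reference obtained via page_get_owner_and_reference() is dropped again right away, so the ownership test is a point-in-time check and by the time get_gfn() and the subsequent mapping run the page could in principle have changed owner; since pages owned by dom_io are not normally reassigned this is likely acceptable, but the comment above the block should say so explicitly rather than only describing the PV analogue. It would also help to spell out in that comment that a NULL return (no reference could be taken, e.g. a page in the process of being freed) deliberately falls through to the `owner != dom_io` test and hence to -EPERM, which is the conservative outcome; as written a reader has to infer that from the two `if` statements.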