We're generally striving to minimize behavioral differences between PV
and PVH Dom0. Using (just?) is_memory_hole() in the PVH case looks quite
a bit weaker to me, compared to the page ownership check done in the PV
case. Extend checking accordingly.
Signed-off-by: Jan Beulich <jbeul...@suse.com>
---
The addition may actually be suitable to replace the use of
is_memory_hole() here. While dropping that would in particular extend
coverage to E820_RESERVED regions, those are identity-mapped anyway
(albeit oddly enough still by IOMMU code).
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -184,6 +184,22 @@ static int hwdom_fixup_p2m(paddr_t addr)
!is_memory_hole(_mfn(gfn), _mfn(gfn)) )
return -EPERM;
+ /*
+ * Much like get_page_from_l1e() for PV Dom0 does, check that the page
+ * accessed is actually an MMIO one: Either its MFN is out of range, or
+ * it's owned by DOM_IO.
+ */
+ if ( mfn_valid(_mfn(gfn)) )
+ {
+ struct page_info *pg = mfn_to_page(_mfn(gfn));
+ const struct domain *owner = page_get_owner_and_reference(pg);
+
+ if ( owner )
+ put_page(pg);
+ if ( owner != dom_io )
+ return -EPERM;
+ }
+
mfn = get_gfn(currd, gfn, &type);
if ( !mfn_eq(mfn, INVALID_MFN) || !p2m_is_hole(type) )
rc = mfn_eq(mfn, _mfn(gfn)) ? -EEXIST : -ENOTEMPTY;
