x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY

PV guests can fully control the values written into the P2M.

This is XSA-251.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: b4d0218cff66b7eaa9c9b8dc9bd71e7b089b016d
master date: 2017-12-12 14:30:17 +0100

diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index 8d7f5cbc319cc85bc465fa145f0efcdeb095ae3a..149a59aa8de45f6026daa07d1b7a9aa08c3dde82 100644 (file)
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -285,7 +285,7 @@ void paging_mark_dirty(struct domain *d, unsigned long guest_mfn)
     /* We /really/ mean PFN here, even for non-translated guests. */
     pfn = get_gpfn_from_mfn(mfn_x(gmfn));
     /* Shared MFNs should NEVER be marked dirty */
-    BUG_ON(SHARED_M2P(pfn));
+    BUG_ON(paging_mode_translate(d) && SHARED_M2P(pfn));
 
     /*
      * Values with the MSB set denote MFNs that aren't really part of the