x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY

PV guests can fully control the values written into the P2M.

This is XSA-251.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: b4d0218cff66b7eaa9c9b8dc9bd71e7b089b016d
master date: 2017-12-12 14:30:17 +0100

diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index 945bb61d94927164c0b064b2bc247bc6451bde43..009c9bf14163cb7b8398f455be4a162a58aa66ca 100644 (file)
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -277,7 +277,7 @@ void paging_mark_gfn_dirty(struct domain *d, unsigned long pfn)
         return;
 
     /* Shared MFNs should NEVER be marked dirty */
-    BUG_ON(SHARED_M2P(pfn));
+    BUG_ON(paging_mode_translate(d) && SHARED_M2P(pfn));
 
     /*
      * Values with the MSB set denote MFNs that aren't really part of the