xenbits.xensource.com Git - people/iwj/xen.git/commit
x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests
author Andrew Cooper <andrew.cooper3@citrix.com>
Thu, 12 Oct 2017 12:50:07 +0000 (14:50 +0200)
committer Jan Beulich <jbeulich@suse.com>
Thu, 12 Oct 2017 12:50:07 +0000 (14:50 +0200)
commit bf2b4eadcf379d0361b38de9725ea5f7a18a5205
tree 9cdaf539667a6151f65c5189a2f52b1c8943d47e
parent 6410733a8a0dff2fe581338ff631670cf91889db

When initially creating a monitor table for 4-level translated guests, don't
install a shadow-linear mapping.  This mapping is actually self-linear, and
trips up the writeable heuristic logic into following Xen's mappings, not the
guests' shadows it was expecting to follow.

A consequence of this is that sh_guess_wrmap() needs to cope with there being
no shadow-linear mapping present, which in practice occurs once each time a
vcpu switches to 4-level paging from a different paging mode.

An appropriate shadow-linear slot will be inserted into the monitor table
either while constructing lower level monitor tables, or by sh_update_cr3().

While fixing this, clarify the safety of the other mappings.  Despite
appearing unsafe, it is correct to create a guest-linear mapping for
translated domains; this is self-linear and doesn't point into the translated
domain.  Drop a dead clause for translate != external guests.

This is XSA-243.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Tim Deegan <tim@xen.org>
xen/arch/x86/mm/shadow/multi.c