
[xen stable-4.21] x86/hvm: be more strict with XENMAPSPACE_gmfn source types



commit b579e832dea70a977d1020396215cb36d1bc1c06
Author:     Roger Pau Monné <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Jan 13 15:41:57 2026 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jan 13 15:41:57 2026 +0100

    x86/hvm: be more strict with XENMAPSPACE_gmfn source types
    
    XENMAPSPACE_gmfn{_range} allows moving gfn around the guest p2m: the mfn
    behind the source gfn is zapped from the origin and mapped at the
    requested destination gfn.  The destination p2m entries are always created
    with type p2m_ram_rw.
    
    With the current checking done in xenmem_add_to_physmap_one() it's possible
    to use XENMAPSPACE_gmfn{_range} to change the type of a p2m entry.  The
    source gfn is only checked to be not shared, and that the underlying page
    is owned by the domain.
    
    Make the source checks more strict, by checking that the source gfn is of
    type read/write RAM or logdirty.  That prevents the operation from
    inadvertently changing the type as part of the move.
    
    Fixes: 3e50af3d8776 ("New XENMAPSPACE_gmfn parameter for XENMEM_add_to_physmap.")
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: c9491ea21a433168ef69639183a01848877cea14
    master date: 2026-01-08 11:05:30 +0100
---
 xen/arch/x86/mm/p2m.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index ef35cd564b..86d8221b84 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2010,11 +2010,17 @@ int xenmem_add_to_physmap_one(
     {
         gmfn = idx;
         mfn = get_gfn_unshare(d, gmfn, &p2mt);
-        /* If the page is still shared, exit early */
-        if ( p2m_is_shared(p2mt) )
+        /*
+         * The entry at the destination gfn will be created as type p2m_ram_rw.
+         * Only allow moving source gfns with read/write or logdirty RAM types
+         * to avoid unexpected p2m type changes as a result of the operation.
+         * Note that for logdirty source type we rely on p2m_add_page() marking
+         * the destination gfn as dirty.
+         */
+        if ( p2mt != p2m_ram_rw && p2mt != p2m_ram_logdirty )
         {
             put_gfn(d, gmfn);
-            return -ENOMEM;
+            return p2m_is_shared(p2mt) ? -ENOMEM : -EACCES;
         }
         page = get_page_from_mfn(mfn, d);
         if ( unlikely(!page) )
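Review bot: the new return line yields two different error codes (-ENOMEM when p2m_is_shared(p2mt), -EACCES otherwise), but the old comment explaining the shared case ("If the page is still shared, exit early") is removed and the replacement comment does not mention either code. Add a sentence to the new comment saying that -ENOMEM is kept for a source that is still shared after get_gfn_unshare() and that -EACCES is returned for any other source type that is not p2m_ram_rw or p2m_ram_logdirty, so callers and later readers can tell the two failures apart. The comment also says the logdirty case relies on p2m_add_page() marking the destination gfn as dirty; that dependency is only recorded here, so a matching remark at p2m_add_page() would keep a later change there from silently breaking this path.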
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.21



 

