On Fri, Dec 05, 2025 at 10:31:51AM +0100, Roger Pau Monne wrote:
> XENMAPSPACE_gmfn{_range} allows moving gfn around the guest p2m: the mfn
> behind the source gfn is zapped from the origin and mapped at the
> requested destination gfn. The destination p2m entries are always created
> with type p2m_ram_rw.
>
> With the current checking done in xenmem_add_to_physmap_one() it's possible
> to use XENMAPSPACE_gmfn{_range} to change the type of a p2m entry. The
> source gfn is only checked to be not shared, and that the underlying page
> is owned by the domain.
>
> Make the source checks more strict, by checking that the source gfn is of
> type p2m_ram_rw. That prevents the operation from inadvertently changing
> the type as part of the move.
This is missing:

Fixes: 3e50af3d8776 ('New XENMAPSPACE_gmfn parameter for XENMEM_add_to_physmap.')

The hypercall was missing any p2m type checks since introduction.
It's possible the get_page() seemed enough, but it was dangerous to
not account for new incompatible p2m types being added down the road.

Thanks, Roger.