Xen Project XSA-30
Dec 03, 2012 - 5:51 p.m.

Broken error handling in guest_physmap_mark_populate_on_demand()

Published: 2012-12-03 17:51:00
Source: Xen Project (xenbits.xen.org)

CVSS2: 4.7 Medium (AV:L/AC:M/Au:N/C:N/I:N/A:C)
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

EPSS: 0.001 Low (percentile 27.4%)

ISSUE DESCRIPTION

guest_physmap_mark_populate_on_demand(), before carrying out its actual operation, checks that the subject GFNs are not in use. If that check fails, the code prints a message and returns early, bypassing the gfn_unlock() that matches the gfn_lock() taken before entering the loop, so the lock is never released.
Further, the function is exposed to guests acting on their own behalf. While we believe that this does not cause any further issues, we have not conducted a thorough enough review to be sure. Rather, it should be exposed only to privileged domains.
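The following is an added, constructed illustration of the defect class described above; it is not Xen's code. It models the gfn_lock()/gfn_unlock() pair named in the advisory with a nesting counter so the lock imbalance becomes observable, shows the buggy shape (early return from inside the loop while the lock is held) next to a fixed shape with a single unlocking exit path, and adds the privilege gate the advisory says the operation should have. The names mark_pod_buggy, mark_pod_fixed, gfn_in_use, caller_is_privileged, lock_depth_after and privilege_gate_rejects are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the p2m lock: a nesting counter, so a leaked
 * lock shows up as a non-zero depth after the call returns. */
static int p2m_lock_depth = 0;
static void gfn_lock(void)   { p2m_lock_depth++; }
static void gfn_unlock(void) { p2m_lock_depth--; }

/* Constructed page state: a GFN is "in use" if its entry is set. */
#define NR_GFNS 16
static bool gfn_in_use[NR_GFNS];

/* Constructed caller attribute; the advisory says the operation should be
 * available to privileged domains only. */
static bool caller_is_privileged = true;

/* Buggy shape, as described in the advisory: the failure path inside the
 * loop returns while the lock taken before the loop is still held. */
static int mark_pod_buggy(unsigned long gfn, unsigned int count)
{
    gfn_lock();
    for (unsigned int i = 0; i < count; i++) {
        if (gfn_in_use[gfn + i]) {
            printf("gfn %lu already in use\n", gfn + i);
            return -EBUSY;           /* BUG: gfn_unlock() is skipped */
        }
    }
    /* ... the actual populate-on-demand marking would happen here ... */
    gfn_unlock();
    return 0;
}

/* Fixed shape: privilege check before taking the lock, and one exit path
 * that always releases it, whichever way the loop ends. */
static int mark_pod_fixed(unsigned long gfn, unsigned int count)
{
    int rc = 0;

    if (!caller_is_privileged)
        return -EPERM;               /* rejected before any lock is held */

    gfn_lock();
    for (unsigned int i = 0; i < count; i++) {
        if (gfn_in_use[gfn + i]) {
            printf("gfn %lu already in use\n", gfn + i);
            rc = -EBUSY;
            goto out;                /* leave via the unlocking path */
        }
    }
    /* ... the actual populate-on-demand marking would happen here ... */
out:
    gfn_unlock();
    return rc;
}

/* Run one call against a fresh state (busy_gfn marked in use if in range)
 * and report the lock depth left behind; 0 means lock and unlock balanced. */
static int lock_depth_after(int (*fn)(unsigned long, unsigned int),
                            unsigned long gfn, unsigned int count,
                            unsigned long busy_gfn)
{
    p2m_lock_depth = 0;
    for (size_t i = 0; i < NR_GFNS; i++)
        gfn_in_use[i] = false;
    if (busy_gfn < NR_GFNS)
        gfn_in_use[busy_gfn] = true;
    (void)fn(gfn, count);
    return p2m_lock_depth;
}

/* True if an unprivileged caller is refused and no lock is left held. */
static bool privilege_gate_rejects(void)
{
    int rc;
    p2m_lock_depth = 0;
    caller_is_privileged = false;
    rc = mark_pod_fixed(0, 4);
    caller_is_privileged = true;
    return rc == -EPERM && p2m_lock_depth == 0;
}

int main(void)
{
    printf("buggy, collision : depth %d\n", lock_depth_after(mark_pod_buggy, 0, 4, 2));
    printf("fixed, collision : depth %d\n", lock_depth_after(mark_pod_fixed, 0, 4, 2));
    printf("unprivileged caller rejected: %s\n", privilege_gate_rejects() ? "yes" : "no");
    return 0;
}
```

The counter is the check a reviewer would want for this bug class: every return path out of a function that took a lock must pass through the matching unlock, and the `goto out` single-exit pattern makes that property visible at a glance rather than dependent on each early return remembering to release.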

IMPACT

A malicious guest administrator can cause Xen to hang.

VULNERABLE SYSTEMS

All Xen versions from 3.4 onwards are vulnerable.
The vulnerability is only exposed by HVM guests.

CPE: xen, version >= 3.4
