Xen Project XSA-345
Oct 20, 2020 - 11:49 a.m.

x86: Race condition in Xen mapping code

xenbits.xen.org

EPSS: 0.0004 (Low), percentile 13.6%

ISSUE DESCRIPTION

The Xen code handling the updating of the hypervisor’s own pagetables tries to use 2MiB and 1GiB superpages as much as possible to maximize TLB efficiency. Some of the operations for checking and coalescing superpages take a non-negligible amount of time; to avoid potential lock contention, this code also tries to avoid holding locks for the entire operation.
Unfortunately, several potential race conditions were not considered; precisely-timed guest actions could potentially lead to the code writing to a page which has been freed (and thus potentially already reused).
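The race class the description refers to can be modelled without any hypervisor internals: a routine snapshots a pagetable entry, drops the lock while it does slow superpage checks, and then writes through the snapshot. The following C model is an added illustration and is not Xen's code; every name in it (pt pool, dir_entry, coalesce_unsafe, coalesce_safe, the race hook) is invented, and the page pool stands in for the real allocator so that a write to a freed page is recorded rather than performed on real memory. The hardened variant shows the defensive pattern of re-reading the entry after reacquiring the lock and abandoning the write if it changed.

```c
/*
 * Simplified model (added example, not Xen's own code) of the XSA-345 race
 * class: snapshot a directory entry, release the lock for slow checks, then
 * write through the stale snapshot. If the entry was replaced and the old
 * table freed in the window, the write lands on a freed (possibly reused)
 * page. All identifiers here are invented for this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_PAGES 4
#define ENTRIES 8

/* Tiny page pool standing in for the hypervisor's page allocator. */
static uint64_t table_pool[POOL_PAGES][ENTRIES];
static bool page_freed[POOL_PAGES];

static int alloc_page(void) {
    for (int i = 0; i < POOL_PAGES; i++) {
        if (page_freed[i]) {
            page_freed[i] = false;
            memset(table_pool[i], 0, sizeof table_pool[i]);
            return i;
        }
    }
    return -1;
}

static void free_page(int idx) { page_freed[idx] = true; }

/* The directory entry under contention: index of the L1 table it points to. */
static int dir_entry;

/* Hook run while the lock is dropped; models "precisely-timed guest actions"
 * that make the hypervisor replace the L1 table and free the old one. */
typedef void (*race_hook_t)(void);

static void replace_table_during_window(void) {
    int old = dir_entry;
    int fresh = alloc_page();
    if (fresh < 0)
        return;             /* pool exhausted: leave the entry alone */
    dir_entry = fresh;
    free_page(old);
}

static void no_race(void) {}

enum result { WROTE_LIVE = 0, WROTE_FREED = 1, RETRIED = 2 };

/* Vulnerable pattern: snapshot, drop lock, write through the stale snapshot. */
static enum result coalesce_unsafe(race_hook_t hook) {
    /* lock held */
    int l1 = dir_entry;            /* snapshot of the entry */
    /* lock dropped: slow superpage checks happen here */
    hook();
    /* lock reacquired, but the snapshot is trusted unchecked */
    table_pool[l1][0] = 0x80;      /* lands on the old table even if freed */
    return page_freed[l1] ? WROTE_FREED : WROTE_LIVE;
}

/* Hardened pattern: re-read the entry after reacquiring the lock and
 * abandon the write (caller retries) if it no longer matches. */
static enum result coalesce_safe(race_hook_t hook) {
    /* lock held */
    int l1 = dir_entry;
    /* lock dropped */
    hook();
    /* lock reacquired: validate before touching the remembered table */
    if (dir_entry != l1)
        return RETRIED;
    table_pool[l1][0] = 0x80;
    return WROTE_LIVE;
}

/* Fresh scenario: all pages free, one live L1 table referenced by the entry. */
static void scenario_reset(void) {
    for (int i = 0; i < POOL_PAGES; i++)
        page_freed[i] = true;
    dir_entry = alloc_page();
}

int main(void) {
    scenario_reset();
    printf("unsafe, no race:   %d\n", coalesce_unsafe(no_race));
    scenario_reset();
    printf("unsafe, raced:     %d\n", coalesce_unsafe(replace_table_during_window));
    scenario_reset();
    printf("safe, raced:       %d\n", coalesce_safe(replace_table_during_window));
    return 0;
}
```

The unsafe routine reports a write to a freed page whenever the hook runs in the unlocked window; the safe routine notices the entry changed and returns RETRIED without writing, which is the check a reviewer would look for wherever a pagetable walk drops a lock mid-operation.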

IMPACT

A malicious guest can cause a host denial-of-service. Data corruption or privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

Versions of Xen from at least 3.2 onward are affected.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Guests can only exercise the vulnerability if they have passed through hardware devices. Guests without passthrough configured cannot exploit the vulnerability.
Furthermore, HVM and PVH guests can only exercise the vulnerability if they are running in shadow mode, and only when running on VT-x capable hardware (as opposed to SVM). This is believed to be Intel, Centaur and Shanghai CPUs.

CPE Name   Operator   Version
xen        ge         3.2