MMIO_DM specifically marks pages which aren't valid, much like INVALID
does. Dropping the type from the predicate
- (conceptually) corrects _sh_propagate(), where the comment says that
"something valid" is needed (the only call path not passing in RAM_RW
would pass in INVALID_GFN along with MMIO_DM),
- is benign to the use in sh_page_fault(), where the subsequent
mfn_valid() check would otherwise cause the same bail-out code path to
be taken,
- is benign to all three uses in p2m_pt_get_entry(), as MMIO_DM entries
will only ever yield non-present entries, which are being checked for
earlier,
- is benign to sh_unshadow_for_p2m_change(), for the same reason,
- is benign to gnttab_transfer() with EPT not in use, again because
MMIO_DM entries will only ever yield non-present entries, and
INVALID_MFN is returned for those anyway by p2m_pt_get_entry().
- for gnttab_transfer() with EPT in use (conceptually) corrects the
corner case of a page first being subject to XEN_DMOP_set_mem_type
converting a RAM type to MMIO_DM (which retains the MFN in the entry),
and then being subject to GNTTABOP_transfer, except that steal_page()
would later make the operation fail unconditionally anyway.

While there also drop the unused (and otherwise now redundant)
p2m_has_emt().

Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/include/asm/p2m.h
+++ b/xen/arch/x86/include/asm/p2m.h
@@ -168,8 +168,8 @@ typedef unsigned int p2m_query_t;
/* Grant types are *not* considered valid, because they can be
unmapped at any time and, unless you happen to be the shadow or p2m
implementations, there's no way of synchronising against that. */
-#define p2m_is_valid(_t) (p2m_to_mask(_t) & (P2M_RAM_TYPES | P2M_MMIO_TYPES))
-#define p2m_has_emt(_t) (p2m_to_mask(_t) & (P2M_RAM_TYPES | p2m_to_mask(p2m_mmio_direct)))
+#define p2m_is_valid(_t) (p2m_to_mask(_t) & \
+ (P2M_RAM_TYPES | p2m_to_mask(p2m_mmio_direct)))
#define p2m_is_pageable(_t) (p2m_to_mask(_t) & P2M_PAGEABLE_TYPES)
#define p2m_is_paging(_t) (p2m_to_mask(_t) & P2M_PAGING_TYPES)
#define p2m_is_paged(_t) (p2m_to_mask(_t) & P2M_PAGED_TYPES)
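
Review bot: The comment directly above p2m_is_valid() still explains only why grant types are excluded, while the new mask, P2M_RAM_TYPES | p2m_to_mask(p2m_mmio_direct), now also leaves out MMIO_DM. Extending that comment with a sentence saying MMIO_DM is deliberately not considered valid (much like INVALID, as the commit message puts it) would keep the rationale next to the predicate, where future callers will look. Since the new p2m_is_valid() body is identical to the removed p2m_has_emt(), dropping the latter is consistent; the description says it is unused, so a build across shadow and HAP configurations is enough to confirm that.
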
On Wed, Feb 26, 2025 at 12:53:14PM +0100, Jan Beulich wrote:
> MMIO_DM specifically marks pages which aren't valid, much like INVALID
> does. Dropping the type from the predicate
> - (conceptually) corrects _sh_propagate(), where the comment says that
> "something valid" is needed (the only call path not passing in RAM_RW
> would pass in INVALID_GFN along with MMIO_DM),
> - is benign to the use in sh_page_fault(), where the subsequent
> mfn_valid() check would otherwise cause the same bail-out code path to
> be taken,
> - is benign to all three uses in p2m_pt_get_entry(), as MMIO_DM entries
> will only ever yield non-present entries, which are being checked for
> earlier,
> - is benign to sh_unshadow_for_p2m_change(), for the same reason,
> - is benign to gnttab_transfer() with EPT not in use, again because
> MMIO_DM entries will only ever yield non-present entries, and
> INVALID_MFN is returned for those anyway by p2m_pt_get_entry().
> - for gnttab_transfer() with EPT in use (conceptually) corrects the
> corner case of a page first being subject to XEN_DMOP_set_mem_type
> converting a RAM type to MMIO_DM (which retains the MFN in the entry),
> and then being subject to GNTTABOP_transfer, except that steal_page()
> would later make the operation fail unconditionally anyway.
>
> While there also drop the unused (and otherwise now redundant)
> p2m_has_emt().
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

It's tightening an existing check (making it more restrictive), so as
long as current users can deal with it.

Acked-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks, Roger.