From: Jan Beulich <jbeulich@suse.com>
Subject: Arm: foreign page handling in p2m_get_page_from_gfn()

I can't see what would make the 1st of the assertions safe: For example,
the P2M lock not being held, the foreign page may disappear before we
get to call page_get_owner_and_reference(), which hence may return NULL.

Even the 2nd, which appears to be safe, is lacking proper release
build fallbacks.

Drop the former in favor of an if(), and convert the latter to the
equivalent of what x86 uses: ASSERT_UNREACHABLE() plus putting of the
obtained page.

This is CVE-2025-58144 / part of XSA-473.

Fixes: 9486a8d07ba8 ("xen/arm: Handle remove foreign mapping")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>

--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -612,10 +612,16 @@ struct page_info *p2m_get_page_from_gfn(
      */
     if ( p2m_is_foreign(p2mt) )
     {
-        struct domain *fdom = page_get_owner_and_reference(page);
-        ASSERT(fdom != NULL);
-        ASSERT(fdom != d);
-        return page;
+        const struct domain *fdom = page_get_owner_and_reference(page);
+
+        if ( fdom )
+        {
+            if ( fdom != d )
+                return page;
+            ASSERT_UNREACHABLE();
+            put_page(page);
+        }
+        return NULL;
     }
 
     return get_page(page, d) ? page : NULL;
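Review bot: the `put_page(page);` after `ASSERT_UNREACHABLE();` deserves a one-line comment, since the pairing is not self-evident to a later reader: `page_get_owner_and_reference()` has already taken a reference at that point, so the `fdom == d` release-build fallback must drop it before returning NULL to keep the refcount balanced, matching the "putting of the obtained page" described in the commit message. Something like `/* Drop the reference taken above; not ours to keep. */` directly above `put_page(page);` would make the intent explicit. The `fdom == NULL` path needs no put, as no reference was obtained, and the `const struct domain *` change is fine since `fdom` is only compared against `d`.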
