* Grant table status pages are incorrectly freed during a grant table version downgrade
  Up/downgrading a grant table's version involves allocating/freeing its status pages. gnttab_populate_status_frames calls gnttab_create_status_page, which in turn calls share_xen_page_with_guest, which sets the status page's owner to the relevant domain and adds it to that domain's xenpage_list. gnttab_unpopulate_status_frames sets the status page's owner back to the hypervisor, but does not remove it from the domain's xenpage_list. This means that once it is added to the free page list it is 'in' two lists at once, corrupting the domain's xenpage_list. This is at least a denial-of-service (crash), but I am unsure of the outcomes a corrupted linked list can lead to in Xen.
  Downgrading the grant table's version is only doable when it is not in use, hence this bug is best seen using minios. The attached POC exploit, to be used as an appmain function for minios, shows how xenpage_list gets corrupted eventually by switching back and forth between grant table versions 1 and 2.
  I tried to use this bug to create a use-after-free situation (create domain Attacker1, populate status pages, unpopulate status pages, create (or let be created) domain Target1 (which uses a page previously used as the status page for its domain info), end domain Attacker1 (freeing that page again), create domain Attacker2, populate status pages, hopefully getting that same page back for use again to modify). However, only the owning domain can free a page in its xenpage_list.
  This bug is present in (at least) 4.1.2 and unstable.
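The following is an added illustration, not Xen code and not the attached POC: a small user-space model of the list corruption described above. It uses an intrusive doubly linked list modelled on Xen's list_head, borrows the function names from the report for readability, and is built on the assumptions that a page is a node that can sit on exactly one list and that the status page is released to a free list after its owner is reset. The buggy unpopulate resets the owner but leaves the page on the domain's xenpage_list; the fixed variant removes it first. check_xenpage_list walks the domain's list and reports -1 when it finds a node the domain does not own or a walk that never returns to the head, which is what the double membership produces after a single version 2 -> 1 round trip.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal intrusive doubly linked list, modelled on Linux/Xen list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n) {
    n->next->prev = n->prev; n->prev->next = n->next;
    n->next = n->prev = NULL;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define HYPERVISOR_OWNER (-1)

struct domain    { int id; struct list_head xenpage_list; };
struct page_info { int owner; struct list_head list; };

/* Model of share_xen_page_with_guest: page becomes d's and joins d->xenpage_list. */
static void share_xen_page_with_guest(struct page_info *pg, struct domain *d) {
    pg->owner = d->id;
    list_add(&pg->list, &d->xenpage_list);
}

typedef void (*unpopulate_fn)(struct page_info *, struct domain *, struct list_head *);

/* Buggy unpopulate (the report's gnttab_unpopulate_status_frames behaviour):
 * owner goes back to the hypervisor, page goes to the free list, but the page
 * is never unlinked from d->xenpage_list, so it is now on two lists at once. */
static void unpopulate_buggy(struct page_info *pg, struct domain *d, struct list_head *free_list) {
    (void)d;
    pg->owner = HYPERVISOR_OWNER;
    list_add(&pg->list, free_list);
}

/* Fixed unpopulate (assumed fix, not taken from Xen): unlink from the owning
 * domain's list before resetting the owner and freeing. */
static void unpopulate_fixed(struct page_info *pg, struct domain *d, struct list_head *free_list) {
    (void)d;
    list_del(&pg->list);
    pg->owner = HYPERVISOR_OWNER;
    list_add(&pg->list, free_list);
}

/* Walk d->xenpage_list. Returns the node count, or -1 if a node is not owned
 * by d, a neighbour's back-pointer disagrees, or the walk exceeds `limit`
 * without returning to the head (i.e. it wandered into another list). */
static int check_xenpage_list(struct domain *d, int limit) {
    struct list_head *h = &d->xenpage_list;
    int n = 0;
    for (struct list_head *p = h->next; p != h; p = p->next) {
        if (++n > limit || p->next->prev != p) return -1;
        if (container_of(p, struct page_info, list)->owner != d->id) return -1;
    }
    return n;
}

/* Simulate `rounds` version 2 -> version 1 switches: each round takes a status
 * page from the free list, shares it with the domain, then unpopulates it.
 * Constructed scenario: the domain already owns one unrelated shared page. */
static int simulate(int rounds, unpopulate_fn unpopulate) {
    struct page_info pages[4];
    struct domain d = { .id = 1 };
    struct list_head free_list;
    list_init(&d.xenpage_list);
    list_init(&free_list);
    share_xen_page_with_guest(&pages[0], &d);          /* legitimately shared page */
    for (int i = 1; i < 4; i++) {
        pages[i].owner = HYPERVISOR_OWNER;
        list_add(&pages[i].list, &free_list);
    }
    for (int r = 0; r < rounds; r++) {
        struct page_info *status = container_of(free_list.next, struct page_info, list);
        list_del(&status->list);                       /* allocate from free list */
        share_xen_page_with_guest(status, &d);         /* populate status frame */
        unpopulate(status, &d, &free_list);            /* downgrade to version 1 */
    }
    return check_xenpage_list(&d, 64);
}

int main(void) {
    printf("buggy after 1 round: %d\n", simulate(1, unpopulate_buggy));  /* -1 */
    printf("fixed after 5 rounds: %d\n", simulate(5, unpopulate_fixed)); /* 1 */
    return 0;
}
```

The model deliberately keeps every pointer valid so it never crashes; in the real hypervisor the stale node's next/prev point into the page allocator's free list, which is why a later walk of xenpage_list (for instance at domain teardown) can dereference pages the domain no longer owns.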