add IO requrest 'req_buf' check before reference

This address maybe invalid if a hostile address was set
in hypercall 'HC_SET_IOREQ_BUFFER'.it should be validated
before using.

Update:
  -- save HVA to guest OS's request buffer in hyperviosr
  -- change type of 'req_buf' from 'uint64_t' to 'void *'
  -- remove HPA to HVA translation code when using this addr.
  -- use error number instead of -1 when return error cases.

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>

hypervisor/arch/x86/ept.c

@@ -344,8 +344,9 @@ int dm_emulate_mmio_post(struct vcpu *vcpu)
 {
 	int ret = 0;
 	int cur = vcpu->vcpu_id;
-	struct vhm_request_buffer *req_buf =
-		(void *)HPA2HVA(vcpu->vm->sw.req_buf);
+	struct vhm_request_buffer *req_buf;
+
+	req_buf = (struct vhm_request_buffer *)(vcpu->vm->sw.req_buf);
 
 	vcpu->req.reqs.mmio_request.value =
 		req_buf->req_queue[cur].reqs.mmio_request.value;

hypervisor/arch/x86/guest/vm.c

@@ -170,7 +170,7 @@ int create_vm(struct vm_description *vm_desc, struct vm **rtn_vm)
 
 			/* Populate return VM handle */
 			*rtn_vm = vm;
-			vm->sw.req_buf = 0;
+			vm->sw.req_buf = NULL;
 
 			status = set_vcpuid_entries(vm);
 			if (status)

hypervisor/arch/x86/io.c

@@ -39,12 +39,13 @@ int dm_emulate_pio_post(struct vcpu *vcpu)
 {
 	int cur = vcpu->vcpu_id;
 	int cur_context = vcpu->arch_vcpu.cur_context;
-	struct vhm_request_buffer *req_buf =
-		(void *)HPA2HVA(vcpu->vm->sw.req_buf);
+	struct vhm_request_buffer *req_buf = NULL;
 	uint32_t mask =
 		0xFFFFFFFFul >> (32 - 8 * vcpu->req.reqs.pio_request.size);
 	uint64_t *rax;
 
+	req_buf = (struct vhm_request_buffer *)(vcpu->vm->sw.req_buf);
+
 	rax = &vcpu->arch_vcpu.contexts[cur_context].guest_cpu_regs.regs.rax;
 	vcpu->req.reqs.pio_request.value =
 		req_buf->req_queue[cur].reqs.pio_request.value;