When the code processing grant table transfer requests finds a page with an address too large to be represented in the interface with the guest, it allocates a replacement page and copies page contents. The page as well as certain other remnants of an affected guest will be leaked due to being unfreeable upon domain cleanup.
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1771350]
Upstream issue and patch: https://xenbits.xen.org/xsa/advisory-284.html