Xen Project 4.10.2

We are pleased to announce the release of Xen 4.10.2. This is available immediately from its git repository 

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.10 (tag RELEASE-4.10.2) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 0c1d5b68e2: update Xen version to 4.10.2 [Jan Beulich]
  • 4266e4c7d3: x86: assorted array_index_nospec() insertions [Jan Beulich]
  • 74a95386d4: VT-d/dmar: iommu mem leak fix [Zhenzhong Duan]
  • b75228ccc3: rangeset: make inquiry functions tolerate NULL inputs [Jan Beulich]
  • 24bc2e31b2: x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address [Andrew Cooper]
  • bd993a7b4e: x86/hvm/ioreq: MMIO range checking completely ignores direction flag [Paul Durrant]
  • e0a20e7c5c: x86/vlapic: Bugfixes and improvements to vlapic_{read,write}() [Andrew Cooper]
  • 713f3b1294: x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash() [Andrew Cooper]
  • 017f85220f: tools: prepend to PKG_CONFIG_PATH when configuring qemu [Stewart Hildebrand]
  • bf1b7f5b9b: libxl: start pvqemu when 9pfs is requested [Stefano Stabellini]
  • fe50b33b07: x86: write to correct variable in parse_pv_l1tf() [Jan Beulich]
  • 13e85a6dbc: xl.conf: Add global affinity masks [Wei Liu]
  • fac0731d75: x86: Make "spec-ctrl=no" a global disable of all mitigations [Jan Beulich]
  • ed933041a8: x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests [Andrew Cooper]
  • ef71d13e7f: x86/msr: Virtualise MSR_FLUSH_CMD for guests [Andrew Cooper]
  • 80dd3f52be: x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH [Andrew Cooper]
  • c67a8b808a: x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE [Juergen Gross]
  • 85d133b90d: x86/mm: Plumbing to allow any PTE update to fail with -ERESTART [Andrew Cooper]
  • d46374d794: x86/shadow: Infrastructure to force a PV guest into shadow mode [Juergen Gross]
  • 614fd2558f: x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests [Andrew Cooper]
  • 684fb8c7c4: x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations [Andrew Cooper]
  • 56d5138060: tools/oxenstored: Make evaluation order explicit [Christian Lindig]
  • 924a5ee8c0: x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits [Andrew Cooper]
  • 5fd0bb322d: ARM: disable grant table v2 [Stefano Stabellini]
  • 9e7ee9478d: common/gnttab: Introduce command line feature controls [Andrew Cooper]
  • 0de39f36b7: VMX: fix vmx_{find,del}_msr() build [Jan Beulich]
  • 6504045842: x86/vmx: Support load-only guest MSR list entries [Andrew Cooper]
  • b4d669064f: x86/vmx: Pass an MSR value into vmx_msr_add() [Andrew Cooper]
  • 09b6924ec6: x86/vmx: Improvements to LBR MSR handling [Andrew Cooper]
  • 2450f34870: x86/vmx: Support remote access to the MSR lists [Andrew Cooper]
  • 227da39d8f: x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr() [Andrew Cooper]
  • 07a9be73c7: x86/vmx: Internal cleanup for MSR load/save infrastructure [Andrew Cooper]
  • dcca8f0234: x86/vmx: API improvements for MSR load/save infrastructure [Andrew Cooper]
  • 8af1a797de: x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs() [Andrew Cooper]
  • 93017a6b0d: x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit [Andrew Cooper]
  • 6e57d28086: x86/spec-ctrl: Yet more fixes for xpti= parsing [Andrew Cooper]
  • 87c83af333: x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware [Andrew Cooper]
  • b07c76fece: x86/hvm: Disallow unknown MSR_EFER bits [Andrew Cooper]
  • 541a105ada: x86/xstate: Make errors in xstate calculations more obvious by crashing the domain [Andrew Cooper]
  • 6f6207fac5: x86/xstate: Use a guests CPUID policy, rather than allowing all features [Andrew Cooper]
  • 6feafd89d2: x86/vmx: Don't clobber %dr6 while debugging state is lazy [Andrew Cooper]
  • 01eb262d5e: x86: command line option to avoid use of secondary hyper-threads [Jan Beulich]
  • 512d3e7828: x86: possibly bring up all CPUs even if not all are supposed to be used [Jan Beulich]
  • 74f437f054: x86: distinguish CPU offlining from CPU removal [Jan Beulich]
  • 371149b69b: x86/AMD: distinguish compute units from hyper-threads [Jan Beulich]
  • 3607213d2c: cpupools: fix state when downing a CPU failed [Jan Beulich]
  • 714552510a: x86/svm Fixes and cleanup to svm_inject_event() [Andrew Cooper]
  • 498716e253: allow cpu_down() to be called earlier [Jan Beulich]
  • fab92fcf44: xen: oprofile/nmi_int.c: Drop unwanted sexual reference [Ian Jackson]
  • bc1289f1e7: mm/page_alloc: correct first_dirty calculations during block merging [Sergey Dyasli]
  • 4ccf3974c8: x86/spec-ctrl: command line handling adjustments [Jan Beulich]
  • 381fdae3f0: x86: correctly set nonlazy_xstate_used when loading full state [Jan Beulich]
  • d976fe5bf0: xen: Port the array_index_nospec() infrastructure from Linux [Andrew Cooper]
  • a645331a9f: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • c2202404d3: x86/HVM: attempts to emulate FPU insns need to set fpu_initialised [Jan Beulich]
  • 78a86a7c2a: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 6e0e45a963: x86/VT-x: Fix printing of EFER in vmcs_dump_vcpu() [Andrew Cooper]
  • b81a8bf199: x86/traps: Fix error handling of the pv %dr7 shadow state [Andrew Cooper]
  • de578bc4c3: x86/CPUID: don't override tool stack decision to hide STIBP [Jan Beulich]
  • 3bd7966eba: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • dd07d3e25c: libxc/x86/PV: don't hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • b5e9f1e674: x86: guard against #NM [Jan Beulich]
  • e0da0d9170: x86/HVM: don't cause #NM to be raised in Xen [Jan Beulich]
  • 23081587da: libxl: restore passing "readonly=" to qemu for SCSI disks [Ian Jackson]
  • b2444d2f81: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • 42219af0df: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • 1d5a9ecce1: x86/mm: don't bypass preemption checks [Jan Beulich]
  • eeb15764ad: x86/HVM: account for fully eager FPU mode in emulation [Jan Beulich]
  • 4b9dc6d0e6: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 52447b36f1: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 7b35e7807c: xen/x86: use PCID feature [Juergen Gross]
  • 8d48204c6d: xen/x86: add some cr3 helpers [Juergen Gross]
  • b3a7f2f2fe: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • fb781023a4: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 245eaee519: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • 18833a8830: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 72e5b163a2: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 27a4161bf0: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • 23114db6ff: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • 6300cdd7c2: x86: invpcid support [Wei Liu]
  • 2a0913ede5: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • daaf3dd430: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • c2b84e7cc4: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 908ddbbe5d: x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • c75bbf1d87: x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • e9dc0a6654: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 470daefec2: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • c9fdfbb478: x86/spec_ctrl: Explicitly set Xen's default MSR_SPEC_CTRL value [Andrew Cooper]
  • 49aebf4728: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • 48ad1ab669: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • 98a285cb51: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • cb2a83ff0d: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • 51b7b5d631: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 840d6833fc: x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • ec50d21cbf: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • a0355180b6: viridian: fix cpuid leaf 0x40000003 [Paul Durrant]
  • 8342e3f30a: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
  • aaf66de7c5: x86/pv: Hide more EFER bits from PV guests [Andrew Cooper]
  • 7e21b75a21: x86: fix return value checks of set_guest_{machinecheck,nmi}_trapbounce [Jan Beulich]
  • f155f55356: xen/schedule: Fix races in vcpu migration [George Dunlap]
  • 3a903b354c: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
  • 2e2f337085: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
  • 850e5adf4b: xpti: fix bug in double fault handling [Juergen Gross]
  • 13fa2a464f: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
  • ade8f98917: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
  • a7f8880adc: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 3bb756be2b: x86/pv: Introduce and use x86emul_write_dr() [Andrew Cooper]
  • 1aa630599d: x86/pv: Introduce and use x86emul_read_dr() [Andrew Cooper]
  • d93ae631a4: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 6b8d820bbe: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • f253feb3fe: update Xen version to 4.10.2-pre [Jan Beulich]
  • 25e0657ed4: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • 31c78e9ca3: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • 07b6f42623: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 373d49693a: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 9abae6f7a8: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • abe5fb9218: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]

This release also contains changes to qemu-upstream. Its changelog is not listed here because it contains many changes that are not directly related to the Xen Project hypervisor and thus to this release; you can review it at https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.10.1 and qemu-xen-4.10.2). This release does not contain fixes to qemu-traditional.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA       Xen                  qemu-traditional   qemu-upstream
XSA-260   Applied              N/A                N/A
XSA-261   Applied              N/A                N/A
XSA-262   Applied              N/A                N/A
XSA-263   Applied              N/A                N/A
XSA-264   Applied              N/A                N/A
XSA-265   Applied              N/A                N/A
XSA-266   Applied              N/A                N/A
XSA-267   Applied              N/A                N/A
XSA-268   Applied              N/A                N/A
XSA-269   Applied              N/A                N/A
XSA-270   N/A (Linux only)     ...                ...
XSA-271   N/A (XAPI only)      ...                ...
XSA-272   Applied              N/A                N/A
XSA-273   Applied              N/A                N/A
XSA-274   N/A (Linux only)     ...                ...

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.10 stable series update to this latest point release.
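A quick way to act on that recommendation across a fleet is to compare the running hypervisor version against 4.10.2. The script below is an added example and not part of the Xen Project release or its tooling: it parses the xen_version line that `xl info` prints, treats a "-pre" or "-rc" suffix as ranking below the release it precedes, and reports whether the host is at or above the minimum. The `xl info` output embedded in it is a constructed sample so the script runs offline; on a real host pass `"$(xl info)"` to check_host instead.

```sh
#!/bin/sh
# Added example (not Xen Project code): check that a host runs at least
# Xen 4.10.2 by parsing the "xen_version" line that `xl info` prints.
# Assumption: `xl info` prints a "xen_version : MAJOR.MINOR.EXTRA[-SUFFIX]" line.

MIN_VERSION=4.10.2

# Map "MAJOR.MINOR[.EXTRA][-SUFFIX]" to one integer so versions compare with -ge.
# A "-pre"/"-rc" suffix means the tree predates that release, so it ranks
# just below the final release carrying the same number.
version_key() {
    v=$1 final=1
    case $v in *-*) final=0; v=${v%%-*} ;; esac
    IFS=. read -r maj min ext <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 10000 + ${ext:-0} * 10 + final ))
}

# Return 0 when version $1 is at or above version $2, 1 otherwise.
xen_version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Extract the value of the xen_version field from `xl info` output on stdin.
xen_version_from_xl_info() {
    sed -n 's/^xen_version[[:space:]]*:[[:space:]]*//p'
}

# Constructed sample of `xl info` output for a host still on 4.10.1.
SAMPLE_XL_INFO='host                   : xenhost
release                : 4.15.0
xen_major              : 4
xen_minor              : 10
xen_extra              : .1
xen_version            : 4.10.1
xen_caps               : xen-3.0-x86_64 hvm-3.0-x86_64'

# Report whether the host described by `xl info` output $1 needs updating.
# Returns 0 when it is at or above MIN_VERSION, 1 when it is below.
check_host() {
    ver=$(printf '%s\n' "$1" | xen_version_from_xl_info)
    if xen_version_ge "$ver" "$MIN_VERSION"; then
        echo "xen $ver: at or above $MIN_VERSION"
    else
        echo "xen $ver: below $MIN_VERSION, update recommended"
        return 1
    fi
}

# On a real host replace the sample with: check_host "$(xl info)"
check_host "$SAMPLE_XL_INFO" || true
```

The integer key keeps the comparison in plain POSIX sh without relying on `sort -V`, which not every base system ships; the pre-release handling matters because a 4.10.2-pre tree (see the "update Xen version to 4.10.2-pre" commit above) does not carry every fix listed for 4.10.2.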


Created Date Tuesday, 25 September 2018
Modified Date Tuesday, 25 September 2018
