Supported Xen Project 4.8 Series


Xen Project 4.8.0

Release Information

The Xen Project 4.8 release incorporates many new features and improvements to existing features.


For Xen Project 4.8 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.8 check out the Xen Project 4.8 Acknowledgements.

Xen Project 4.8.1

We are pleased to announce the release of Xen 4.8.1. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 5ebb4de: update Xen version to 4.8.1 [Jan Beulich]
  • e1c62cd: oxenstored: trim history in the frequent_ops function [Thomas Sanders]
  • 336afa8: oxenstored transaction conflicts: improve logging [Thomas Sanders]
  • 3ee0d82: oxenstored: don't wake to issue no conflict-credit [Thomas Sanders]
  • 84ee808: oxenstored: do not commit read-only transactions [Thomas Sanders]
  • cb778de: oxenstored: allow self-conflicts [Thomas Sanders]
  • fa0b2b9: oxenstored: blame the connection that caused a transaction conflict [Jonathan Davies]
  • 9ea5032: oxenstored: track commit history [Jonathan Davies]
  • c682760: oxenstored: discard old commit-history on txn end [Thomas Sanders]
  • 9a2c5b4: oxenstored: only record operations with side-effects in history [Jonathan Davies]
  • 567051b: oxenstored: support commit history tracking [Jonathan Davies]
  • 4f4596a: oxenstored: add transaction info relevant to history-tracking [Jonathan Davies]
  • b795db0: oxenstored: ignore domains with no conflict-credit [Thomas Sanders]
  • 6636c70: oxenstored: handling of domain conflict-credit [Thomas Sanders]
  • f2c7ab1: oxenstored: comments explaining some variables [Thomas Sanders]
  • f3b7100: xenstored: Log when the write transaction rate limit bites [Ian Jackson]
  • 4cd02a2: xenstored: apply a write transaction rate limit [Ian Jackson]
  • e0354e6: tools/libxenctrl: fix error check after opening libxenforeignmemory [Paul Durrant]
  • a085f0c: libxl: correct xenstore entry for empty cdrom [Juergen Gross]
  • ec7f9e1: x86: use 64 bit mask when masking away mfn bits [Juergen Gross]
  • 06403aa: memory: properly check guest memory ranges in XENMEM_exchange handling [Jan Beulich]
  • f3623bd: xen: sched: don't call hooks of the wrong scheduler via VCPU2OP [Dario Faggioli]
  • c95bad9: x86/EFI: avoid Xen image when looking for module/kexec position [Jan Beulich]
  • 4ec1cb0: x86/EFI: avoid IOMMU faults on [_end,__2M_rwdata_end) [Jan Beulich]
  • 093a1f1: x86/EFI: avoid overrunning mb_modules[] [Jan Beulich]
  • 47501b6: build/clang: fix XSM dummy policy when using clang 4.0 [Roger Pau Monné]
  • 2859b25: x86: drop unneeded __packed attributes [Roger Pau Monné]
  • ca41491: arm: xen_size should be paddr_t for consistency [Stefano Stabellini]
  • 26dec7a: xen/arm: alternative: Register re-mapped Xen area as a temporary virtual region [Wei Chen]
  • eca97a4: QEMU_TAG update [Ian Jackson]
  • c75fe64: arm: read/write rank->vcpu atomically [Stefano Stabellini]
  • af18ca9: xen/arm: p2m: Perform local TLB invalidation on vCPU migration [Julien Grall]
  • 30c2dd7: xen/arm: Introduce INVALID_VCPU_ID [Julien Grall]
  • 1780ea7: xen/arm: Set nr_cpu_ids to available number of cpus [Vijaya Kumar K]
  • 42290f0: xen/arm: acpi: Relax hw domain mapping attributes to p2m_mmio_direct_c [Edgar E. Iglesias]
  • bd684c2: Revert "xen/arm: Map mmio-sram nodes as un-cached memory" [Edgar E. Iglesias]
  • 783b670: xen/arm: dt: Relax hw domain mapping attributes to p2m_mmio_direct_c [Edgar E. Iglesias]
  • 07f9ddf: xen/arm: flush icache as well when XEN_DOMCTL_cacheflush is issued [Tamas K Lengyel]
  • d31d0cd: xen/arm: fix GIC_INVALID_LR [Stefano Stabellini]
  • b2e678e: fix out of bound access to mode_strings [Stefano Stabellini]
  • 05946b5: missing vgic_unlock_rank in gic_remove_irq_from_guest [Stefano Stabellini]
  • e020ff3: xen/arm: Fix macro for ARM Jazelle CPU feature identification [Artem Mygaiev]
  • 308c646: xen/arm: traps: Emulate ICC_SRE_EL1 as RAZ/WI [Julien Grall]
  • fceae91: xen/arm: Fix misplaced parentheses for PSCI version check [Artem Mygaiev]
  • f667393: arm/irq: Reorder check when the IRQ is already used by someone [Oleksandr Tyshchenko]
  • 768b250: Don't clear HCR_VM bit when updating VTTBR. [Jun Sun]
  • 049b13d: x86/emul: Correct the decoding of mov to/from cr/dr [Andrew Cooper]
  • e26a2a0: x86emul: correct decoding of vzero{all,upper} [Jan Beulich]
  • 866f363: xen: credit2: don't miss accounting while doing a credit reset. [Dario Faggioli]
  • 354c3e4: xen: credit2: always mark a tickled pCPU as... tickled! [Dario Faggioli]
  • 8c2da8f: x86/layout: Correct Xen's idea of its own memory layout [Andrew Cooper]
  • 6289c3b: x86/vmx: Don't leak host syscall MSR state into HVM guests [Andrew Cooper]
  • 2e68fda: xen/arm: fix affected memory range by dcache clean functions [Stefano Stabellini]
  • f85fc97: xen/arm: introduce vwfi parameter [Stefano Stabellini]
  • 9967251: arm/p2m: remove the page from p2m->pages list before freeing it [Julien Grall]
  • 34305da: QEMU_TAG update [Ian Jackson]
  • 437a8e6: VMX: fix VMCS race on context-switch paths [Jan Beulich]
  • 9028ba8: xen/p2m: Fix p2m_flush_table for non-nested cases [George Dunlap]
  • 1c28394: x86/ept: allow write-combining on !mfn_valid() MMIO mappings again [David Woodhouse]
  • c246296: IOMMU: always call teardown callback [Oleksandr Tyshchenko]
  • 10baa19: x86/emulate: don't assume that addr_size == 32 implies protected mode [George Dunlap]
  • 4582c2b: xen: credit2: fix shutdown/suspend when playing with cpupools. [Dario Faggioli]
  • a20300b: xen: credit2: never consider CPUs outside of our cpupool. [Dario Faggioli]
  • 23e3303: xen: credit2: use the correct scratch cpumask. [Dario Faggioli]
  • 95f1f99: x86/hvm: do not set msr_tsc_adjust on hvm_set_guest_tsc_fixed [Joao Martins]
  • 9b0e6d3: x86emul: correct FPU stub asm() constraints [Jan Beulich]
  • b843de7: x86: segment attribute handling adjustments [Jan Beulich]
  • ba7e250: x86emul: LOCK check adjustments [Jan Beulich]
  • 6240d92: x86emul: VEX.B is ignored in compatibility mode [Jan Beulich]
  • b378b1f: x86/xstate: Fix array overrun on hardware with LWP [Andrew Cooper]
  • b29aed8: arm/p2m: Fix regression during domain shutdown with active mem_access [Tamas K Lengyel]
  • e1cefed: libxl: fix libxl_set_memory_target [Wei Liu]
  • 53c3a73: xen/arm: gic-v3: Make sure read from ICC_IAR1_EL1 is visible on the redistributor [Julien Grall]
  • daf491d: x86/cpu: Don't update this_cpu for get_cpu_vendor(, gcv_guest) [Andrew Cooper]
  • a654228: x86/emul: Correct the return value handling of VMFUNC [Andrew Cooper]
  • c581ead: x86/boot: fix build with certain older gcc versions [Jan Beulich]
  • 67e9679: x86emul: CMPXCHG16B requires an aligned operand [Jan Beulich]
  • 080a31b: VT-d: correct dma_msi_set_affinity() [Jan Beulich]
  • 1febe8d: x86emul: ignore most segment bases for 64-bit mode in is_aligned() [Jan Beulich]
  • 7713ee2: x86emul: MOVNTI does not allow REP prefixes [Jan Beulich]
  • b76a796: x86/VPMU: clear the overflow status of which counter happened to overflow [Luwei Kang]
  • e298344: x86/hvm: don't unconditionally create a default ioreq server [Paul Durrant]
  • 6933092: libelf: section index 0 is special [Jan Beulich]
  • af6534e: x86emul: CMPXCHG{8,16}B ignore prefixes [Jan Beulich]
  • 297cf3d: xen: Fix determining when domain creation is complete [Andrew Cooper]
  • 3e902dd: x86emul: correct PUSHF/POPF [Jan Beulich]
  • c5efe95: init/FreeBSD: fix incorrect usage of $rc_pids in xendriverdomain [Roger Pau Monne]
  • 63c68c7: init/FreeBSD: add rc control variables [Roger Pau Monne]
  • 3667bc0: init/FreeBSD: fix xencommons so it can only be launched by Dom0 [Roger Pau Monne]
  • 86e54be: init/FreeBSD: remove xendriverdomain_precmd [Roger Pau Monne]
  • e7ad85e: init/FreeBSD: set correct PATH for xl devd [Roger Pau Monne]
  • bdbfca0: xsm: allow relevant permission during migrate and gpu-passthrough. [Anshul Makkar]
  • 443264e: libxl: init_acpi_config should return rc in exit path, and set to 0 on success [Wei Liu]
  • d575902: x86/emul: add likely()/unlikely() to test harness [Andrew Cooper]
  • 24ccfc3: x86/HVM: add missing NULL check before using VMFUNC hook [Jan Beulich]
  • 7628c7e: x86: force EFLAGS.IF on when exiting to PV guests [Jan Beulich]
  • b996efb: x86/emul: Correct the handling of eflags with SYSCALL [Andrew Cooper]
  • 7967daf: QEMU_TAG update [Ian Jackson]
  • 1f4ea16: update Xen version to 4.8.1-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 3bed93d: cirrus/vnc: zap drop bitblit support from console code. [Gerd Hoffmann]
  • b77d58b: cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo [Gerd Hoffmann]
  • a1d57bb: cirrus: fix oob access issue (CVE-2017-2615) [Li Qiang]
  • 095261a: qemu: ioport_read, ioport_write: be defensive about 32-bit addresses [Ian Jackson]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check;a=shortlog (between tags qemu-xen-4.8.0 and qemu-xen-4.8.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA Xen qemu-traditional qemu-upstream 
XSA-199 N/A Applied N/A
XSA-200 N/A (Xen 4.8 not affected) ... ...
XSA-201 N/A (Applied on master before 4.8 branch was created) ... ...
XSA-202 Applied N/A N/A
XSA-203 Applied N/A N/A
XSA-204 Applied N/A N/A
XSA-205 N/A (Unassigned number) ... ...
XSA-206 Applied N/A N/A
XSA-207 Applied N/A N/A
XSA-208 N/A Applied Applied
XSA-209 N/A Applied Applied
XSA-210 Applied N/A N/A
XSA-211 N/A Applied Applied
XSA-212 Applied N/A N/A

See for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release.

Xen Project 4.8.2

We are pleased to announce the release of Xen 4.8.2. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.2) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 5e4598106e: update Xen version to 4.8.2 [Jan Beulich]
  • ffb73c1406: gnttab: avoid spurious maptrack handle allocation failures [Jan Beulich]
  • 300529d6b5: cpufreq: only stop ondemand governor if already started [Christopher Clark]
  • c1751e204a: VT-d PI: disable VT-d PI when CPU-side PI isn't enabled [Chao Gao]
  • f914884320: VT-d: don't panic/warn on iommu=no-igfx [Rusty Bird]
  • ed6e5d5bab: docs: replace xm with xl in xen-tscmode [Olaf Hering]
  • 7818599594: x86/hvm: Fixes to hvmemul_insn_fetch() [Andrew Cooper]
  • ecb701f38c: rombios: prevent building with PIC/PIE [Olaf Hering]
  • 3ef997c8be: xen/livepatch: Don't crash on encountering STN_UNDEF relocations [Andrew Cooper]
  • 68c4ef23e9: xen/livepatch: Use zeroed memory allocations for arrays [Andrew Cooper]
  • df8c4fa0e0: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths [Jan Beulich]
  • c3c2df8d32: travis: install ghostscript [Wei Liu]
  • 236263f459: gnttab: fix "don't use possibly unbounded tail calls" [Jan Beulich]
  • 5c10e0e4b0: gnttab: fix transitive grant handling [Jan Beulich]
  • 5afb94cac0: gnttab: don't use possibly unbounded tail calls [Jan Beulich]
  • f5211ce758: gnttab: correct pin status fixup for copy [Jan Beulich]
  • 877591cc28: gnttab: split maptrack lock to make it fulfill its purpose again [Jan Beulich]
  • 460cd3b117: x86/grant: disallow misaligned PTEs [Andrew Cooper]
  • 1e6c88fafc: arm: p2m: Prevent redundant icache flushes [Punit Agrawal]
  • 55cf609c40: Allow control of icache invalidations when calling flush_page_to_ram() [Punit Agrawal]
  • 079550e0a0: xen/arm: Properly map the FDT in the boot page table [Julien Grall]
  • f6f543fee9: xen/arm: Check if the FDT passed by the bootloader is valid [Julien Grall]
  • a332ac1f5b: xen/arm: Move the code to map FDT in the boot tables from assembly to C [Julien Grall]
  • 1a147b5359: xen/arm: mm: Move create_mappings function earlier in the file [Julien Grall]
  • 86529087ab: memory: don't suppress P2M update in populate_physmap() [Jan Beulich]
  • 1e40f87dbb: livepatch: Wrong usage of spinlock on debug console. [Konrad Rzeszutek Wilk]
  • 7dd85eb372: Revert "x86/hvm: disable pkeys for guests in non-paging mode" [Andrew Cooper]
  • 24809e04e7: x86/pv: Fix the handling of `int $x` for vectors which alias exceptions [Andrew Cooper]
  • 8d3dafb43f: xen/test/Makefile: Fix clean target, broken by pattern rule [Ian Jackson]
  • aedaa82c2f: x86: avoid leaking PKRU and BND* between vCPU-s [Jan Beulich]
  • a75d7ad053: xen/arm: vgic: Sanitize target mask used to send SGI [Julien Grall]
  • 125a3a9d6a: gnttab: __gnttab_unmap_common_complete() is all-or-nothing [Jan Beulich]
  • b859653b7c: gnttab: correct logic to get page references during map requests [George Dunlap]
  • 429ad0d3f2: gnttab: never create host mapping unless asked to [Jan Beulich]
  • 1959b49f35: gnttab: fix handling of dev_bus_addr during unmap [George Dunlap]
  • 670bb9dd9e: arm: vgic: Don't update the LR when the IRQ is not enabled [Julien Grall]
  • 270b9f8f64: guest_physmap_remove_page() needs its return value checked [Jan Beulich]
  • 50ee10e22c: memory: fix return value handing of guest_remove_page() [Andrew Cooper]
  • e5da3ccafd: evtchn: avoid NULL derefs [Jan Beulich]
  • 982d477b56: x86/shadow: hold references for the duration of emulated writes [Andrew Cooper]
  • ca71eb31d6: gnttab: correct maptrack table accesses [Jan Beulich]
  • c7dab25933: gnttab: Avoid potential double-put of maptrack entry [George Dunlap]
  • ca974091c8: gnttab: fix unmap pin accounting race [Jan Beulich]
  • a4bca7c309: x86/mm: disallow page stealing from HVM domains [Jan Beulich]
  • fe5bbfda64: Makefile: Provide way to ship livepatch test files [Ian Jackson]
  • cb99078ef9: xen/test/livepatch: Add xen_nop.livepatch to .gitignore [Ian Jackson]
  • e1bcfb12d7: xen/test/livepatch: Regularise Makefiles [Ian Jackson]
  • 2d37e90cc7: xen/test/livepatch/Makefile: Install in DESTDIR/usr/lib/debug/xen-livepatch [Ian Jackson]
  • c427a81dee: xen/arm: p2m: Fix incorrect mapping of superpages [Julien Grall]
  • 125e4d4a8d: vgic: refuse irq migration when one is already in progress [Stefano Stabellini]
  • 9e6b2ddf33: arm: remove irq from inflight, then change physical affinity [Stefano Stabellini]
  • 52d83809fa: xen/arm: Survive unknown traps from guests [Julien Grall]
  • 5026eb5ed0: xen/arm: do_trap_hypervisor: Separate hypervisor and guest traps [Julien Grall]
  • e5ec23efcf: xen/arm: Save ESR_EL2 to avoid using mismatched value in syndrome check [Wei Chen]
  • 79d2d5c343: stop_machine: fill fn_result only in case of error [Gregory Herrero]
  • b7d2c0f2f5: hvmloader: avoid tests when they would clobber used memory [Jan Beulich]
  • d5841446b9: arm: fix build with gcc 7 [Jan Beulich]
  • d721af1f6e: x86: fix build with gcc 7 [Jan Beulich]
  • 72808a8717: x86/mm: fix incorrect unmapping of 2MB and 1GB pages [Igor Druzhinin]
  • 173eb93195: x86/pv: Align %rsp before pushing the failsafe stack frame [Andrew Cooper]
  • d29cb493e0: x86/pv: Fix bugs with the handling of int80_bounce [Andrew Cooper]
  • 98cefccaee: x86/vpmu_intel: fix hypervisor crash by masking PC bit in MSR_P6_EVNTSEL [Mohit Gambhir]
  • e91a24cf64: hvm: fix hypervisor crash in hvm_save_one() [Jan Beulich]
  • de1318bb00: x86/32on64: properly honor add-to-physmap-batch's size [Jan Beulich]
  • 4057c6ea80: tools: ocaml: In configure, check for ocamlopt [Ian Jackson]
  • 834ea870c5: tools/libxc: Tolerate specific zero-content records in migration v2 streams [Andrew Cooper]
  • efd2ff999d: libxc: fix segfault on uninitialized xch->fmem [Seraphime Kirkovski]
  • 19ad7c08a8: x86/mce: always re-initialize 'severity_cpu' in mcheck_cmn_handler() [Haozhong Zhang]
  • 1780c265f7: x86/mce: make 'severity_cpu' private to its users [Haozhong Zhang]
  • 8f6d1f9abf: memory: don't hand MFN info to translated guests [Jan Beulich]
  • 957dc0e249: memory: exit early from memory_exchange() upon write-back error [Jan Beulich]
  • 12b1425fdc: kexec: clear kexec_image slot when unloading kexec image [Bhavesh Davda]
  • a782d9d421: update Xen version to 4.8.2-pre [Jan Beulich]
  • 16ed8dd289: x86: discard type information when stealing pages [Jan Beulich]
  • 17051bdb86: multicall: deal with early exit conditions [Jan Beulich]
  • 98e05a3abc: Merge branch 'staging-4.8' of into staging-4.8 [Jan Beulich]
  • c2a541500d: setup vwfi correctly on cpu0 [Stefano Stabellini]

This release contains no fixes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check;a=shortlog (between tags qemu-xen-4.8.1 and qemu-xen-4.8.2).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA Xen qemu-traditional qemu-upstream 
XSA-213 Applied N/A N/A
XSA-214 Applied N/A N/A
XSA-215 N/A (Xen 4.8 not affected) ... ...
XSA-216 N/A N/A Applied
XSA-217 Applied N/A N/A
XSA-218 Applied N/A N/A
XSA-219 Applied N/A N/A
XSA-220 Applied N/A N/A
XSA-221 Applied N/A N/A
XSA-222 Applied N/A N/A
XSA-223 Applied N/A N/A
XSA-224 Applied N/A N/A
XSA-225 Applied N/A N/A
XSA-226 Applied (fix, not work-around, via xsa226-4.9/*.patch) N/A N/A
XSA-227 Applied N/A N/A
XSA-228 Applied N/A N/A
XSA-229 N/A (Linux only) ... ...
XSA-230 Applied N/A N/A
XSA-231 N/A (Pre-released, but embargoed, at the time of this release) ... ...
XSA-232 N/A (Pre-released, but embargoed, at the time of this release) ... ...
XSA-233 N/A (Pre-released, but embargoed, at the time of this release) ... ...
XSA-234 N/A (Pre-released, but embargoed, at the time of this release) ... ...
XSA-235 Applied N/A N/A

See for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release.

Xen Project 4.8.3

We are pleased to announce the release of Xen 4.8.3. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.8 (tag RELEASE-4.8.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 4507bb6ae2: update Xen version to 4.8.3 [Jan Beulich]
  • 31d38d633a: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • 1ba477bde7: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 049e2f45bf: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 49a44f089c: x86: Don't use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • a7cf0a3b81: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • 40c02dd27a: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • 8631e6af5a: x86/E820: don't overrun array [Jan Beulich]
  • eb77163343: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 9c6993b7b9: xen/arm: fix smpboot barriers [Stefano Stabellini]
  • ee24b2f7f0: xen/arm: vgic: Check for vgic handler to be initialized before dereferencing it [Oleksandr Tyshchenko]
  • 579c927c2d: xen/arm: p2m: Check for p2m->domain to be initialized before releasing resources [Oleksandr Tyshchenko]
  • f709287d35: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 6ee114f034: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 15e40427d0: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • 8ab43f785a: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • 24e2cfc0a9: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • ed7765ae03: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • ba28eac093: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • 3f94881ceb: x86/vvmx: don't enable vmcs shadowing for nested guests [Sergey Dyasli]
  • adc494bff2: xen/pv: Construct d0v0's GDT properly [Andrew Cooper]
  • 97546b5e5c: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • ae3aac94ff: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • e9558bee74: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 3effd96e4a: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • 472d596042: sync CPU state upon final domain destruction [Jan Beulich]
  • 1eae46441b: x86/hvm: Don't corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • 7ae2229e3c: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 6353c349a5: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • 6fc1f55e7d: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • 68db69443f: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • 5069fdde82: x86/shadow: fix refcount overflow check [Jan Beulich]
  • a66b8147e9: x86/mm: don't wrongly set page ownership [Jan Beulich]
  • d60d469671: x86: don't wrongly trigger linear page table assertion (2) [Jan Beulich]
  • e54bc7e99b: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • fcc60bc5ad: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 60e86f35f9: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • 9ba6783e47: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
  • bc244b70fe: x86: don't wrongly trigger linear page table assertion [Jan Beulich]
  • 13eb73f0f0: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
  • 6183d537ce: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
  • 1ac3ab78cf: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
  • e1fa1c6ee1: x86/mm: Make PV linear pagetables optional [George Dunlap]
  • 96e76d8b66: x86: fix asm() constraint for GS selector update [Jan Beulich]
  • 651d839afa: x86: don't latch wrong (stale) GS base addresses [Jan Beulich]
  • 14826e327b: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
  • 814e065d66: x86: fix GS-base-dirty determination [Jan Beulich]
  • 03af24c35e: x86emul: handle address wrapping [Jan Beulich]
  • 4a3c5e119a: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
  • 2956a3fdd9: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
  • 3cd9d8440b: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
  • ffb294731d: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
  • f457a229bc: x86: request page table page-in for the correct domain [Jan Beulich]
  • 011a612fa2: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
  • 5b37b5cf0a: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
  • 379213ca25: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
  • f3b2080a55: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
  • fcbbd0faee: gnttab: fix pin count / page reference race [Jan Beulich]
  • 0c647de4db: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
  • bdc2ae68e2: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
  • 96e6364b5f: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
  • 1a8ad09dd1: x86: don't allow page_unlock() to drop the last type reference [Jan Beulich]
  • df8919786f: x86: don't store possibly stale TLB flush time stamp [Jan Beulich]
  • c4f969d254: x86: limit linear page table use to a single level [Jan Beulich]
  • b1f3f1dde1: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
  • 7251c06540: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
  • 1960ca8220: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
  • 866cfa1575: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
  • ddd6e415b1: x86/MSI: disallow redundant enabling [Jan Beulich]
  • 370cc9aa49: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
  • 39e3024360: x86: don't allow MSI pIRQ mapping on unowned device [Jan Beulich]
  • 9f092f57d2: xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken [Julien Grall]
  • 667f70e658: xen/arm: Fix the issue in cmp_mmio_handler used in find_mmio_handler [Bhupinder Thakur]
  • 2116fec45d: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
  • 1a535c3614: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
  • ee3fc24177: x86: introduce and use setup_force_cpu_cap() [Jan Beulich]
  • d623d820c8: x86/emul: Fix the handling of unimplemented Grp7 instructions [Andrew Cooper]
  • dda458cbd4: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
  • c642b12321: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
  • 80d7ef34e9: x86/efi: don't write relocations in efi_arch_relocate_image() first pass [David Woodhouse]
  • ff4f60a5c5: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
  • 36898eb125: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
  • 4d7ccae751: tools/xenstore: dont unlink connection object twice [Juergen Gross]
  • e574046987: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
  • 90dafa46ea: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
  • c020cf2ec0: update Xen version to 4.8.3-pre [Jan Beulich]

This release contains no fixes to qemu-traditional:

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check;a=shortlog (between tags qemu-xen-4.8.2 and qemu-xen-4.8.3).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA Xen qemu-traditional qemu-upstream 
XSA-231 Applied N/A N/A
XSA-232 Applied N/A N/A
XSA-233 Applied N/A N/A
XSA-234 Applied N/A N/A
XSA-235 Fixed in 4.8.2 ... ...
XSA-236 Applied N/A N/A
XSA-237 Applied N/A N/A
XSA-238 Applied N/A N/A
XSA-239 Applied N/A N/A
XSA-240 Applied N/A N/A
XSA-241 Applied N/A N/A
XSA-242 Applied N/A N/A
XSA-243 Applied N/A N/A
XSA-244 Applied N/A N/A
XSA-245 Applied N/A N/A
XSA-246 Applied N/A N/A
XSA-247 Applied N/A N/A
XSA-248 Applied N/A N/A
XSA-249 Applied N/A N/A
XSA-250 Applied N/A N/A
XSA-251 Applied N/A N/A
XSA-252 Reserved Number ... ...
XSA-253 Xen 4.8 not affected ... ...
XSA-254 Partly fixed, see [1] N/A N/A

[1] Notes on Meltdown and Spectre:

  • Xen  4.8.3 contains the XPTI "stage 1" substantial mitigation for Meltdown, and is enabled by default on Intel hardware. This does come with performance/scalability differences which are workload dependent. Explicit choice to enable or disable XPTI can be expressed via `xpti=` on the hypervisor command line. Other earlier Meltdown mitigations are available from specific temporary branches. 
  • Note that Xen 4.8.3 does not yet contain migitations for the Spectre CPU bug variant 2. These are still under review and in any case depend on microcode updates which are not presently available.
  • For more detailed information see XSA-254 or our Spectre/Meltdown FAQ.

See for details related to Xen Project security advisories.

We recommend all users of the 4.8 stable series to update to this latest point release. Users who need Spectre Variant 2 mitigation and prefer to reduce update frequency should consider deferring the deployment of 4.8.3 until a Spectre Variant 2 mitigation is available.