Supported Xen Project 4.9 Series

Xen Project 4.9.0

Release Information

The Xen Project 4.9 release incorporates many new features and improvements to existing features.

Documentation

For Xen Project 4.9 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.9 check out the Xen Project 4.9 Acknowledgements.

Xen Project 4.9.1

We are pleased to announce the release of Xen 4.9.1. This is available immediately from its git repository https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.9 (tag RELEASE-4.9.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • ae34ab8c5d: update Xen version to 4.9.1 [Jan Beulich]
  • d6ce860bbd: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
  • 2098a2d8fe: x86: don't wrongly trigger linear page table assertion [Jan Beulich]
  • ddfca40056: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
  • 80eeaab09a: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
  • a0bc38e063: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
  • 2224080ea1: x86/mm: Make PV linear pagetables optional [George Dunlap]
  • 533b9e4fba: x86/vpmu: Remove unnecessary call to do_interrupt() [Boris Ostrovsky]
  • f8732452d2: x86: fix asm() constraint for GS selector update [Jan Beulich]
  • 6453a6a3f2: x86: don't latch wrong (stale) GS base addresses [Jan Beulich]
  • 1588e534c2: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
  • df07ad1315: x86: fix GS-base-dirty determination [Jan Beulich]
  • 71648cba26: x86/boot: fix early error output [David Esler]
  • 61b6df9d82: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
  • e82f167c0f: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
  • cfdd991ff3: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
  • 155e699a42: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
  • 8fbdbce16c: x86: request page table page-in for the correct domain [Jan Beulich]
  • a8377a3821: fuzz/x86_emulate: clear errors after each iteration [George Dunlap]
  • 0fee1b0382: fuzz/x86_emulate: actually use cpu_regs input [George Dunlap]
  • 02188ac44f: x86emul/fuzz: add rudimentary limit checking [Jan Beulich]
  • de76106618: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
  • 0d67373c69: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
  • 36741c19da: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
  • 53d01aaa64: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
  • 5237ff8995: x86/hvm/dmop: fix EFAULT condition [Wei Liu]
  • 174a569070: gnttab: fix pin count / page reference race [Jan Beulich]
  • 2040ac14e4: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
  • de38e28cc2: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
  • 7fe0a24528: x86/shadow: Don't create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
  • a2af47d9eb: x86: don't allow page_unlock() to drop the last type reference [Jan Beulich]
  • 61a2d31481: x86: don't store possibly stale TLB flush time stamp [Jan Beulich]
  • c2b0a92d23: x86: limit linear page table use to a single level [Jan Beulich]
  • d8426300db: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
  • ef61bcff39: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
  • 44ceb192b5: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
  • ae45442964: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
  • 784afd92e9: x86/MSI: disallow redundant enabling [Jan Beulich]
  • 22032b2d7e: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
  • 58da67fb92: x86: don't allow MSI pIRQ mapping on unowned device [Jan Beulich]
  • d1b64ccd96: xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken [Julien Grall]
  • 9cde7a833d: xen/arm: Fix the issue in cmp_mmio_handler used in find_mmio_handler [Bhupinder Thakur]
  • 1cdcb36701: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
  • 84c039eaf7: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
  • b244ac995c: x86/HVM: correct repeat count update in linear->phys translation [Jan Beulich]
  • 612044a809: x86: introduce and use setup_force_cpu_cap() [Jan Beulich]
  • e8fd372350: x86emul: correct VEX.L handling for VCVT{,T}S{S,D}2SI [Jan Beulich]
  • a568e25a38: x86emul: correct VEX.W handling for non-64-bit VPINSRD [Jan Beulich]
  • 8fef83e60b: x86/emul: Fix the handling of unimplemented Grp7 instructions [Andrew Cooper]
  • 478e40cd64: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
  • 22ea7316e5: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
  • e7703a2e86: x86/efi: don't write relocations in efi_arch_relocate_image() first pass [David Woodhouse]
  • 91ded3b748: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
  • 2cc3d32f40: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
  • 79775f57d3: tools/xenstore: dont unlink connection object twice [Juergen Gross]
  • 43cb0c4ee4: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
  • 4821228a73: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
  • d23bcc5ae7: gnttab: avoid spurious maptrack handle allocation failures [Jan Beulich]
  • 308654c765: cpufreq: only stop ondemand governor if already started [Christopher Clark]
  • 6fd84b3e2b: VT-d PI: disable VT-d PI when CPU-side PI isn't enabled [Chao Gao]
  • 89b36cc68d: VT-d: don't panic/warn on iommu=no-igfx [Rusty Bird]
  • a9ecd604b1: docs: correct paragraph indention in xen-tscmode [Olaf Hering]
  • 798f6c91b7: docs: replace xm with xl in xen-tscmode [Olaf Hering]
  • 6508278f96: x86/hvm: Fixes to hvmemul_insn_fetch() [Andrew Cooper]
  • 5587d9af0d: rombios: prevent building with PIC/PIE [Olaf Hering]
  • 527fc5c31b: stop_machine: fill fn_result only in case of error [Gregory Herrero]
  • 5ff1de3e4f: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths [Jan Beulich]
  • 692ed826af: travis: install ghostscript [Wei Liu]
  • 9bf14bbf99: gnttab: fix "don't use possibly unbounded tail calls" [Jan Beulich]
  • c57b1f959b: gnttab: fix transitive grant handling [Jan Beulich]
  • 6b147fd3de: gnttab: don't use possibly unbounded tail calls [Jan Beulich]
  • 0e186e33c0: add branch maintainership info [Jan Beulich]
  • afc5ebfb5d: gnttab: correct pin status fixup for copy [Jan Beulich]
  • 266fc0ea45: gnttab: split maptrack lock to make it fulfill its purpose again [Jan Beulich]
  • 46981065bd: x86/grant: disallow misaligned PTEs [Andrew Cooper]
  • f4f02f121f: tools/libxl: Fix a segment fault when mmio_hole is set in hvm.cfg [Xiong Zhang]
  • 0fada059a7: Merge staging-4.9 into 4.9.0 release [Ian Jackson]
  • ab4eb6ced9: xen/Makefile: Bump version to 4.9.1-pre [Ian Jackson]
  • b29ecc7f75: xen/livepatch: Don't crash on encountering STN_UNDEF relocations [Andrew Cooper]
  • a11d14bf26: xen/livepatch: Use zeroed memory allocations for arrays [Andrew Cooper]
  • 107401ece2: xen/livepatch: Clean up arch relocation handling [Andrew Cooper]
  • 1b7834a780: docs: improve ARM passthrough doc [Stefano Stabellini]

This release contains no changes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelogs we do not list here because they contain many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.9.0 and qemu-xen-4.9.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

| XSA | Xen | qemu-traditional | qemu-upstream |
|---|---|---|---|
| XSA-226 | Applied | N/A | N/A |
| XSA-227 | Applied | N/A | N/A |
| XSA-228 | Applied | N/A | N/A |
| XSA-229 | N/A (Linux only) | ... | ... |
| XSA-230 | Applied | N/A | N/A |
| XSA-231 | Applied | N/A | N/A |
| XSA-232 | Applied | N/A | N/A |
| XSA-233 | Applied | N/A | N/A |
| XSA-234 | Applied | N/A | N/A |
| XSA-235 | Applied | N/A | N/A |
| XSA-236 | Applied | N/A | N/A |
| XSA-237 | Applied | N/A | N/A |
| XSA-238 | Applied | N/A | N/A |
| XSA-239 | Applied | N/A | N/A |
| XSA-240 | Applied | N/A | N/A |
| XSA-241 | Applied | N/A | N/A |
| XSA-242 | Applied | N/A | N/A |
| XSA-243 | Applied | N/A | N/A |
| XSA-244 | Applied | N/A | N/A |
| XSA-245 | Applied | N/A | N/A |


See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.9 stable series update to this latest point release.

Xen Project 4.9.2

We are pleased to announce the release of Xen 4.9.2. This is available immediately from its git repository https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.9 (tag RELEASE-4.9.2) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • ad4fefdd08: update Xen version to 4.9.2 [Jan Beulich]
  • 6f8eed4d93: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • 3620279d77: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • 29f68405be: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 87b52bf4f1: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • c8a56c786a: x86/xpti: don't map stack guard pages [Jan Beulich]
  • f7b80d2bcc: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • 83419d4912: x86: ignore guest microcode loading attempts [Jan Beulich]
  • 6b1a2704e7: libxl/arm: Fix build on arm64 + acpi [Daniel Sabogal]
  • fb7a786c73: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 88b67ff65e: x86/HVM: don't give the wrong impression of WRMSR succeeding [Jan Beulich]
  • 7bd09b1c84: grant: Release domain lock on 'map' path in cache_flush [George Dunlap]
  • 8262d30abc: x86/pv: Avoid leaking other guests' MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 56d4eb8ed8: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 8ea3f05c45: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • e3905b0aeb: x86/hvm/dmop: only copy what is needed to/from the guest [Ross Lagerwall]
  • 1ab9bae78d: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs [Andrew Cooper]
  • d4f9c4155c: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • 072ede467c: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • c2525d9c71: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • 1a8c1180f0: x86/NMI: invert condition in nmi_show_execution_state() [Jan Beulich]
  • be5de7ad42: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • ad95c29926: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • 0844e62c2f: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32 [Julien Grall]
  • dc3efc2d2b: tools/libxc: Fix restoration of PV MSRs after migrate [Andrew Cooper]
  • 395cb3f9b4: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation [Andrew Cooper]
  • e9bff96bd7: gnttab: don't blindly free status pages upon version change [Jan Beulich]
  • 8f42f0a4f9: gnttab/ARM: don't corrupt shared GFN array [Jan Beulich]
  • aafb8ac8b5: memory: don't implicitly unpin for decrease-reservation [Jan Beulich]
  • 88fbabc491: x86/PV: correctly count MSRs to migrate [Jan Beulich]
  • 3b10e123e9: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • 7d5f8b36be: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • 59999aecda: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • 79d5197952: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • 68c76d71e0: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • bda328363f: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • a24b7553f9: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • 13a30ba54c: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • 0177bf5d25: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • 2fdee60ec1: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • 186c3c6e94: x86: Avoid corruption on migrate for vcpus using CPUID Faulting [Andrew Cooper]
  • e57d4d043b: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • 1dcfd39519: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • f11cf29f27: x86: fix GET_STACK_END [Wei Liu]
  • bd53bc8506: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • 764804938c: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • 602633eb73: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • 6fef46d6fb: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • 30b99299d6: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 447dce891f: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 29df8a5c4d: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 6403b5048d: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • 628b6af24f: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 237a58b1d0: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • f0f7ce5e82: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • d6e972508e: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • 9aaa208886: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • 40f9ae9d05: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • ade9554f87: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • a0ed0349ff: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • 4d01dbc713: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • 22379b6adc: xen/arm32: Invalidate icache on guest exist for Cortex-A15 [Julien Grall]
  • 6e13ad777d: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • 0d32237d5f: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • 4ba59bdc26: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • 2997c5e628: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • 751c8791d0: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • a2567d6b54: xen/arm: cpuerrata: Remove percpu.h include [Julien Grall]
  • 9f79e8d846: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • fba48eff18: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • 3790833ef1: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 50450c1f33: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • 2ec7ccbffc: xen/arm: Introduce enable callback to enable a capabilities on each online CPU [Julien Grall]
  • dc7d46580d: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • 1e0974638d: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 87ea781624: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 96990e27b0: x86: Don't use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • 2213ffe1a2: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • c3774d13ee: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • f559d506f3: x86/E820: don't overrun array [Jan Beulich]
  • f877aab480: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 0c3d524100: xen/arm: vgic: Check for vgic handler to be initialized before dereferencing it [Oleksandr Tyshchenko]
  • 4d190d79b4: xen/arm: p2m: Check for p2m->domain to be initialized before releasing resources [Oleksandr Tyshchenko]
  • a4a4abf8e8: arm: configure interrupts to be in non-secure group1 [Stefano Stabellini]
  • 432f715f22: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • 389df4fcf9: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • d6fe186028: x86/vmx: Don't use hvm_inject_hw_exception() in long_mode_do_msr_write() [Andrew Cooper]
  • 6a39a56030: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • d9ade82b79: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • c09e166b68: x86/mm: drop bogus paging mode assertion [Jan Beulich]
  • df6db6c7c2: x86/mb2: avoid Xen image when looking for module/crashkernel position [Daniel Kiper]
  • 986fcb8513: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • da8c866e20: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • 47a7e3b86e: x86/vvmx: don't enable vmcs shadowing for nested guests [Sergey Dyasli]
  • 57205c489d: xen/pv: Construct d0v0's GDT properly [Andrew Cooper]
  • 09d7c30f03: x86/hvm: fix interaction between internal and external emulation [Paul Durrant]
  • 8edff60551: improve XENMEM_add_to_physmap_batch address checking [Jan Beulich]
  • fe1147d056: x86: check paging mode earlier in xenmem_add_to_physmap_one() [Jan Beulich]
  • 78c61ba506: x86: replace bad ASSERT() in xenmem_add_to_physmap_one() [Jan Beulich]
  • c9afe26e5d: sync CPU state upon final domain destruction [Jan Beulich]
  • 4bd630607d: x86/hvm: Don't corrupt the HVM context stream when writing the MSR record [Andrew Cooper]
  • a20f83846e: x86/hvm: Fix altp2m_vcpu_enable_notify error handling [Adrian Pop]
  • 984bb18c4a: common/gnttab: Correct error handling for gnttab_setup_table() [Andrew Cooper]
  • 1b0029cf6d: x86/vmx: Fix vmentry failure because of invalid LER on Broadwell [Ross Lagerwall]
  • 32e364c4e7: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY [Jan Beulich]
  • d3db9e36f3: x86/shadow: fix ref-counting error handling [Jan Beulich]
  • c553285d2d: x86/shadow: fix refcount overflow check [Jan Beulich]
  • 6260c4724d: x86/mm: don't wrongly set page ownership [Jan Beulich]
  • d1cca0780b: x86: don't wrongly trigger linear page table assertion (2) [Jan Beulich]
  • 0a0dcdcd20: p2m: Check return value of p2m_set_entry() when decreasing reservation [George Dunlap]
  • fb51cab5b1: p2m: Always check to see if removing a p2m entry actually worked [George Dunlap]
  • 61c13eddc6: x86/pod: prevent infinite loop when shattering large pages [Julien Grall]
  • 52ad6515a2: update Xen version to 4.9.2-pre [Jan Beulich]

This release contains no fixes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelogs we do not list here because they contain many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.9.1 and qemu-xen-4.9.2).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

| XSA | Xen | qemu-traditional | qemu-upstream |
|---|---|---|---|
| XSA-246 | Applied | N/A | N/A |
| XSA-247 | Applied | N/A | N/A |
| XSA-248 | Applied | N/A | N/A |
| XSA-249 | Applied | N/A | N/A |
| XSA-250 | Applied | N/A | N/A |
| XSA-251 | Applied | N/A | N/A |
| XSA-252 | Applied | N/A | N/A |
| XSA-253 | N/A (Xen 4.9 is not affected) | ... | ... |
| XSA-254 | Applied (XPTI for Variant 3) | N/A | N/A |
| XSA-255 | Applied | N/A | N/A |
| XSA-256 | Applied | N/A | N/A |


See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.9 stable series update to this latest point release.