We are pleased to announce the release of Xen 4.9.1. This is available immediately from its git repository
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.9 (tag RELEASE-4.9.1) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

• ae34ab8c5d: update Xen version to 4.9.1 [Jan Beulich]
• d6ce860bbd: x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap() [Andrew Cooper]
• 2098a2d8fe: x86: don’t wrongly trigger linear page table assertion [Jan Beulich]
• ddfca40056: x86/mm: fix race condition in modify_xen_mappings() [Yu Zhang]
• 80eeaab09a: x86/mm: fix race conditions in map_pages_to_xen() [Min He]
• a0bc38e063: x86/hvm: do not register hpet mmio during s3 cycle [Eric Chanudet]
• 2224080ea1: x86/mm: Make PV linear pagetables optional [George Dunlap]
• 533b9e4fba: x86/vpmu: Remove unnecessary call to do_interrupt() [Boris Ostrovsky]
• f8732452d2: x86: fix asm() constraint for GS selector update [Jan Beulich]
• 6453a6a3f2: x86: don’t latch wrong (stale) GS base addresses [Jan Beulich]
• 1588e534c2: x86: also show FS/GS base addresses when dumping registers [Jan Beulich]
• df07ad1315: x86: fix GS-base-dirty determination [Jan Beulich]
• 71648cba26: x86/boot: fix early error output [David Esler]
• 61b6df9d82: VMX: PLATFORM_INFO MSR is r/o [Jan Beulich]
• e82f167c0f: x86/vvmx: Fix WRMSR interception of VMX MSRs [Andrew Cooper]
• cfdd991ff3: x86: avoid #GP for PV guest MSR accesses [Jan Beulich]
• 155e699a42: x86: fix do_update_va_mapping_otherdomain() wrt translated domains [Jan Beulich]
• 8fbdbce16c: x86: request page table page-in for the correct domain [Jan Beulich]
• a8377a3821: fuzz/x86_emulate: clear errors after each iteration [George Dunlap]
• 0fee1b0382: fuzz/x86_emulate: actually use cpu_regs input [George Dunlap]
• 02188ac44f: x86emul/fuzz: add rudimentary limit checking [Jan Beulich]
• de76106618: xen/domctl: Fix Xen heap leak via XEN_DOMCTL_getvcpucontext [Andrew Cooper]
• 0d67373c69: x86/PV: fix/generalize guest nul selector handling [Jan Beulich]
• 36741c19da: x86/msr: Correct the definition of MSR_IA32_APICBASE_BASE [Andrew Cooper]
• 53d01aaa64: x86/svm: Fix a livelock when trying to run shadowed unpaged guests [Andrew Cooper]
• 5237ff8995: x86/hvm/dmop: fix EFAULT condition [Wei Liu]
• 174a569070: gnttab: fix pin count / page reference race [Jan Beulich]
• 2040ac14e4: tools/libxc/xc_dom_arm: add missing variable initialization [Bernd Kuhls]
• de38e28cc2: x86/cpu: Fix IST handling during PCPU bringup [Andrew Cooper]
• 7fe0a24528: x86/shadow: Don’t create self-linear shadow mappings for 4-level translated guests [Andrew Cooper]
• a2af47d9eb: x86: don’t allow page_unlock() to drop the last type reference [Jan Beulich]
• 61a2d31481: x86: don’t store possibly stale TLB flush time stamp [Jan Beulich]
• c2b0a92d23: x86: limit linear page table use to a single level [Jan Beulich]
• d8426300db: x86/HVM: prefill partially used variable on emulation paths [Jan Beulich]
• ef61bcff39: x86/ioreq server: correctly handle bogus XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments [Vitaly Kuznetsov]
• 44ceb192b5: x86/FLASK: fix unmap-domain-IRQ XSM hook [Jan Beulich]
• ae45442964: x86/IRQ: conditionally preserve irq pirq mapping on map error paths [Jan Beulich]
• 784afd92e9: x86/MSI: disallow redundant enabling [Jan Beulich]
• 22032b2d7e: x86: enforce proper privilege when (un)mapping pIRQ-s [Jan Beulich]
• 58da67fb92: x86: don’t allow MSI pIRQ mapping on unowned device [Jan Beulich]
• d1b64ccd96: xen/arm: p2m: Read *_mapped_gfn with the p2m lock taken [Julien Grall]
• 9cde7a833d: xen/arm: Fix the issue in cmp_mmio_handler used in find_mmio_handler [Bhupinder Thakur]
• 1cdcb36701: xen/arm: Correctly report the memory region in the dummy NUMA helpers [Julien Grall]
• 84c039eaf7: xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn [Julien Grall]
• b244ac995c: x86/HVM: correct repeat count update in linear->phys translation [Jan Beulich]
• 612044a809: x86: introduce and use setup_force_cpu_cap() [Jan Beulich]
• e8fd372350: x86emul: correct VEX.L handling for VCVT{,T}S{S,D}2SI [Jan Beulich]
• a568e25a38: x86emul: correct VEX.W handling for non-64-bit VPINSRD [Jan Beulich]
• 8fef83e60b: x86/emul: Fix the handling of unimplemented Grp7 instructions [Andrew Cooper]
• 478e40cd64: VT-d: use correct BDF for VF to search VT-d unit [Chao Gao]
• 22ea7316e5: hvmloader: use base instead of pci_mem_start for find_next_rmrr() [Xiong Zhang]
• e7703a2e86: x86/efi: don’t write relocations in efi_arch_relocate_image() first pass [David Woodhouse]
• 91ded3b748: x86: check for allocation errors in modify_xen_mappings() [Jan Beulich]
• 2cc3d32f40: gnttab: also validate PTE permissions upon destroy/replace [Jan Beulich]
• 79775f57d3: tools/xenstore: dont unlink connection object twice [Juergen Gross]
• 43cb0c4ee4: grant_table: fix GNTTABOP_cache_flush handling [Andrew Cooper]
• 4821228a73: xen/mm: make sure node is less than MAX_NUMNODES [George Dunlap]
• d23bcc5ae7: gnttab: avoid spurious maptrack handle allocation failures [Jan Beulich]
• 308654c765: cpufreq: only stop ondemand governor if already started [Christopher Clark]
• 6fd84b3e2b: VT-d PI: disable VT-d PI when CPU-side PI isn’t enabled [Chao Gao]
• 89b36cc68d: VT-d: don’t panic/warn on iommu=no-igfx [Rusty Bird]
• a9ecd604b1: docs: correct paragraph indention in xen-tscmode [Olaf Hering]
• 798f6c91b7: docs: replace xm with xl in xen-tscmode [Olaf Hering]
• 6508278f96: x86/hvm: Fixes to hvmemul_insn_fetch() [Andrew Cooper]
• 5587d9af0d: rombios: prevent building with PIC/PIE [Olaf Hering]
• 527fc5c31b: stop_machine: fill fn_result only in case of error [Gregory Herrero]
• 5ff1de3e4f: arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths [Jan Beulich]
• 692ed826af: travis: install ghostscript [Wei Liu]
• 9bf14bbf99: gnttab: fix “don’t use possibly unbounded tail calls” [Jan Beulich]
• c57b1f959b: gnttab: fix transitive grant handling [Jan Beulich]
• 6b147fd3de: gnttab: don’t use possibly unbounded tail calls [Jan Beulich]
• 0e186e33c0: add branch maintainership info [Jan Beulich]
• afc5ebfb5d: gnttab: correct pin status fixup for copy [Jan Beulich]
• 266fc0ea45: gnttab: split maptrack lock to make it fulfill its purpose again [Jan Beulich]
• 46981065bd: x86/grant: disallow misaligned PTEs [Andrew Cooper]
• f4f02f121f: tools/libxl: Fix a segment fault when mmio_hole is set in hvm.cfg [Xiong Zhang]
• 0fada059a7: Merge staging-4.9 into 4.9.0 release [Ian Jackson]
• ab4eb6ced9: xen/Makefile: Bump version to 4.9.1-pre [Ian Jackson]
• b29ecc7f75: xen/livepatch: Don’t crash on encountering STN_UNDEF relocations [Andrew Cooper]
• a11d14bf26: xen/livepatch: Use zeroed memory allocations for arrays [Andrew Cooper]
• 107401ece2: xen/livepatch: Clean up arch relocation handling [Andrew Cooper]
• 1b7834a780: docs: improve ARM passthrough doc [Stefano Stabellini]

This release contains no changes to qemu-traditional.

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.9.0 and qemu-xen-4.9.1).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.9 stable series to update to this latest point release.