Xen Project 4.10.2

We are pleased to announce the release of Xen 4.10.2. This is available immediately from its git repository (branch stable-4.10, tag RELEASE-4.10.2) or from this download page.
This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 0c1d5b68e2: update Xen version to 4.10.2 [Jan Beulich]
  • 4266e4c7d3: x86: assorted array_index_nospec() insertions [Jan Beulich]
  • 74a95386d4: VT-d/dmar: iommu mem leak fix [Zhenzhong Duan]
  • b75228ccc3: rangeset: make inquiry functions tolerate NULL inputs [Jan Beulich]
  • 24bc2e31b2: x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address [Andrew Cooper]
  • bd993a7b4e: x86/hvm/ioreq: MMIO range checking completely ignores direction flag [Paul Durrant]
  • e0a20e7c5c: x86/vlapic: Bugfixes and improvements to vlapic_{read,write}() [Andrew Cooper]
  • 713f3b1294: x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash() [Andrew Cooper]
  • 017f85220f: tools: prepend to PKG_CONFIG_PATH when configuring qemu [Stewart Hildebrand]
  • bf1b7f5b9b: libxl: start pvqemu when 9pfs is requested [Stefano Stabellini]
  • fe50b33b07: x86: write to correct variable in parse_pv_l1tf() [Jan Beulich]
  • 13e85a6dbc: xl.conf: Add global affinity masks [Wei Liu]
  • fac0731d75: x86: Make “spec-ctrl=no” a global disable of all mitigations [Jan Beulich]
  • ed933041a8: x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests [Andrew Cooper]
  • ef71d13e7f: x86/msr: Virtualise MSR_FLUSH_CMD for guests [Andrew Cooper]
  • 80dd3f52be: x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH [Andrew Cooper]
  • c67a8b808a: x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE [Juergen Gross]
  • 85d133b90d: x86/mm: Plumbing to allow any PTE update to fail with -ERESTART [Andrew Cooper]
  • d46374d794: x86/shadow: Infrastructure to force a PV guest into shadow mode [Juergen Gross]
  • 614fd2558f: x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests [Andrew Cooper]
  • 684fb8c7c4: x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations [Andrew Cooper]
  • 56d5138060: tools/oxenstored: Make evaluation order explicit [Christian Lindig]
  • 924a5ee8c0: x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits [Andrew Cooper]
  • 5fd0bb322d: ARM: disable grant table v2 [Stefano Stabellini]
  • 9e7ee9478d: common/gnttab: Introduce command line feature controls [Andrew Cooper]
  • 0de39f36b7: VMX: fix vmx_{find,del}_msr() build [Jan Beulich]
  • 6504045842: x86/vmx: Support load-only guest MSR list entries [Andrew Cooper]
  • b4d669064f: x86/vmx: Pass an MSR value into vmx_msr_add() [Andrew Cooper]
  • 09b6924ec6: x86/vmx: Improvements to LBR MSR handling [Andrew Cooper]
  • 2450f34870: x86/vmx: Support remote access to the MSR lists [Andrew Cooper]
  • 227da39d8f: x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr() [Andrew Cooper]
  • 07a9be73c7: x86/vmx: Internal cleanup for MSR load/save infrastructure [Andrew Cooper]
  • dcca8f0234: x86/vmx: API improvements for MSR load/save infrastructure [Andrew Cooper]
  • 8af1a797de: x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs() [Andrew Cooper]
  • 93017a6b0d: x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit [Andrew Cooper]
  • 6e57d28086: x86/spec-ctrl: Yet more fixes for xpti= parsing [Andrew Cooper]
  • 87c83af333: x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware [Andrew Cooper]
  • b07c76fece: x86/hvm: Disallow unknown MSR_EFER bits [Andrew Cooper]
  • 541a105ada: x86/xstate: Make errors in xstate calculations more obvious by crashing the domain [Andrew Cooper]
  • 6f6207fac5: x86/xstate: Use a guests CPUID policy, rather than allowing all features [Andrew Cooper]
  • 6feafd89d2: x86/vmx: Don’t clobber %dr6 while debugging state is lazy [Andrew Cooper]
  • 01eb262d5e: x86: command line option to avoid use of secondary hyper-threads [Jan Beulich]
  • 512d3e7828: x86: possibly bring up all CPUs even if not all are supposed to be used [Jan Beulich]
  • 74f437f054: x86: distinguish CPU offlining from CPU removal [Jan Beulich]
  • 371149b69b: x86/AMD: distinguish compute units from hyper-threads [Jan Beulich]
  • 3607213d2c: cpupools: fix state when downing a CPU failed [Jan Beulich]
  • 714552510a: x86/svm Fixes and cleanup to svm_inject_event() [Andrew Cooper]
  • 498716e253: allow cpu_down() to be called earlier [Jan Beulich]
  • fab92fcf44: xen: oprofile/nmi_int.c: Drop unwanted sexual reference [Ian Jackson]
  • bc1289f1e7: mm/page_alloc: correct first_dirty calculations during block merging [Sergey Dyasli]
  • 4ccf3974c8: x86/spec-ctrl: command line handling adjustments [Jan Beulich]
  • 381fdae3f0: x86: correctly set nonlazy_xstate_used when loading full state [Jan Beulich]
  • d976fe5bf0: xen: Port the array_index_nospec() infrastructure from Linux [Andrew Cooper]
  • a645331a9f: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • c2202404d3: x86/HVM: attempts to emulate FPU insns need to set fpu_initialised [Jan Beulich]
  • 78a86a7c2a: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 6e0e45a963: x86/VT-x: Fix printing of EFER in vmcs_dump_vcpu() [Andrew Cooper]
  • b81a8bf199: x86/traps: Fix error handling of the pv %dr7 shadow state [Andrew Cooper]
  • de578bc4c3: x86/CPUID: don’t override tool stack decision to hide STIBP [Jan Beulich]
  • 3bd7966eba: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • dd07d3e25c: libxc/x86/PV: don’t hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • b5e9f1e674: x86: guard against #NM [Jan Beulich]
  • e0da0d9170: x86/HVM: don’t cause #NM to be raised in Xen [Jan Beulich]
  • 23081587da: libxl: restore passing “readonly=” to qemu for SCSI disks [Ian Jackson]
  • b2444d2f81: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • 42219af0df: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • 1d5a9ecce1: x86/mm: don’t bypass preemption checks [Jan Beulich]
  • eeb15764ad: x86/HVM: account for fully eager FPU mode in emulation [Jan Beulich]
  • 4b9dc6d0e6: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 52447b36f1: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 7b35e7807c: xen/x86: use PCID feature [Juergen Gross]
  • 8d48204c6d: xen/x86: add some cr3 helpers [Juergen Gross]
  • b3a7f2f2fe: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • fb781023a4: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 245eaee519: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • 18833a8830: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 72e5b163a2: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 27a4161bf0: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • 23114db6ff: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • 6300cdd7c2: x86: invpcid support [Wei Liu]
  • 2a0913ede5: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • daaf3dd430: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • c2b84e7cc4: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 908ddbbe5d: x86/Intel: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • c75bbf1d87: x86/AMD: Mitigations for GPZ SP4 – Speculative Store Bypass [Andrew Cooper]
  • e9dc0a6654: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 470daefec2: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • c9fdfbb478: x86/spec_ctrl: Explicitly set Xen’s default MSR_SPEC_CTRL value [Andrew Cooper]
  • 49aebf4728: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • 48ad1ab669: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • 98a285cb51: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • cb2a83ff0d: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • 51b7b5d631: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 840d6833fc: x86/spec_ctrl: Express Xen’s choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • ec50d21cbf: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • a0355180b6: viridian: fix cpuid leaf 0x40000003 [Paul Durrant]
  • 8342e3f30a: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
  • aaf66de7c5: x86/pv: Hide more EFER bits from PV guests [Andrew Cooper]
  • 7e21b75a21: x86: fix return value checks of set_guest_{machinecheck,nmi}_trapbounce [Jan Beulich]
  • f155f55356: xen/schedule: Fix races in vcpu migration [George Dunlap]
  • 3a903b354c: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
  • 2e2f337085: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
  • 850e5adf4b: xpti: fix bug in double fault handling [Juergen Gross]
  • 13fa2a464f: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
  • ade8f98917: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
  • a7f8880adc: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 3bb756be2b: x86/pv: Introduce and use x86emul_write_dr() [Andrew Cooper]
  • 1aa630599d: x86/pv: Introduce and use x86emul_read_dr() [Andrew Cooper]
  • d93ae631a4: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 6b8d820bbe: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • f253feb3fe: update Xen version to 4.10.2-pre [Jan Beulich]
  • 25e0657ed4: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • 31c78e9ca3: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • 07b6f42623: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 373d49693a: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 9abae6f7a8: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • abe5fb9218: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]

This release also contains changes to qemu-upstream, whose changelog we do not list here, as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check the qemu-upstream shortlog (between tags qemu-xen-4.10.1 and qemu-xen-4.10.2). This release does not contain fixes to qemu-traditional.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.


  • XSA-270: N/A (Linux only)
  • XSA-271: N/A (XAPI only)
  • XSA-274: N/A (Linux only)

See the Xen Project security advisories for details.

We recommend all users of the 4.10 stable series to update to this latest point release.