We are pleased to announce the release of Xen 4.11.3. This is available immediately from its git repository

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.11 (tag RELEASE-4.11.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

• f137d4c8df: update Xen version to 4.11.3 [Jan Beulich]
• 1d6777df45: IOMMU: default to always quarantining PCI devices [Jan Beulich]
• 0eb99bf90b: x86/mm: Adjust linear uses / entries when a page loses validation [George Dunlap]
• 9474622f02: x86/vvmx: Fix livelock with XSA-304 fix [Andrew Cooper]
• f9ea10dece: x86/livepatch: Prevent patching with active waitqueues [Andrew Cooper]
• 48a2e5d91f: x86/vlapic: allow setting APIC_SPIV_FOCUS_DISABLED in x2APIC mode [Roger Pau Monné]
• 68c8a75889: xen: Add missing va_end() in hypercall_create_continuation() [Julien Grall]
• b697438fe1: x86: fix race to build arch/x86/efi/relocs-dummy.o [Anthony PERARD]
• 71523995b1: x86emul: 16-bit XBEGIN does not truncate rIP [Jan Beulich]
• 75de893687: AMD/IOMMU: don’t needlessly trigger errors/crashes when unmapping a page [Jan Beulich]
• fd405712c7: x86/ioapic: fix clear_IO_APIC_pin write of raw entries [Roger Pau Monné]
• 0a79df7330: x86/shim: copy back the result of EVTCHNOP_status [Roger Pau Monné]
• b12609b76c: x86/vtx: Fixes to Haswell/Broadwell LBR TSX errata [Andrew Cooper]
• a08fdb832f: x86/vtx: Corrections to BDF93 errata workaround [Andrew Cooper]
• 0b1e97d77f: x86: fix off-by-one in is_xen_fixed_mfn() [Jan Beulich]
• 41d85cbeaf: x86/tsc: update vcpu time info on guest TSC adjustments [Roger Pau Monné]
• 64d6137c17: x86/vvmx: Fix the use of RDTSCP when it is intercepted at L0 [Andrew Cooper]
• 74507046db: x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel [Andrew Cooper]
• 56590acd7f: x86/tsx: Introduce tsx= to use MSR_TSX_CTRL when available [Andrew Cooper]
• cc06f60b96: x86/vtx: Allow runtime modification of the exec-sp setting [Andrew Cooper]
• eb60ebb1f0: x86/vtx: Disable executable EPT superpages to work around CVE-2018-12207 [Andrew Cooper]
• 0db606d73f: x86/vtd: Hide superpage support for SandyBridge IOMMUs [Andrew Cooper]
• 006b204124: xen/arm64: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
• a187099e85: xen/arm32: Don’t blindly unmask interrupts on trap without a change of level [Julien Grall]
• 3697e2ac3f: xen/arm32: entry: Fold the macro SAVE_ALL in the macro vector [Julien Grall]
• c0f9d1e59d: xen/arm32: entry: Split __DEFINE_ENTRY_TRAP in two [Julien Grall]
• 7cb2f1dd73: passthrough: quarantine PCI devices [Paul Durrant]
• 56767b7c4d: xen/arm: p2m: Don’t check the return of p2m_get_root_pointer() with BUG_ON() [Julien Grall]
• 952f362d4a: xen/arm: p2m: Avoid off-by-one check on p2m->max_mapped_gfn [Julien Grall]
• 7c3c7d8bdb: xen/arm: p2m: Avoid aliasing guest physical frame [Julien Grall]
• ee78046df3: x86/mm: Don’t drop a type ref unless you held a ref to begin with [George Dunlap]
• 05c14f6e49: x86/mm: Fix nested de-validation on error [George Dunlap]
• 6fed54c86a: x86/mm: Properly handle linear pagetable promotion failures [George Dunlap]
• 766edd733e: x86/mm: Collapse PTF_partial_set and PTF_partial_general_ref into one [George Dunlap]
• 657dc2d1d1: x86/mm: Always retain a general ref on partial [George Dunlap]
• be89e9866c: x86/mm: Have alloc_l[23]_table clear partial_flags when preempting [George Dunlap]
• 273cf03fd8: x86/mm: Rework get_page_and_type_from_mfn conditional [George Dunlap]
• d78a96731f: x86/mm: Use flags for _put_page_type rather than a boolean [George Dunlap]
• c20ab0caef: x86/mm: Separate out partial_pte tristate into individual flags [George Dunlap]
• 535051419e: x86/mm: Don’t re-set PGT_pinned on a partially de-validated page [George Dunlap]
• 19bb4f51f9: x86/mm: L1TF checks don’t leave a partial entry [George Dunlap]
• ca185ab0a7: x86/PV: check GDT/LDT limits during emulation [Jan Beulich]
• 00474079f2: xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation() [Andrew Cooper]
• aebe0554e9: xen/arm: mm: Flush the TLBs even if a mapping failed in create_xen_entries [Julien Grall]
• d6d52bc5ab: xen/arm: fix nr_pdxs calculation [Stefano Stabellini]
• 317de0a12f: xen/arm64: Correctly compute the virtual address in maddr_to_virt() [Julien Grall]
• 1b1609327d: xen/arm: vsmc: The function identifier is always 32-bit [Julien Grall]
• ce7b549d23: xen/arm: p2m: Free the p2m entry after flushing the IOMMU TLBs [Julien Grall]
• 621b2d0154: xen/arm: Don’t use _end in is_xen_fixed_mfn() [Julien Grall]
• 8502a2cdcc: xen/arm: setup: Calculate correctly the size of Xen [Julien Grall]
• 7f5f48dff3: xen/arm: traps: Avoid using BUG_ON() to check guest state in advance_pc() [Julien Grall]
• 7824b9fc7e: arm: gic-v3: deactivate interrupts during initialization [Peng Fan]
• b52bcda6f5: xen/arm: gic-v2: deactivate interrupts during initialization [Stefano Stabellini]
• 27ff738792: xen/arm: irq: End cleanly spurious interrupt [Julien Grall]
• 6d367347bc: xen/arm: gic: Make sure the number of interrupt lines is valid before using it [Julien Grall]
• e2e653f692: passthrough/vtd: Don’t DMA to the stack in queue_invalidate_wait() [Andrew Cooper]
• 9eac9324c7: x86/crash: fix kexec transition breakage [Igor Druzhinin]
• d4fe232a0f: AMD/IOMMU: process softirqs while dumping IRTs [Jan Beulich]
• ba287c75ba: AMD/IOMMU: free more memory when cleaning up after error [Jan Beulich]
• e33ce327e8: x86/svm: Fix svm_vmcb_dump() when used in current context [Andrew Cooper]
• 28ed7a571f: x86/boot: Don’t leak the module_map allocation in __start_xen() [Andrew Cooper]
• 527e324dbb: x86/hvm: Fix altp2m_op hypercall continuations [Andrew Cooper]
• 91836ce37b: x86/msr: Fix handling of MSR_AMD_PATCHLEVEL/MSR_IA32_UCODE_REV [Andrew Cooper]
• 6eb3f76784: xen/arm: SCTLR_EL1 is a 64-bit register on Arm64 [Julien Grall]
• cb86f3d039: xen/arm: traps: Avoid using BUG_ON() in _show_registers() [Julien Grall]
• 8bfcd2e5fd: x86/efi: properly handle 0 in pixel reserved bitmask [Igor Druzhinin]
• fb1db30460: pci: clear {host/guest}_maskall field on assign [Roger Pau Monné]
• b5433e7ed0: efi/boot: make sure graphics mode is set while booting through MB2 [Igor Druzhinin]
• b6ef69de69: efi/boot: add missing pointer dereference in set_color [Igor Druzhinin]
• d27973cd29: IOMMU: add missing HVM check [Jan Beulich]
• ba6f5bea6d: x86/crash: force unlock console before printing on kexec crash [Igor Druzhinin]
• 4c6142e099: x86/shim: fix ballooning down the guest [Sergey Dyasli]
• 6e63afef94: sched: don’t let XEN_RUNSTATE_UPDATE leak into vcpu_runstate_get() [Juergen Gross]
• 5fcaaaed7b: ACPI/cpuidle: bump maximum number of power states we support [Jan Beulich]
• b0d4cecf5f: sched: fix freeing per-vcpu data in sched_move_domain() [Juergen Gross]
• c76e47d584: libxc/x86: avoid certain overflows in CPUID APIC ID adjustments [Jan Beulich]
• a43eb8a1dc: vpci: honor read-only devices [Roger Pau Monné]
• 3342ee9318: x86/boot: silence MADT table entry logging [Jan Beulich]
• b2220461a3: ioreq: fix hvm_all_ioreq_servers_add_vcpu fail path cleanup [Roger Pau Monné]
• 37ccdfd545: x86/cpuid: Fix handling of the CPUID.7[0].eax levelling MSR [Andrew Cooper]
• 8bbb3e900b: x86/shadow: don’t enable shadow mode with too small a shadow allocation (part 2) [Jan Beulich]
• ff5ddf0e42: x86: properly gate clearing of PKU feature [Jan Beulich]
• 802f9940fe: p2m/ept: pass correct level to atomic_write_ept_entry in ept_invalidate_emt [Roger Pau Monné]
• 10582ea1f9: x86/mm: correctly initialise M2P entries on boot [Igor Druzhinin]
• 4e95d85b99: x86: Restore IA32_MISC_ENABLE on wakeup [Michał Kowalczyk]
• da235ee4e7: x86/xpti: Don’t leak TSS-adjacent percpu data via Meltdown [Andrew Cooper]
• 32bdae2750: xen/page_alloc: Keep away MFN 0 from the buddy allocator [Julien Grall]
• b647da41b3: xen/link: Introduce .bss.percpu.page_aligned [Andrew Cooper]
• 1ec05c2256: xen/sched: fix memory leak in credit2 [Juergen Gross]
• 9b91beca34: x86/boot: Set Accessed bits in boot_cpu_{,compat_}gdt_table[] [Andrew Cooper]
• dc3cd3dcf4: x86/apic: enable x2APIC mode before doing any setup [Roger Pau Monné]
• 3311f10e5b: x86/microcode: always collect_cpu_info() during boot [Sergey Dyasli]
• 5fd47c57db: xen/spec-ctrl: Speculative mitigation facilities report wrong status [James Wang]
• 6af54f7ce3: x86/boot: Fix build dependenices for reloc.c [Andrew Cooper]
• c250e2d5c0: video: fix handling framebuffer located above 4GB [Marek Marczykowski-Górecki]
• 08cb4b93dd: x86/altp2m: make sure EPTP_INDEX is up-to-date when enabling #VE [George Dunlap]
• 8efcc0d2d3: x86/msi: fix loop termination condition in pci_msi_conf_write_intercept() [Paul Durrant]
• 1cf304fc55: x86/vvmx: set CR4 before CR0 [Sergey Dyasli]
• c14026bd19: x86/cpuid: leak OSXSAVE only when XSAVE is not clear in policy [Igor Druzhinin]
• c719519a41: x86/SMP: don’t try to stop already stopped CPUs [Jan Beulich]
• 93ad919778: x86/AMD: limit C1E disable family range [Jan Beulich]
• fcc4f5db17: x86/AMD: correct certain Fam17 checks [Jan Beulich]
• 2f7f16c55d: x86/pv: Fix undefined behaviour in check_descriptor() [Andrew Cooper]
• fddda5d058: x86/irq: Fix undefined behaviour in irq_move_cleanup_interrupt() [Andrew Cooper]
• d0dc725514: x86/spec-ctrl: Knights Landing/Mill are retpoline-safe [Andrew Cooper]
• 7ca58e5aa3: x86/vhpet: avoid ‘small’ time diff test on resume [Paul Durrant]
• be800a1676: update Xen version to 4.11.3-pre [Jan Beulich]

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.11 stable series to update to this latest point release.