Xen Project 4.11.2

We are pleased to announce the release of Xen 4.11.2. It is available immediately from the stable-4.11 branch of its git repository (tag RELEASE-4.11.2) or from the download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 5b25729267: update Xen version to 4.11.2 [Jan Beulich]
  • d9086e8ee0: xen/arm: time: cycles_t should be a uint64_t and not unsigned long [Julien Grall]
  • a3014dfc84: x86: drop arch_evtchn_inject() [Jan Beulich]
  • f459e531d7: XSM: adjust Kconfig names [Jan Beulich]
  • f990f2ade3: xen/arm: grant-table: Protect gnttab_clear_flag against guest misbehavior [Julien Grall]
  • af90ec8fb2: xen/arm: Add performance counters in guest atomic helpers [Julien Grall]
  • 8fd10a6176: xen: Use guest atomics helpers when modifying atomically guest memory [Julien Grall]
  • 38492cec42: xen/cmpxchg: Provide helper to safely modify guest memory atomically [Julien Grall]
  • dc556f468e: xen/bitops: Provide helpers to safely modify guest memory atomically [Julien Grall]
  • 08400a7a22: xen/arm: Turn on SILO mode by default on Arm [Julien Grall]
  • b415a99d53: xen/xsm: Add new SILO mode for XSM [Xin Li]
  • 37db5e59da: xen/xsm: Introduce new boot parameter xsm [Xin Li]
  • 3c3490fb76: xen/xsm: remove unnecessary #define [Xin Li]
  • 521b9f594f: xen/arm: cmpxchg: Provide a new helper that can timeout [Julien Grall]
  • e9f7dfac87: xen/arm: bitops: Implement a new set of helpers that can timeout [Julien Grall]
  • 632e87512e: xen/arm32: cmpxchg: Simplify the cmpxchg implementation [Julien Grall]
  • 5833f3fc33: xen/arm64: cmpxchg: Simplify the cmpxchg implementation [Julien Grall]
  • 4fc7dd9f8c: xen/arm: bitops: Consolidate prototypes in one place [Julien Grall]
  • 6ce62fabcc: xen/arm32: bitops: Rewrite bitop helpers in C [Julien Grall]
  • 2a0fda3ed9: xen/arm64: bitops: Rewrite bitop helpers in C [Julien Grall]
  • 8f634214fb: xen/grant_table: Rework the prototype of _set_status* for legibility [Julien Grall]
  • ca73ac8e7d: xen/arm: Add an isb() before reading CNTPCT_EL0 to prevent re-ordering [Julien Grall]
  • b7ab29d448: common: avoid atomic read-modify-write accesses in map_vcpu_info() [Jan Beulich]
  • 33a9494e2d: events: drop arch_evtchn_inject() [Jan Beulich]
  • 6c33308a8d: xen/arm: mm: Set-up page permission for Xen mappings earlier on [Julien Grall]
  • f9233b7804: libacpi: report PCI slots as enabled only for hotpluggable devices [Igor Druzhinin]
  • 2effc2f131: x86/IO-APIC: fix build with gcc9 [Jan Beulich]
  • c14310666b: x86emul: add support for missing {,V}PMADDWD insns [Jan Beulich]
  • 9d89d2c431: x86/IRQ: avoid UB (or worse) in trace_irq_mask() [Jan Beulich]
  • 10a7329307: x86/boot: Fix latent memory corruption with early_boot_opts_t [Andrew Cooper]
  • 4f2d189bb9: x86/svm: Fix handling of ICEBP intercepts [Andrew Cooper]
  • f06cc4f182: drivers/video: drop framebuffer size constraints [Marek Marczykowski-Górecki]
  • ba75e0d44b: bitmap: fix bitmap_fill with zero-sized bitmap [Marek Marczykowski-Górecki]
  • 18af067ae3: x86/vmx: correctly gather gs_shadow value for current vCPU [Tamas K Lengyel]
  • ec821f1242: x86/mtrr: recalculate P2M type for domains with iocaps [Igor Druzhinin]
  • 59ae170507: AMD/IOMMU: disable previously enabled IOMMUs upon init failure [Jan Beulich]
  • 45342cd88d: trace: fix build with gcc9 [Jan Beulich]
  • 8266ed668c: xen/sched: fix csched2_deinit_pdata() [Juergen Gross]
  • 50c382310e: oxenstored: Don’t re-open a xenctrl handle for every domain introduction [Andrew Cooper]
  • edbe12140d: xl: handle PVH type in apply_global_affinity_masks again [Wei Liu]
  • 5b97821919: tools/libxc: Fix issues with libxc and Xen having different featureset lengths [Andrew Cooper]
  • 989a2ec4f3: tools/xl: use libxl_domain_info to get domain type for vcpu-pin [Igor Druzhinin]
  • b55ff4c879: tools/libxl: correct vcpu affinity output with sparse physical cpu map [Juergen Gross]
  • 4b72470175: tools/ocaml: Dup2 /dev/null to stdin in daemonize() [Christian Lindig]
  • 5c6be595b1: tools/misc/xenpm: fix getting info when some CPUs are offline [Marek Marczykowski-Górecki]
  • 0ab95a98fe: x86: fix build race when generating temporary object files [Jan Beulich]
  • d85748bd10: VT-d: posted interrupts require interrupt remapping [Jan Beulich]
  • a6870a96b5: vm_event: fix XEN_VM_EVENT_RESUME domctl [Petre Pircalabu]
  • 9f4a0af37f: xen/timers: Fix memory leak with cpu unplug/plug [Andrew Cooper]
  • 3859ed92d8: x86emul: suppress general register update upon AVX gather failures [Jan Beulich]
  • 6afaac2275: xen/sched: fix credit2 smt idle handling [Juergen Gross]
  • a6e07495c1: x86/spec-ctrl: Introduce options to control VERW flushing [Andrew Cooper]
  • bd03b27b9a: x86/spec-ctrl: Infrastructure to use VERW to flush pipeline buffers [Andrew Cooper]
  • b09886e3c9: x86/spec-ctrl: CPUID/MSR definitions for Microarchitectural Data Sampling [Andrew Cooper]
  • bac4405a90: x86/spec-ctrl: Misc non-functional cleanup [Andrew Cooper]
  • 0d8e6f7298: x86/boot: Detect the firmware SMT setting correctly on Intel hardware [Andrew Cooper]
  • 9be661341d: x86/msr: Definitions for MSR_INTEL_CORE_THREAD_COUNT [Andrew Cooper]
  • f5cc6e140a: x86/spec-ctrl: Reposition the XPTI command line parsing logic [Andrew Cooper]
  • 3b062f5040: x86/spec-ctrl: Extend retpoline safety calculations for eIBRS and Atom parts [Andrew Cooper]
  • 0825fbdd62: x86/msr: Shorten ARCH_CAPABILITIES_* constants [Andrew Cooper]
  • bdb0630806: x86/e820: fix build with gcc9 [Jan Beulich]
  • eb8acba82a: xen: Fix backport of “xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct” [Andrew Cooper]
  • 0ebfc81c09: xen: Fix backport of “x86/tsx: Implement controls for RTM force-abort mode” [Andrew Cooper]
  • e983e8ae84: tools/firmware: update OVMF Makefile, when necessary [Wei Liu]
  • 348922b16a: Arm/atomic: correct asm() constraints in build_add_sized() [Jan Beulich]
  • 718a8d2e9c: x86/pv: Fix construction of 32bit dom0’s [Andrew Cooper]
  • fc46e159a6: x86/tsx: Implement controls for RTM force-abort mode [Andrew Cooper]
  • 4db8fddf77: x86/vtd: Don’t include control register state in the table pointers [Andrew Cooper]
  • c74683ae88: x86/HVM: don’t crash guest in hvmemul_find_mmio_cache() [Jan Beulich]
  • 793d669fc1: iommu: leave IOMMU enabled by default during kexec crash transition [Igor Druzhinin]
  • 1b0e77dd96: x86/cpuid: add missing PCLMULQDQ dependency [Jan Beulich]
  • dd32dab374: x86/mm: fix #GP(0) in switch_cr3_cr4() [Jan Beulich]
  • 03afae62a7: x86/nmi: correctly check MSB of P6 performance counter MSR in watchdog [Igor Druzhinin]
  • aea41c3d10: x86/hvm: Increase the triple fault log message level to XENLOG_ERR [Andrew Cooper]
  • 935a4adb36: x86/vmx: Properly flush the TLB when an altp2m is modified [Andrew Cooper]
  • 833788f4d2: x86/shadow: don’t use map_domain_page_global() on paths that may not fail [Jan Beulich]
  • b77bf91e28: viridian: fix the HvFlushVirtualAddress/List hypercall implementation [Paul Durrant]
  • cf9901070d: x86/shadow: don’t pass wrong L4 MFN to guest_walk_tables() [Jan Beulich]
  • 0c0f0ab5ab: x86/pmtimer: fix hvm_acpi_sleep_button behavior [Varad Gautam]
  • e984846dad: x86/pv: _toggle_guest_pt() may not skip TLB flush for shadow mode guests [Jan Beulich]
  • 4f9ab5f75c: x86/pv: Don’t have %cr4.fsgsbase active behind a guest kernel’s back [Andrew Cooper]
  • c567b053e8: x86/pv: Rewrite guest %cr4 handling from scratch [Andrew Cooper]
  • 6c197f96bd: x86/mm: properly flush TLB in switch_cr3_cr4() [Jan Beulich]
  • 7bbd3a5ecd: x86/mm: don’t retain page type reference when IOMMU operation fails [Jan Beulich]
  • 92227e2509: x86/mm: add explicit preemption checks to L3 (un)validation [Jan Beulich]
  • 4835974065: x86/mm: also allow L2 (un)validation to be fully preemptible [Jan Beulich]
  • be58f86123: xen: Make coherent PV IOMMU discipline [George Dunlap]
  • 4298abd327: steal_page: Get rid of bogus struct page states [George Dunlap]
  • 4f785ea01c: IOMMU/x86: fix type ref-counting race upon IOMMU page table construction [Jan Beulich]
  • 1028304d42: gnttab: set page refcount for copy-on-grant-transfer [Jan Beulich]
  • 87f51bf366: libxl: correctly dispose of dominfo list in libxl_name_to_domid [Wei Liu]
  • dd492b8f64: libxl: don’t set gnttab limits in soft reset case [Juergen Gross]
  • e2e3a1d757: correct release note link in [Juergen Gross]
  • 850ca94004: x86/hvm: Fix bit checking for CR4 and MSR_EFER [Andrew Cooper]
  • 514dccd049: x86/AMD: flush TLB after ucode update [Jan Beulich]
  • e202feb713: xen/cmdline: Fix buggy strncmp(s, LITERAL, ss - s) construct [Andrew Cooper]
  • 198672807e: mm/page_alloc: fix MEMF_no_dma allocations for single NUMA [Sergey Dyasli]
  • 2cd833de4d: x86emul: work around SandyBridge errata [Jan Beulich]
  • de094111f4: x86emul: fix 3-operand IMUL [Jan Beulich]
  • dd914e4c6f: x86/hvm: Corrections to RDTSCP intercept handling [Andrew Cooper]
  • 63d71138a4: x86/VT-x: Don’t activate VMCS Shadowing outside of nested vmx mode [Andrew Cooper]
  • af25f52a06: x86/shadow: don’t enable shadow mode with too small a shadow allocation [Jan Beulich]
  • 91f2ad76aa: ns16550/PCI: fix skipping of devices [Jan Beulich]
  • 0b2be0bd82: x86/soft-reset: Drop gfn reference after calling get_gfn_query() [Andrew Cooper]
  • 7d1bd985eb: x86/mem-sharing: Don’t leave the altp2m lock held when nominating a page [Andrew Cooper]
  • d8b2418573: x86/HVM: __hvm_copy() should not write to p2m_ioreq_server pages [Jan Beulich]
  • bf608fd2f0: update Xen version to 4.11.2-pre [Jan Beulich]
  • c21aba8b9d: VMX: fix vmx_handle_eoi() [Jan Beulich]
  • df1debf494: xen/arm: Don’t build GICv3 with the new vGIC [Julien Grall]
  • 14b7dc115b: xen/arm: vgic-v3: Don’t create empty re-distributor regions [Julien Grall]
  • 015b00ff35: xen/arm: vgic-v3: Delay the initialization of the domain information [Julien Grall]
  • 02fd1ee8ce: xen/arm: check for multiboot nodes only under /chosen [Stefano Stabellini]
  • dd1c98afc6: xen/arm: gic: Ensure ordering between read of INTACK and shared data [Julien Grall]
  • 28f380fbde: xen/arm: gic: Ensure we have an ISB between ack and do_IRQ() [Julien Grall]
  • 0be5443873: xen/arm: smccc-1.1: Handle function result as parameters [Marc Zyngier]
  • ad8875c8a7: xen/arm: smccc-1.1: Make return values unsigned long [Marc Zyngier]

This release contains NO fixes to qemu-traditional. This release contains the following changes to qemu-upstream:

  • 06fbdaf7d6: xen_disk: Disable file locking for the PV disk backend [Anthony PERARD]
  • 2871355a69: gtk: Don’t vte_terminal_set_encoding() on new VTE versions [Kevin Wolf]
  • 94a715b6cb: gluster: the glfs_io_cbk callback function pointer adds pre/post stat args [Niels de Vos]
  • 13bac7abf6: gluster: Handle changed glfs_ftruncate signature [Prasanna Kumar Kalever]
  • 9864a12f4a: net: drop too large packet early [Jason Wang]
  • b697c0aecb: net: ignore packet size greater than INT_MAX [Jason Wang]
  • f517c1b607: 9p: fix QEMU crash when renaming files [Greg Kurz]
  • 9af9c1c20e: nvme: fix out-of-bounds access to the CMB [Paolo Bonzini]
  • c50c704a6a: 9p: take write lock on fid path updates (CVE-2018-19364) [Greg Kurz]
  • 03c28544a1: xen-mapcache: use MAP_FIXED flag so the mmap address hint is always honored [Roger Pau Monne]
  • a35ed14443: mmap(2) returns MAP_FAILED, not NULL, on failure [Michael McConville]

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA       Xen                                   qemu-traditional   qemu-upstream
XSA-283   Advisory withdrawn
XSA-284   Applied                               N/A                N/A
XSA-285   Applied                               N/A                N/A
XSA-286   Applied                               N/A                N/A
XSA-287   Applied                               N/A                N/A
XSA-288   Applied                               N/A                N/A
XSA-289   Not Applied, see Technical Details.
XSA-290   Applied                               N/A                N/A
XSA-291   Applied                               N/A                N/A
XSA-292   Applied                               N/A                N/A
XSA-293   Applied                               N/A                N/A
XSA-294   Applied                               N/A                N/A
XSA-295   Applied                               N/A                N/A
XSA-296   Applied                               N/A                N/A
XSA-297   Applied                               N/A                N/A

See the Xen Project security advisories for details.

We recommend that all users of the 4.11 stable series update to this latest point release.